Development quote of the week
If you accept this premise that there is no tragedy of the commons – that open source software cannot be over-grazed by having more people use it – that freeloaders are free, and scarcity is not an applicable concept, then you’re forced to look skeptically at other assumptions we’ve been starting to make lately in the broader open source community.— David Heinemeier HanssonLike the idea that open source software just isn’t “sustainable”. That unless we somehow find a new way to force users to “give back” (i.e. pay/donate!), we’re going to burn out people who donate their “free labor”, but won’t do so forever.
In essence, that we’re at the cusp of a Malthusian-Randesque crisis! Too many takers, too few and too poorly compensated makers!
Never mind the fact that actual, observed famines are so rare that everyone keeps using the same example when it comes to this debate: OpenSSL! A famine that was promptly alleviated as soon as its effects were apparent.
Posted Jan 6, 2022 10:51 UTC (Thu)
by Wol (subscriber, #4433)
[Link] (2 responses)
Pretty much every real tragedy is down to *outsiders* coming in, and pillaging the commons.
Even the original tragedy of the commons was driven by outsiders, as the ability to trade with London upset the village dynamics and handed undue power to just a few individuals (admittedly often members of the commons, but not always).
Cheers,
Posted Jan 6, 2022 20:50 UTC (Thu)
by NYKevin (subscriber, #129325)
[Link] (1 responses)
Posted Jan 7, 2022 10:33 UTC (Fri)
by Wol (subscriber, #4433)
[Link]
Let's take the African commons maybe 50 years ago (I'm thinking the Idi Amin era). The "government" came in, divided the nomadic trail area into farmsteads, and gave it their cronies. The farms lasted maybe 5 years and collapsed, the soil was exhausted. And an eco-system that had survived for hundreds of years was devastated.
Even the original tragedy was very much down to outside forces. All of a sudden, villages were exporting food to London, Birmingham etc. The richer (minority) of commoners who had surplus food to sell did very well, and found themselves in a position to mount a take-over bid. Or the Scottish Clearances. Exactly the same, down to outside forces as the big landowners suddenly found that sheep-farming was much more profitable than tenant-farming.
The tragedy always gets blamed on the commoners for mis-management. But it's not mis-management, it's outside forces upsetting the apple-cart.
Cheers,
Posted Jan 6, 2022 12:21 UTC (Thu)
by smurf (subscriber, #17840)
[Link] (14 responses)
I call this "hey, we find 'em and fix 'em" approach highly irresponsible. By now, people's lives (and/or their livelihoods) depend on this stuff not failing.
Worse, it falls flat on its face due to the simple fact that the log4j mess cost about three to five orders of magnitude more to fix than reviewing the code and rejecting such nonsense as obviously insecure would have cost.
Yes, it's not the same thing as Tragedy of the Commons. But that just means that we need a new catchy name for this sort of fallacy if we want to get a chance at convincing people to avoid it.
Posted Jan 6, 2022 13:12 UTC (Thu)
by mathstuf (subscriber, #69389)
[Link] (5 responses)
Do we know that? If so, how? Sure, log4j was expensive to fix (though thankfully there wasn't any usage in any projects or deployments I maintain), but reviews can't prove the absence of bugs, so that's really just open-ended wishes that the problem is visible to someone at the right time with the right skills to do something about it. At what point do we say "this code is good"? How about "good for now, but needs another pair of eyeballs in a month or two"? I mean, it did get found…but what's to say that *this* behavior wouldn't have slipped past any initial review (and maybe it did; incidental complexity and emergent behaviors are hard to account for!)?
I don't want to get into the "ought-is" fallacy, but this *did* get fixed. I don't think software development is at a point where we could say, with any real confidence, that we know how to prevent such things. It's not like this was something a static analyzer or type system could have avoided without going full Idris or Coq applying some type system of "sanitized input" to format strings, so even that "easy out" isn't available here (well, AFAIK).
FWIW, I am firmly in the "we don't do enough review" at merge time and when passing through the code again (for whatever reason: updates, debugging, sanitizers, other analysis, random grep traversals, etc.) for problems. But the backlog is *large*. Maybe you have something in mind more than the flippant "more review would have avoided this" it comes across as, but I don't know that money would have necessarily improved it (as I see it going more towards features than maintenance anyways).
Posted Jan 7, 2022 13:33 UTC (Fri)
by smurf (subscriber, #17840)
[Link] (4 responses)
A code review costs you an hour. Make it a day to cover the subsequent discussion if you find something objectionable, which should not happen often.
The log4j nonsense ate ~10 working days at my company. On a weekend, i.e. 50% to 100% more cost.
There are >10000 companies world-wide whose IT staff had to scramble applying fixes and checking logs, lest the baddies got in before you managed to apply the workarounds.
QED.
Posted Jan 7, 2022 14:25 UTC (Fri)
by farnz (subscriber, #17727)
[Link] (2 responses)
So, a question: when your company reviewed log4j before pulling it in as a dependency, why was the issue not spotted and addressed then? If it would only have taken a day to do that, but took 10 working days to fix the fallout from review failure, then surely you should have found it when you reviewed it?
And even better, if you'd then fixed it and reported your fix upstream, other reviewers would have seen the issue too, and someone might have taken the time to drive the fix all the way into the next release.
Posted Jan 8, 2022 20:09 UTC (Sat)
by smurf (subscriber, #17840)
[Link] (1 responses)
Our customers, on the other hand … or the platform vendors (hello, VMware) …
Posted Jan 9, 2022 15:16 UTC (Sun)
by farnz (subscriber, #17727)
[Link]
Right, so you outsourced part of your security review to your customers or to your platform providers, and you've been bitten because they didn't do a good job of review.
Why is it OK for your customers and platform providers to not do a good job of reviewing their dependencies, but it's not OK for a pro-bono provider of free software to do a similarly imperfect job? After all, you actually have contracts and money flow when it comes to your platform providers and your customers, where a random giving away source code "for the public benefit" does not have any contract or money flow relationship with you.
Posted Jan 7, 2022 14:55 UTC (Fri)
by mathstuf (subscriber, #69389)
[Link]
Posted Jan 6, 2022 19:06 UTC (Thu)
by farnz (subscriber, #17727)
[Link] (7 responses)
I disagree with you, because most of these failures are not a consequence of not "rejecting such nonsense as obviously insecure", and placing more burden on the pro-bono creators of useful code to not make mistakes is not going to work - if it did, then there would not be security vulnerabilities in any software.
Look at the log4j mess as a sample. There are three things interacting, all of which are needed for a vulnerability to occur:
The security issue is that if you didn't realise that you had (3) enabled in your Java runtime, and you ignored (1) and fed user input directly as a format string despite log4j developers telling you not to do that, then (2) came into play, and (to everyone's surprise) it was possible to invoke the remote code mechanism from a log4j format string.
Now, when the log4j maintainers realised that the combination of 2 and 3 was dangerous, they made changes that would allow you to turn on further lockdown of the plug-in mechanism so that you couldn't combine 2 and 3. As a pro-bono project, they had no contact with users, and were not sure how many combined 2 and 3 deliberately, and how many were doing so by accident; the decision they came to was to default the further lockdown to "off", to document that you should turn it on, and to change their example code to always turn it on. Unfortunately, people didn't bother with the log4j documentation, preferring to crib from other codebases, and thus never realised they were supposed to flip the switch.
The fixed release simply changes the default; if you need to combine 2 and 3, then you need to turn the switch the other way, and hopefully you'll keep on top of your code base here.
From our perspective, after the fact, the people working pro-bono on log4j made the wrong choice. They should have flipped the switches to "always safe", and required people who needed the potentially unsafe behaviour to flip the switches themselves; however, I can understand why they chose to instead avoid breaking people who'd deployed and used log4j happily, and then got surprised by the breakage.
But most of the issues were not obvious in advance - the only "obvious" mistake is leaving the defaults as "unsafe" when they could have flipped it. Given the sheer volume of abuse they got for getting it wrong, though, it seems plausible that if they'd set the default to "safe", they'd have faced abuse anyway for breaking perfectly reasonable and working deployments.
Posted Jan 6, 2022 20:00 UTC (Thu)
by BenHutchings (subscriber, #37955)
[Link]
Posted Jan 6, 2022 21:04 UTC (Thu)
by NYKevin (subscriber, #129325)
[Link] (5 responses)
One could argue that this is a matter of type safety - that TrustedString and UntrustedString should not be the same type. The problem is that trust is more complicated than that (e.g. "I ran it through mysql_real_escape_string, is it safe now? No, because we're outputting HTML, not SQL."), and by the time you encode enough of that complexity into the type system, you've created a monstrosity which nobody actually wants to use. I'm not sure what the solution to this is. I don't think it's a "simple" matter of "sanitize your inputs," however, because at the time you take an input, it is nearly impossible to know all forms of sanitization which might need to be applied. Parameterized strings and "the thing that interprets the string also does the interpolation" (as with SQL prepared statements) are probably a good first step, but as another comment notes, in this case Log4j was doing the interpolation first and then applying expansions, which rather defeats the point.
Posted Jan 8, 2022 15:47 UTC (Sat)
by mkbosmans (subscriber, #65556)
[Link] (4 responses)
Posted Jan 8, 2022 20:12 UTC (Sat)
by smurf (subscriber, #17840)
[Link] (3 responses)
Posted Jan 14, 2022 13:32 UTC (Fri)
by nix (subscriber, #2304)
[Link] (2 responses)
... by making it impossible to write any useful program in that language. The poor users will not be in nirvana, though: they'll be longing for a system in which it's actually possible to get work done. :)
Posted Jan 20, 2022 15:25 UTC (Thu)
by jezuch (subscriber, #52988)
[Link] (1 responses)
😜
Posted Jan 21, 2022 9:08 UTC (Fri)
by Wol (subscriber, #4433)
[Link]
Cheers,
Posted Jan 6, 2022 18:25 UTC (Thu)
by jschrod (subscriber, #1646)
[Link]
Posted Jan 6, 2022 19:33 UTC (Thu)
by rra (subscriber, #99804)
[Link]
But what I think this is missing (and I admit that I hit tldr and started skimming once I realized how long the essay was, so perhaps I missed it) is that this community is embedded in a capitalist market system that you can't just wish away. It's great to talk about mutuality and jubilee, but no one is mutually going to give you housing or bring you food, and no jubilee is going to get rid of your credit card debt. So what Hansson says is good so far as it goes, but I think it's worth acknowledging that it is only applicable to a very specific, narrow slice of humanity that is already successfully participating in the market economy (by, for example, being a partner at a highly successful business) and then choosing to use the leisure that they have been granted by that success to write free software for fun.
This is a great life! I'm also a big fan! But only a very few people are able to live that life.
It has been the case, for many hundreds of years, that a certain economic slice of society gets way more leisure than everyone else and can use that leisure to indulge their interests without having to worry about making them economically sustainable. Hansson talks about being an aspiring stoic; yes, exactly, that's the sort of social class that gets to do things like spend their time on philosophy. But that's not some sort of radical new model for human collaboration. That's just rich people having a lot of leisure and using it for their hobbies.
I would like free software to be more than a hobby for rich people.
Posted Jan 6, 2022 21:31 UTC (Thu)
by neilbrown (subscriber, #359)
[Link] (6 responses)
Posted Jan 7, 2022 1:02 UTC (Fri)
by NYKevin (subscriber, #129325)
[Link] (2 responses)
Now, if your product doesn't accept outside bug reports, then I'm pretty unlikely to use it, but hey, if it's really a hobby, you probably don't care what I do with your code.
Posted Jan 10, 2022 9:37 UTC (Mon)
by anton (subscriber, #25547)
[Link] (1 responses)
Posted Jan 10, 2022 12:29 UTC (Mon)
by zdzichu (subscriber, #17118)
[Link]
Posted Jan 18, 2022 0:16 UTC (Tue)
by jrincayc (guest, #29129)
[Link] (2 responses)
Posted Jan 18, 2022 0:28 UTC (Tue)
by mathstuf (subscriber, #69389)
[Link] (1 responses)
Posted Jan 23, 2022 16:02 UTC (Sun)
by jrincayc (guest, #29129)
[Link]
Tragedy of the Commons
Wol
Tragedy of the Commons
Tragedy of the Commons
Wol
Development quote of the week
Development quote of the week
Development quote of the week
Development quote of the week
Development quote of the week
Development quote of the week
Development quote of the week
Development quote of the week
Development quote of the week
Development quote of the week
Development quote of the week
;-)
Development quote of the week
Development quote of the week
Development quote of the week
Development quote of the week
Wol
Development quote of the week
Development quote of the week
Development quote of the week
The point of contention would be the issue tracker or equivalent.
Having issues reported can benefit the software developer. Having thousands reported per day effectively destroys that benefit.
Development quote of the week
Development quote of the week
Now, if your product doesn't accept outside bug reports, then I'm pretty unlikely to use it
Like systemd? In July 2021 I noticed a bug in the systemd-logind coming with Ubuntu 21.04, but the systemd maintainers don't accept bug reports for such outdated versions, so I have not reported the bug yet.
Development quote of the week
Development quote of the week
Development quote of the week
Development quote of the week