A backdoor in xz

Posted Mar 30, 2024 14:50 UTC (Sat) by cpanceac (guest, #80967)
In reply to: A backdoor in xz by mb
Parent article: A backdoor in xz

In the meantime I have a problem with big companies using open source components without significantly investing in them (if at all). Their products get into all kinds of commercial products used by people around the world. I believe it will make a big difference if they put their money into supporting these projects instead of assuming that everything is fine.


A backdoor in xz

Posted Mar 30, 2024 17:17 UTC (Sat) by rra (subscriber, #99804) (11 responses)

Corporations are legally sociopathic and have no structural incentive to do any such thing. Problems like this that result from this gap can be socialized in ways that they still don't have to pay for. Other people will always clean up their messes for them.

We have a social mechanism to require private organizations to support infrastructure that everyone needs, in order to avoid free rider problems like this. It's called taxes. Everyone hates that answer, because it requires making decisions collectively as a society (well, to be more accurate, multiple societies) and holding people responsible for participating in and funding the society that they are part of, but no one has a better alternative. Begging corporations to be kind, benevolent benefactors isn't going to work. Appealing to self-interest when it's quite clear they can socialize their losses and make more money by being aggressively selfish also isn't going to work.

An interesting model worth considering is the way countries like the UK compensate the authors of books based on how much circulation they receive in libraries.

A backdoor in xz

Posted Mar 30, 2024 21:55 UTC (Sat) by kleptog (subscriber, #1183) (10 responses)

> We have a social mechanism to require private organizations to support infrastructure that everyone needs, in order to avoid free rider problems like this. It's called taxes.

There's also a third way: regulations. The food and drink we consume is safe not because companies are nice or because we pay for it all via taxes. It's safe because we have regulations and enforce them. Stuff like electricity grids, water/gas networks, telecommunication grids are these days typically built on a user-pays principle: those who use the service pay for the infrastructure. In the past these were originally built by (local) governments with taxes but that's just not very inefficient. Using regulations to enforce service levels while letting the user pay for them can work much better (note: this is not the same as privatisation). (Caveat: requires people making sensible regulations.)

I'm not convinced getting open-source infrastructure paid for via taxes is a viable model. Taxes are a very blunt instrument because they completely divorce the people who use the product from the people who pay for it. This is fine for things where we expect social solidarity like social security. I don't think it makes sense for open-source software.

This is the moment where we need to point out to all those big companies: can you imagine if this had gone undetected and ended up in one of your released products? What would that have cost you and how much is it worth now to prevent that?

A backdoor in xz

Posted Mar 30, 2024 23:07 UTC (Sat) by ejr (subscriber, #51652) (5 responses)

Enforcement is funded by taxes.

A backdoor in xz

Posted Mar 31, 2024 22:07 UTC (Sun) by Wol (subscriber, #4433) (4 responses)

> Enforcement is funded by taxes.

Why? What you *should* do is provide a guaranteed level of funding for your enforcement agency that enables it to function, monitor the market, and carry out a low level of enforcement. That enforcement enables the agency to recover costs, which means they can expand enforcement in line with expanding abuse/breaches. The result again *should* be a commercial decision that breaking the rules is not wise - either you're a lone offender who will get targeted, or the market is generally offending and the fines/costs will enable the enforcement agency to rapidly expand ...

Cheers,
Wol

A backdoor in xz

Posted Apr 1, 2024 17:49 UTC (Mon) by apoelstra (subscriber, #75205) (3 responses)

>That enforcement enables the agency to recover costs

In the US at least, I don't believe any agency works this way. Instead any fines or other enforcement-related payments go to the government's general fund. Money is fungible so in principle this could make an agency cost-neutral, but it has no effect on the agency's budget so they aren't incentivized to try.

If any agency *were* incentivized to levy fines, because their operating budget had to come out of the fines, this would be a perverse incentive for them to just levy fines willy-nilly. Much like the "speed traps" operated by local police agencies near the end of the month.

A backdoor in xz

Posted Apr 1, 2024 21:49 UTC (Mon) by kleptog (subscriber, #1183) (1 responses)

> >That enforcement enables the agency to recover costs

> In the US at least, I don't believe any agency works this way.

It surely varies by jurisdiction, but regulatory agencies here in the Netherlands don't live off fines. They'd die if that were the case. To give some examples of how it works:

- NVWA (think food safety) charges per food inspection certificate issued, time spent auditing a business, etc., for example.

- AFM (like the SEC) basically has a budget, which is divided by a formula over all the banks, insurance companies, etc within the Netherlands.

The principle is straightforward: regulatory authorities are paid for by the businesses they are regulating. The health agency is funded by the hospitals, GPs and pharmaceutical companies within their jurisdiction. If a sector complains the regulatory agency is too expensive, then politicians can simply argue that the sector should get its act together so that there's less enforcement work required.

It doesn't work for everything. For stuff like GDPR enforcement, it's not clear who should pay for that. But for a lot of regulatory agencies it does work reasonably well.

A backdoor in xz

Posted Apr 2, 2024 9:10 UTC (Tue) by farnz (subscriber, #17727)

The general model for things where it's not clear who should pay is for the regulator to be funded from general taxation, and for fines to go back into the general pot; it is understood that the regulator is not expected to attempt to pay its own costs via fines, but that it is expected to fine everyone who breaches the regulations.

A backdoor in xz

Posted Apr 2, 2024 18:26 UTC (Tue) by Wol (subscriber, #4433)

> If any agency *were* incentivized to levy fines, because their operating budget had to come out of the fines, this would be a perverse incentive for them to just levy fines willy-nilly. Much like the "speed traps" operated by local police agencies near the end of the month

What you *want* to achieve, is for the person paying to want to pay the minimum possible, but for them to have two (at least) different ways of minimising the cost.

My preferred example is with things like insurance companies. Why shouldn't the police have a "burglary investigation department" paid for by the insurance companies? You then hopefully get a "steady state" where the police catch enough burglars to keep the crime rate down, but barring outright fraud the system isn't going to get out of hand.

Unfortunately, capitalism tends to sabotage such neat systems; another example is the mess we have of utilities - it makes sense for the infrastructure to be owned by the customers, but all too often it's treated as a profit centre by suppliers :-( As a result you get the horror stories we hear of from America of people locked into cable monopolies, or stuck with dial-up speeds. In a first world state!?!?

(I won't say we're much better - in theory we're a lot better off, but it still fails horribly ...)

Cheers,
Wol

A backdoor in xz

Posted Mar 31, 2024 3:47 UTC (Sun) by rra (subscriber, #99804) (3 responses)

I agree that working out the right way to do this would be hard. Nothing about this problem is easy; if it were easy, we would have done it already. But the cracks are showing in how we're doing this now. (If only this weren't true about dozens of other things about our modern world, several of which are significantly more important than free software.)

But, that said...

> Taxes are a very blunt instrument because they completely divorce the people who use the product from the people who pay for it.

This is exactly why I find the library model interesting: there's a feedback loop. Corporate products, services, and infrastructure that use free software vote with their choices. We figure out some way to count those choices (I know, I know, complexity of the software should be a factor, how to do this is very inobvious, insert vigorous hand-waving here), and an appropriate percentage of the revenues of those companies go to the maintainers of that software. If companies stop using their software, they stop getting money. If more companies use their software, they get more money.

I personally don't like that everything in society is denominated by money (this, ironically, is part of why I write free software; I like being motivated by community rather than money), but if I want free software developers to slow down, take a breath, be more methodical, and be able to take the time to do things properly, well, most of those things require money in some way. (Not *only* money, of course.) I think we need to find ways to derisk going part-time, or taking a year between jobs to work on free software, or making a living writing free software infrastructure, if we want to get ahead of our growing maintenance crisis.

A backdoor in xz

Posted Apr 1, 2024 15:30 UTC (Mon) by kleptog (subscriber, #1183)

> This is exactly why I find the library model interesting: there's a feedback loop. Corporate products, services, and infrastructure that use free software vote with their choices.

Ok, so that's a different model. That kind of thing exists as levies for other things. Like the "thuiskopieheffing" (home copy levy) which is basically an extra charge on writable CDs/DVDs and other media which is distributed to copyright holders as compensation for the fact that people copy stuff for their own use. Or the charges on appliances that pay for the collection and recycling at end-of-life.

You could, in theory, add a 1% levy on all digital products/services and then, via that hand-waving you were referring to, distribute it to the developers/maintainers of open-source. The justification being that all digital products/services depend on open-source anyway, this is a way to finance it. I don't think this idea is completely ridiculous; if someone could actually work out the details it could actually happen.

The details however matter. Because it's not just a money problem. Even if tomorrow there was a fund available to pay for all the maintenance of open-source software, the social structures don't exist to make it happen. Are there enough people who actually want to do the required work, even if they were paid? How do we ensure the work is actually done? Figuring out which projects is the easy part. Can we trust the people who actually do it?

The financing of maintenance of open-source software is a long-standing problem and simply throwing money at it isn't going to solve it. You first need to figure out *how*, then you can discuss where to get the money from. I think the CRA is a step in the development of the business models that will improve the funding situation in the future but I don't think we yet know how this will work out.

A backdoor in xz

Posted Apr 2, 2024 16:12 UTC (Tue) by GNUtoo (guest, #61279) (1 responses)

> This is exactly why I find the library model interesting: there's a feedback loop. Corporate products, services, and infrastructure that use free software vote with their choices. We figure out some way to count those choices (I know, I know, complexity of the software should be a factor, how to do this is very inobvious, insert vigorous hand-waving here), and an appropriate percentage of the revenues of those companies go to the maintainers of that software. If companies stop using their software, they stop getting money. If more companies use their software, they get more money.

The issue here is the side effects. For instance, what would prevent companies from writing extremely widely used software with a poor security track record and trying to get money to fix things after the fact when the design is bad, or when even more fundamental things than the design are bad (use cases impossible to secure, etc.)?

And if it somehow works it could also make very secure software that goes into conflict with freedom or other things we care about (like inclusiveness, making old hardware continue to work, etc.).

A slightly better approach would be to look at the NLnet approach and somehow adapt it for improving security maintenance.

Micro-grants for short periods of time are probably not ideal to fund long term maintenance, so that could probably be adapted/changed, along with the metrics to decide when not to pay (it's probably easier to check whether a specific task is done than to assert the usefulness of maintenance tasks), but the fact that highly competent people decide what to fund and not to fund and have a strategic vision for FLOSS is probably something that we need.

This could avoid the most problematic perverse incentives, and the cost here would probably be the subjectivity of the people that decide what to fund or not to fund, and here having diverse people could help but probably won't fix everything.

But at least it would be better than the other models mentioned here before.

A backdoor in xz

Posted Apr 3, 2024 13:17 UTC (Wed) by mathstuf (subscriber, #69389)

> The issue here is the side effects. For instance what would prevent companies from writing extremely used software with poor security track record and try to get money to fix things after the fact when the design is bad, or that even bigger foundations than the design is bad (use cases impossible to secure, etc).

First, to me, would be the interesting question of how a "poor security track record" ended up "extremely used" with the regulation threat looming. Besides that… if it is FOSS, who says the company gets the contract? Even if not, there could be some source escrow (something I would love to see for "critical" software). Either way, a bidding process can help with prices. Allow the "core maintainer" entity to usurp the lowest bid with, say, 10% overhead if they want to do it themselves and retain "power", but that can help curb gouging at least. Also allow bids to create a compatible replacement. Not that procurement doesn't have collusion, greased hands, and other situations, but it is at least something familiar.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds