Post B2Nd73dcTJX6lp9f9c by JessTheUnstill@infosec.exchange
       Post #B2Nd73dcTJX6lp9f9c by JessTheUnstill@infosec.exchange
       2026-01-16T17:55:40Z
       
       0 likes, 0 repeats
       
       When some company demands security questionnaires be filled out for the open source product they don't pay for. And I leave it to others to politely say "sorry we don't fill those out unless you pay" because I'd just say "fuck off".
       
       Post #B2Nd74jKPZh49opjgu by munin@infosec.exchange
       2026-01-16T18:00:14Z
       
       0 likes, 0 repeats
       
       @JessTheUnstill this is the sign of a deficient organization that does not have an appropriate FLOSS dependency policy for their third-party supply chain risk management. it's completely nonsensical to demand compliance questionnaire activity from volunteer maintainers of various projects. the security department has a responsibility in these situations to discuss the use and vulnerability surfaces of these libraries with the internal development team making use of them, and to analyze risk - and potential other options - accordingly. the business is the one making money off of its use; the open-source community is already being exploited, and does not have the resources to shoulder the cost of the business' compliance desires.
       
       Post #B2Nd75wTu9oDutzkpc by JessTheUnstill@infosec.exchange
       2026-01-16T18:16:49Z
       
       0 likes, 0 repeats
       
       @munin Sadly I'm under NDA so I can't name and shame
       
       Post #B2Nd77NoY1GcNxn64e by munin@infosec.exchange
       2026-01-16T18:17:41Z
       
       0 likes, 0 repeats
       
       @JessTheUnstill it's regrettably common.
       
       Post #B2Nd78SoWurPjl8bVQ by JessTheUnstill@infosec.exchange
       2026-01-16T18:19:03Z
       
       0 likes, 0 repeats
       
       @munin What do you mean random open source project maintained by a single person and who has in total received $75 in donations in the last 5 years doesn't have a SOC2?
       
       Post #B2Nd79L3HGFIRyVv2u by munin@infosec.exchange
       2026-01-16T18:21:31Z
       
       0 likes, 0 repeats
       
       @JessTheUnstill ayup. anyone with any understanding of the industry will immediately realize this is not reasonable, and will write their open-source policy to accommodate this reality.
       
       Post #B2Nd7A4QYYXeihk9lw by dr_a@mastodon.social
       2026-01-16T18:38:54Z
       
       0 likes, 0 repeats
       
       @munin @JessTheUnstill it would be nice if reasonable practices were the norm, but a look at the state of the software industry suggests reasonable practices are uncommon.
       
       Post #B2Nd7B0Z4P2vd0waOG by JessTheUnstill@infosec.exchange
       2026-01-16T18:40:48Z
       
       0 likes, 0 repeats
       
       @dr_a @munin my biases are showing, but I see even more of that sort of thing come out of compliance. Only some of which is compliance's fault themselves. Sometimes it's the upstream auditors and regulators that are also driving this shit.
       
       Post #B2Nd7BypSLFgdv8iK8 by munin@infosec.exchange
       2026-01-16T18:47:36Z
       
       0 likes, 0 repeats
       
       @JessTheUnstill @dr_a frequently it's from execs demanding compliance without understanding that there's more to it than checking off boxes on the list.
       
       Post #B2Nd7CrmA3CjOKqay8 by dr_a@mastodon.social
       2026-01-16T20:22:12Z
       
       0 likes, 0 repeats
       
       @munin @JessTheUnstill i’ve worked both sides on compliance, and checkbox compliance is definitely a significant problem. I think folks like RMS helped build this problem by setting stupid expectations about the value of software. People tend to not value what they don’t pay for and mindless compliance requests are part of that.
       
       Post #B2Nd7DRa0vqPBNbBmC by lxo@snac.lx.oliva.nom.br
       2026-01-17T15:31:49Z
       
       0 likes, 0 repeats
       
       woah woah woah!  ever heard the phrase "it's a matter of freedom, not price.  we encourage you to charge as much as you can for free software." that others twisted and misrepresented his words is no excuse to blame him for it. CC: @munin@infosec.exchange @JessTheUnstill@infosec.exchange
       
       Post #B2NvmvaaaOHZ91qu6S by wollman@mastodon.social
       2026-01-16T21:28:43Z
       
       0 likes, 0 repeats
       
       @dr_a @munin @JessTheUnstill The idea of the gift economy only works if the labor involved is being paid for by someone else, for their own purposes. That was the kind of milieu RMS was soaking in: everyone's labor was being paid for by the US government, and the software was just an externality of making some other thing (weapons, Ph.D.s, supercomputers, CAD tools, etc.). As a mechanism to foster cooperation toward a shared goal, it's fine. It doesn't generalize to the broader economy.
       
       Post #B2NvmweAeYk2QQXHKC by lxo@snac.lx.oliva.nom.br
       2026-01-17T19:01:12Z
       
       1 like, 0 repeats
       
       most of the software developed in the world by far happens to be developed just like that: someone is paying for the development because the software serves a purpose of one's own.  software developed with the purpose of selling licenses is the exception rather than the rule, it just happens to be the most visible and strident exception, in that it enabled huge fortunes to be made. there's genius in funneling those who would independently invest in procuring the development of software to serve their own needs into cooperating to fund the development of software that serves all of the parties without burdening any one of them as much as if they went their own separate ways.  indeed, this funneling is what general-purpose off-the-shelf commercial (whether proprietary or freedom-respecting) software used to strive to do, back when software was made to serve the users rather than exploit them. the key difference is that free software still strives to serve users that, and it has always done so without sacrificing the users' independence in the process, because users are collectively and individually in control of the software and its development directions. CC: @dr_a@mastodon.social @JessTheUnstill@infosec.exchange