“This important legislation will, for the first time ever, codify open source software as public infrastructure,” said Trey Herr
Does this mean I can get paid hundreds of millions of dollars to ship upgrades to open source code several years late and with twice as much technical debt as before? Because if so, I'm on board
No part of the bill requires actually securing software, or, like, running scans, or fixing vulns, or anything like that. It's a weird jobs program and mostly just adds bureaucracy.
I'd much rather they spent money hiring people to contribute to securing open source and doing outreach, rather than just some mandatory "software scanning" which generates noisy alerts no one does anything about.
Or neither. Just make a fund to hire talent to work all day hardening OSS projects. Rather than all the new mandatory meetings and oversight.
Forgive me if my bar is too low, but just to see bipartisan efforts at all toward this is a refreshing bright spot in American politics. Let's not make the perfect the enemy of the good.
There is mandamus language that directs the DHS Director to "bolster the security of open source software", "support Federal efforts to strengthen the security of open source software", etc. but it's up to the director to determine the methods of doing so.
From the perspective of politicians, bugs in the legal code are actually features. The incumbent power structure expends resources paying lawyers to find and exploit them, while the little people are mostly stuck following the law at face value. Most people don't even get to run the interpreter, but get forced into plea bargains and settlements instead! The imbalance helps perpetuate the status quo which lines the politicians' pockets.
Whereas bugs in computer software are problematic because they allow a new type of analyst to gain an outsized advantage, which upsets the status quo. Although the sharp contrast is slowly vanishing as full compromise bugs get rarer and the incumbent power structure employs more and more computer code analysts. For example, look at all of the security vulns in modern browsers and web protocols themselves that leak information to surveillance companies, but get downplayed as mere "privacy" problems that would be nice to fix some day perhaps.
My favorite bit of 'tax law': Decades ago I accidentally failed to file a return and ended up needing to compute some interest and penalties when I figured it out a year later. When trying to determine how the computation was done exactly, I found a court case where the IRS petitioned the court to let them approximate the results of this specific computation because applying the rule exactly was too complicated for them!
They specifically refer to Log4shell. That to me felt like a damp squib.
I remember seeing the apache logs on my home desktop on my cable modem back in 2001; the default.ida GETs would race through with multiple attempts per hour.
Conversely I saw barely any attempts on my public facing apache servers 20+ years later with log4shell. Was it just me?
Agreed. Wyden is my senator so I may be a bit biased, but I'd want to see his involvement in something like this because he's pretty much the only senator that gets this stuff. Reading that blurb it seems kind of ambiguous - it could potentially lead to some bad places if people who don't understand the issues are writing the bill.
Right. Would be more helpful to view this as fraternizing with confederates, not bipartisanship. Anything Hawley touches is tainted by his role as an insurrectionist.
/s