top | item 45285809

(no title)

Snild | 5 months ago

> we should have a software building code

This made my brain go "Oh no, not this again. Open source projects don't owe you..." etc etc.

> or you can't use it commercially or for safety-critical things

Oh. Yeah, okay, absolutely! For safety-critical, I would like to think the responsibility already lies with the integrator/seller, but making it explicitly so can't hurt.

discuss

WJW|5 months ago

> or you can't use it commercially or for safety-critical things

The license for libxml2 (like the license for almost any kind of open source software) already states "THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT." I don't see how you can put the responsibility even more on the integrator/seller than that. It literally states the devs don't even guarantee it works correctly.

elcritch|5 months ago

Safety critical fields like aviation already have strict requirements. Usually there's very few software dependencies used in those projects.

Expanding that to more fields would be interesting, but difficult and expensive across the board. Particularly any sort of requirements like that generally incur significant regulatory and certification overhead.

However, if it was done similar to PCISS as an industry forum it might work better. Especially if certain fields like anything connecting with the electric grid we're required to use certified software.

unknown|5 months ago

[deleted]

0xbadcafebee|5 months ago

Pretty much all construction uses materials which follow a specification. The least we could do is start requiring all commercial software do the following:

  1. Declare an SBOM
  2. Each software component must have a listed specification

We'd then need to make software specifications. Start with the most basic specification possible; "has performed linting", "has full integration test coverage", "has passed QA testing", "has an active maintainer", "lists its license", "does not have a hidden back door", "is free of known vulnerabilities", etc. Make more detailed specifications as-needed (for a particular industry, use case, requirements).

Once we have all that, you can glance at a company's SBOM and find out if they've done the bare minimum due-diligence. We could also make or modify regulations that require these same materials standards, like privacy regulations, financial regulations.

And yes, meeting minimum material standards is more expensive. We already accept that cost in the physical world, why not in the software world? If there's a TDS, SDS, MSDS, etc for physical products, we should have them for software too. I want to know your materials are safe before I use your products. I'm sick of being exposed by companies who are completely irresponsible.