Linux distros need to take more responsibility for security - InfoWorld (www.infoworld.com)
from ijeff@lemdro.id to linux@lemmy.ml on 03 Oct 2023 19:24
https://lemdro.id/post/1949115

#linux


fubo@lemmy.world on 03 Oct 2023 19:30 next collapse

enterprises

… can pay engineers, rather than expecting volunteers to fix everything for them.

HumanPenguin@feddit.uk on 03 Oct 2023 21:07 next collapse

while still paying less than the commercial OSes, which have been the victims of the vast majority of attacks and cost to corps using them.

It's not like other OSes are attack-free, not requiring qualified engineers to keep them protected.

That said, Ubuntu and their snap store are asking for trouble.

tal@kbin.social on 03 Oct 2023 22:02 next collapse

Ehh... Not really a mechanism for that that I can see. I mean, say that there's demand for that, which I can believe. Do I go to a given distro and buy a "security hardened" version? I don't see how that would work. Is the distro going to refrain from incorporating security fixes into the "non-hardened" free version?

jntesteves@lemmy.world on 03 Oct 2023 22:28 collapse

If you have read it, you might have noticed that the theme of the article is a company called Chainguard. Enterprises can pay them and get a secure software supply chain all the way down to the container image. More than that, their container distro is actually free and open-source, anyone can use it for free, it’s a one line change in your build script to go from Alpine to Wolfi. Enterprises can also buy a secure OS for bare-metal from Red Hat, SUSE, etc…

explodicle@local106.com on 04 Oct 2023 14:48 collapse

Do companies ever crowdfund anything for Linux? I can imagine a possible prisoner’s dilemma.

jntesteves@lemmy.world on 03 Oct 2023 22:08 next collapse

This article lacks focus and mixes unrelated security concepts in questionable ways. It ends up as just an ad for Wolfi. Don’t get me wrong, Wolfi is neat, it’s probably deserving of being talked up. But it doesn’t solve the supply-chain issues pointed out by the article (it doesn’t even try). Supply-chain attacks are currently not a major issue in Linux distributions, and enterprises are already tackling the issue of provenance elsewhere, and the article itself notes that. Dependency management for enterprise software is NOT the responsibility of Linux distros. So what is the point of the article? To me, this article is security mumbo jumbo.

Sina@beehaw.org on 04 Oct 2023 14:34 next collapse

They’re installing packages to get the latest and greatest as fast as possible but losing trust guarantees in the process.

Okay…

wim@lemmy.sdf.org on 04 Oct 2023 18:52 collapse

I guess these guys haven’t tried Debian.

michaelrose@lemmy.ml on 04 Oct 2023 19:40 next collapse

Are we suggesting that rich people who get a product for free and use it to forklift more piles of money into their Scrooge McDuck-like vault ought to demand more accountability from the people who provided the free forklift?

How about they pay for that?

Perroboc@lemmy.world on 05 Oct 2023 10:45 next collapse

Matt Asay runs developer relations at MongoDB. The views expressed herein are Matt’s and do not reflect those of his employer.

Well, that explains a lot.

andruid@lemmy.ml on 05 Oct 2023 19:53 collapse

We need to normalize companies stepping up to pay for security development for open-source products they utilize. If companies aren’t putting FTEs to cover their risk of using a product or service, then they should be held liable for any damages that causes them or their customers. This is for more than FOSS and for more than CVEs, but also critical errors that cause delays in business continuity.

The issue is many C-suites are just now understanding this, and many justice systems seem behind on this.