[RndTbl] Fw: [SECURITY] Fedora 36 Update: openssl-3.0.8-1.fc36

Alberto Abrao alberto at abrao.net
Wed Feb 22 22:52:46 CST 2023


On 2023-02-22 14:17, Gilbert Detillieux wrote:
> You'd think with the combined wealth and resources of Alphabet/Google, 
> Apple, and Microsoft, they'd find it in their best collective 
> self-interest to fund a project to replace this garbage with some, you 
> know, actually secure code.

1) not having to pay for it; and

2) having a scapegoat for stuff that goes sideways.

Both sound awful to me, but I am not a CEO for a reason...


On 2023-02-22 15:12, Adam Thompson wrote:
> The OpenSSL team, however, appear to be rather resistant to help. 
> Serious NIH syndrome.  Also they're more focused on preserving 
> backwards compatibility than correctness or security.  And also don't 
> respond well to criticism, from what I've seen.

Amusing, isn't it? Every once in a while someone shows up smearing the 
OpenBSD developers for *reasons*, but as far as I can tell they strike 
a good balance between stability - avoiding changes for the sake of it 
- while regularly dropping the dead weight to make things secure and to 
move forward. A reasonable compromise, if you will.


On 2023-02-22 15:37, Gilbert Detillieux wrote:
> Longer term, maybe a complete re-imagining is what the industry will 
> need to move forward.  Most companies and developers are motivated 
> more by new features than by correctness or security, sadly. 

Let me present the Schrödinger's SysAdmin:

- If things break, well, it's your fault. You shouldn't have messed with 
anything, it was working before. Don't fix what isn't broken.
- If things work, are you even doing anything? If nothing is breaking, 
you must be useless.

It's hard to sell something that, when done, won't change anything as 
far as most people are concerned. No new apparent features; instead, 
potential for disruption and costs. All of that to protect from the 
*threat* - as in something that may or may not happen - of an attack.

At best, you can try and argue that something /could have happened/, but 
didn't. Even if you can prove it, more often than not, someone could 
easily think you're exaggerating to prove a point.

The optimist wishes executives could see the light. The realist knows 
that, as long as someone other than themselves can be blamed, more often 
than not they won't let you do what you must... until the moment where 
you /should have done it./ Then, it's /your fault./ Or, instead, they 
just buy insurance for it, pretend no one could ever have seen it 
coming, and move along.

Yes, some places do see past all the cynicism, and have some 
accountability. But we would not have landed where we are if that 
weren't the exception to the rule, so it is what it is. Let's hope it 
finds a way to go that does not involve a huge BANG.

-- 
Kind regards,
Alberto Abrao