Unpopular opinion: It is reasonable to describe random crap by volunteers with no warranty as part of a "supply chain" if it turns out a business is inhaling the random crap into their product. If a company's supply chain was to get their office furniture by driving around and seeing if anyone was throwing out couches on garbage day, that would be a supply chain, it would just be an obviously foolish one.
Wait I think I withdraw my above statement because "demand chain" / "software demand chain" is just too good
@mcc and the people making demands of that chain? We call them “chain yankers”.

@mcc "software demand chain attack" also works well

(it's a little "Dragon Ball Z" but that may be an advantage)

@mcc it also works really well at exposing the attack surface and whose fault it is. "It's a demand chain vulnerability because you went out of your way to obtain code from some random unpaid unknown actor and run it within your machine. You moron"
@mcc but notice that it also inverts some meanings: a healthy demand chain is _not_ a good thing :)
@mcc People are just skipping a couple steps and jumping to calling companies foolish. Saves time.
@mcc I know I’m the one who reboggled it but I’m not opposed to calling random code from github “the supply chain” so much as acting like it’s not a chain with a bunch of obviously rusty links it’d be malpractice to pull on

@0xabad1dea @mcc this is why I have consistently found that the fastest way to get people to shut the fuck up about the "supply chain" is to actually show them what is *in* their "supply chain."

"And here we have a 7 year old abandoned Docker image ripe for dependency hijack, a 6 year out of date GPLv3 library with no maintainers we're violating the shit out of the license on, a shell script running as root from someone's Gist from 2016..."

@mcc right, like, it's not that it's unreasonable, it's that it guides the discussion in certain ways... we would prefer to push back against the idea that people contributing the commons owe anything to corporations pillaging it, on our own rhetorical terrain and not on the terrain of capital.
@mcc like, accepting the "supply chain" frame obscures more than it clarifies about what's going on, and it requires us to explicitly say things like "there is no contractual relationship" and "that violates the author's intent" as part of every point we make, over and over
@ireneista @mcc from what I can tell looking at the SEC regs, it looks like if a publicly traded company in the USA is using software from a maintainer who has already disclosed an unmet need for funding (for anything related to security) then the company likely has a "material" cybersecurity issue that they would have to disclose to shareholders
@dmarti @mcc oh that's fascinating, for several reasons
@dmarti @ireneista @mcc "everything is securities fraud" once again
@mcc Yes, we absolutely consider that to be part of the supply chain. It's just higher risk than working with established companies under contract, and there aren't as many options for steps to handle service disruptions / loss of vendor scenario planning. Plus the need for performing source code scans and audits either internally or through a third party. -GRC expert
@mcc Also love how "supply chain security" companies contribute exactly 0 money to the supply they claim to secure.
@mcc People who think that exploitation and random junk aren't a "supply chain" are in for some bad news about real-world physical supply chains
@mcc But... they included free bedbugs! Usually you have to pay for them and it's quite a penny.

@mcc

What is this in reference to?

@The4thCircle
Companies use open-source software and then treat the authors as suppliers they can demand/expect support/paperwork/... from. And there understandably is pushback along the lines of "if we don't have a contract you don't get to demand things, we're not suppliers". E.g. a popular blogpost was https://www.softwaremaxims.com/blog/not-a-supplier :
"You are not buying from a supplier, you are a raccoon digging through dumpsters for free code. "
I am not a supplier

For the past few years, we have seen a lot of discussions around the concept of the Software Supply Chain. These discussions started around the time of LeftPad and escalated with multiple incidents in the past few years. The problem of all the work in this domain is that it forgets a fundamental point.

@The4thCircle (and maybe the triggering event today: over the weekend a few banking apps broke down because they used a random single-dev open-source library for security and it couldn't handle a change in an API it relies on. And apparently nobody had really bothered to properly vet it before using it)

@The4thCircle @mcc

I'm assuming at least tangentially related to the libxml2 maintainer recently saying (my interpretation, may be inaccurate) that security vulnerabilities will be treated like normal bugs and anyone who has a problem with that can stop depending on it

https://gitlab.gnome.org/GNOME/libxml2/-/issues/913

Triaging security issues reported by third parties (#913) · Issues · GNOME / libxml2 · GitLab

I have to spend several hours each week dealing with security issues reported by third parties. Most of these issues aren't critical but it's still a lot of...


@gbargoud @The4thCircle it was from observing this conversation, which I had a variety of reactions to various components of (but was only able to form words to the response about the fairly narrow terminology issue)

https://infosec.exchange/@dymaxion/112200809969072342

Eleanor Saitta (@dymaxion@infosec.exchange)

@Di4na@hachyderm.io Cool. Enjoy your personal liability for indirect damage. @raito@nixos.paris @whitequark@mastodon.social @rst@mastodon.social @tinker @AndresFreundTec@mastodon.social


@mcc I dislike the presented dichotomy of "good proprietary code" and "trash OSS". First, there _is_ high-quality OSS, otherwise OSS wouldn't drive most software. Second, professionals putting out products under OSS licenses _do_ have, in my mind, more responsibility than "throwing out trash" implies; namely, best effort. I look at them more like a non-profit: you don't get to demand things from them, but also they don't get to harm you.

Enterprises should certainly do more in terms of funding OSS -- although I shudder to imagine entering an actual contract with liabilities in order to get funding for OSS work. At the same time, OSS maintainers have _some_ responsibility, and certainly _accountability_ for the things they put out. At least label your abandonware, people; else, bump dependencies, pull bad releases, plug security holes.

@OmegaPolice I think that having a defined support contract with your software vendors is good

@mcc I don't see that happening for most of those one-person projects we are talking about (are we?). How do you even negotiate that? Would they pay you for "best effort"? Can you commit to more?

Sure, entities like the Apache Foundation or bigger projects with existing funding may be able to pull that off, to act like B2B-entities. Others ...

Is that an intended side effect of the proposal? That is, remove "small" OSS from the corporate stack and consolidate in a few, company-like organisations? Or am I missing something?