Unpopular opinion: It is reasonable to describe random crap by volunteers with no warranty as part of a "supply chain" if it turns out a business is inhaling the random crap into their product. If a company's supply chain was to get their office furniture by driving around and seeing if anyone was throwing out couches on garbage day, that would be a supply chain; it would just be an obviously foolish one.
Wait, I think I withdraw my above statement because "demand chain" / "software demand chain" is just too good.
@mcc it also works really well at exposing the attack surface and whose fault it is. "It's a demand chain vulnerability because you went out of your way to obtain code from some random unpaid unknown actor and run it within your machine. You moron"

@elrohir It's not like there are greater assurances provided if the code is written by some known actor who/that gets paid.

@mcc

@mkj @elrohir When I pay someone money, I expect I get assurances in return.
@mcc @mkj @elrohir Clearly that is not the industry norm these days...
@dalias @mcc @mkj @elrohir At least you have *some* influence on how much time the person spends to work on the project.
Not that this wouldn't still lead to the situation that companies ask for way more than they pay for.