Mastodon Feed: Post

Boosted by aredridel@kolektiva.social ("Mx. Aria Stewart"):
arclight@oldbytes.space wrote:

Thanks to @meena for prompting this - it's not like I'm some sort of Superior Programming Being whose every line of code is elegant and brilliant and not worthy of the sweaty masses. I'm a tediously average programmer. I detest status-driven gatekeeping. I would like to share my work so the effort can be leveraged by others to do new and useful work. I support some ideal of open source circa 1995 where useful decent quality tooling is freely shared and available.

That is not the environment we live in today. Beyond the individual entitled ankle-biters that harass devs for not doing work they want for free, we now have this extreme corporate bullshit of "open source supply chain", that freely-provided _caveat utilitor_ code should be treated like code acquired under a commercial procurement agreement with formal specs, requirements, and standards for security, quality, and lifecycle management.

I work in this space in my day job, I'm the one who sets and verifies those specs for our acquired codes, and I'm going to say flat out that, absent an explicit agreement with a supplier, all that supply chain and capital-P procurement activity is *solely* on the code user, not on the code author, full stop. Screw off with that CTO/infosec/bureaucrat thinking. Into the sea with you.

For those of you in the back:
_IF THAT PROCUREMENT AND ASSURANCE WORK IS IMPORTANT TO YOUR ORGANIZATION, YOUR ORGANIZATION NEEDS TO PAY FOR IT_.

Further:
_WITHOUT AN EXPLICIT AGREEMENT, NOBODY IS REQUIRED TO PROVIDE THAT SERVICE TO YOU AT ANY PRICE_.

And finally:
_WHAT PART OF 'USE AT YOUR OWN RISK' IS UNCLEAR TO YOU?_

I will curse all day long about research-grade software being built and distributed by organizations who explicitly know they are working on nuclear safety applications and do not perform adequate diligence in design, implementation, and testing. This goes beyond #ResearchSoftwareEngineering - it's production software engineering practice. These are organizations who absolutely know how their code is used (we have monthly meetings with them). I hold these organizations and individuals to a higher standard because this is quite literally our jobs.

By contrast, this is not the job of @bagder, and expecting or demanding he do some corporation's or industry's V&V and SQA work is laughable; expecting him to do it _for free_ is arrogant, insulting, and delusional.

But this is where we are now with sharing our code. Ethically, I believe anyone who puts their code in public bears some personal responsibility to ensure it's of a reasonable level of quality, functionality, and security. It's as if you were bringing homemade food to a potluck - the expectation is that it's edible and not spoiled or adulterated. You aren't expected to disclose every significant allergen, provide a list of ingredients, or a nutritional statement but you're expected to wash your hands, use clean utensils and ingredients of good quality, and ensure the food is cooked all the way through.

That's gatekeeping, absolutely, and I won't apologize for setting that demand or an analogous one for "potluck" software.

I am old enough to remember Matt's Script Archive and I have seen what happens when we don't do this sort of positive gatekeeping. For those unfamiliar, Matt was the Typhoid Mary of insecure internet software and his formmail.pl script was the poster child for bad and dangerous code you found for free on the internet. https://en.wikipedia.org/wiki/Matt%27s%5FScript%5FArchive

And while I appreciate he was a teenager when he posted most of that code, as an adult he was repeatedly told how damaging his code was and yet he kept distributing broken versions for YEARS.