GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

  1. Poul-Henning Kamp (bsdphk@fosstodon.org)'s status on Wednesday, 16-Apr-2025 19:00:57 JST

    I understand why the "security industry" which feeds off the CVE register is upset about its potential demise.

    But let's face it: MITRE's CVE register was a prototype, built in a world where there were (only!) 231 known security vulnerabilities in total.

    We have learned a lot from that prototype.

    It has shown us how big the problem is, that the IT-industry will not and can not solve the problem, and how to accidentally create fertile ground for organized crime with good intentions.

    1/2

    In conversation about 2 months ago from fosstodon.org permalink

    • Haelwenn /элвэн/ :triskell: likes this.
    • Andrew Zonenberg (azonenberg@ioc.exchange)'s status on Wednesday, 16-Apr-2025 23:26:16 JST
      in reply to
      • Phil M0OFX

      @bsdphk @philpem That's like Signal's kill switch which I strongly disagree with.

      Software should be patched because someone found a bug, not to create change for change's sake. This sort of thing encourages a constant flood of unnecessary updates where they have to reset the kill switch and then add more stuff too.

      All software should aspire to the level of stability of e.g. GNU coreutils, where the "stat" command has received eight commits in the past year including two that only changed comments and several that were code refactorings that renamed things to be more internally consistent without any binary modifications.

      It should be possible for a piece of code to be *finished*. Last planned release has happened, it's feature complete and in active use, bugs will be fixed if found, but otherwise there's no reason to change it.

      In conversation about 2 months ago permalink

    • Poul-Henning Kamp (bsdphk@fosstodon.org)'s status on Wednesday, 16-Apr-2025 23:26:17 JST
      in reply to
      • Phil M0OFX

      @philpem

      I think all connected software/hardware needs to have a timer and detach themselves from the net, if it is not reset by periodic software updates.

      Mind you: "Detach from the net" not "stop functioning".

      In conversation about 2 months ago permalink
      Alfred M. Szmidt repeated this.
    • Poul-Henning Kamp (bsdphk@fosstodon.org)'s status on Wednesday, 16-Apr-2025 23:26:18 JST
      in reply to

      Now is the time to throw away the prototype and implement changes which will work.

      1. Full and unconditional product liability for all software.
      2. Mandatory recalls of unsafe software products.
      3. Mandatory open sourcing of all systemically important software. ("OS", not "FOSS")
      4. Mandatory independent 3rd party review of all systemically important software.
      5. Mandatory reporting to independent accident investigation authority, with law-given full access to all aspects.

      2/2

      In conversation about 2 months ago permalink
    • Phil M0OFX (philpem@digipres.club)'s status on Wednesday, 16-Apr-2025 23:26:18 JST
      in reply to

      @bsdphk The first one alone would be great. My worry about the second is that it could be misused and twisted in an anti-consumer way.
      For instance, a plausibility shield for companies to remove non-enshittified software from the market. 'All software must have a kill switch'

      In conversation about 2 months ago permalink


GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.