A place to cache linked articles (think custom and personal wayback machine)
Du kan inte välja fler än 25 ämnen Ämnen måste starta med en bokstav eller siffra, kan innehålla bindestreck ('-') och vara max 35 tecken långa.

index.html 17KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237
  1. <!doctype html><!-- This is a valid HTML5 document. -->
  2. <!-- Screen readers, SEO, extensions and so on. -->
  3. <html lang="fr">
  4. <!-- Has to be within the first 1024 bytes, hence before the `title` element
  5. See: https://www.w3.org/TR/2012/CR-html5-20121217/document-metadata.html#charset -->
  6. <meta charset="utf-8">
  7. <!-- Why no `X-UA-Compatible` meta: https://stackoverflow.com/a/6771584 -->
  8. <!-- The viewport meta is quite crowded and we are responsible for that.
  9. See: https://codepen.io/tigt/post/meta-viewport-for-2015 -->
  10. <meta name="viewport" content="width=device-width,initial-scale=1">
  11. <!-- Required to make a valid HTML5 document. -->
  12. <title>Software Maxims (archive) — David Larlet</title>
  13. <meta name="description" content="Publication mise en cache pour en conserver une trace.">
  14. <!-- That good ol' feed, subscribe :). -->
  15. <link rel="alternate" type="application/atom+xml" title="Feed" href="/david/log/">
  16. <!-- Generated from https://realfavicongenerator.net/ such a mess. -->
  17. <link rel="apple-touch-icon" sizes="180x180" href="/static/david/icons2/apple-touch-icon.png">
  18. <link rel="icon" type="image/png" sizes="32x32" href="/static/david/icons2/favicon-32x32.png">
  19. <link rel="icon" type="image/png" sizes="16x16" href="/static/david/icons2/favicon-16x16.png">
  20. <link rel="manifest" href="/static/david/icons2/site.webmanifest">
  21. <link rel="mask-icon" href="/static/david/icons2/safari-pinned-tab.svg" color="#07486c">
  22. <link rel="shortcut icon" href="/static/david/icons2/favicon.ico">
  23. <meta name="msapplication-TileColor" content="#f7f7f7">
  24. <meta name="msapplication-config" content="/static/david/icons2/browserconfig.xml">
  25. <meta name="theme-color" content="#f7f7f7" media="(prefers-color-scheme: light)">
  26. <meta name="theme-color" content="#272727" media="(prefers-color-scheme: dark)">
  27. <!-- Is that even respected? Retrospectively? What a shAItshow…
  28. https://neil-clarke.com/block-the-bots-that-feed-ai-models-by-scraping-your-website/ -->
  29. <meta name="robots" content="noai, noimageai">
  30. <!-- Documented, feel free to shoot an email. -->
  31. <link rel="stylesheet" href="/static/david/css/style_2021-01-20.css">
  32. <!-- See https://www.zachleat.com/web/comprehensive-webfonts/ for the trade-off. -->
  33. <link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_regular.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
  34. <link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_bold.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
  35. <link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_italic.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
  36. <link rel="preload" href="/static/david/css/fonts/triplicate_t3_regular.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
  37. <link rel="preload" href="/static/david/css/fonts/triplicate_t3_bold.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
  38. <link rel="preload" href="/static/david/css/fonts/triplicate_t3_italic.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
  39. <script>
  40. function toggleTheme(themeName) {
  41. document.documentElement.classList.toggle(
  42. 'forced-dark',
  43. themeName === 'dark'
  44. )
  45. document.documentElement.classList.toggle(
  46. 'forced-light',
  47. themeName === 'light'
  48. )
  49. }
  50. const selectedTheme = localStorage.getItem('theme')
  51. if (selectedTheme !== 'undefined') {
  52. toggleTheme(selectedTheme)
  53. }
  54. </script>
  55. <meta name="robots" content="noindex, nofollow">
  56. <meta content="origin-when-cross-origin" name="referrer">
  57. <!-- Canonical URL for SEO purposes -->
  58. <link rel="canonical" href="https://www.softwaremaxims.com/blog/not-a-supplier">
  59. <body class="remarkdown h1-underline h2-underline h3-underline em-underscore hr-center ul-star pre-tick" data-instant-intensity="viewport-all">
  60. <article>
  61. <header>
  62. <h1>Software Maxims</h1>
  63. </header>
  64. <nav>
  65. <p class="center">
  66. <a href="/david/" title="Aller à l’accueil"><svg class="icon icon-home">
  67. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-home"></use>
  68. </svg> Accueil</a> •
  69. <a href="https://www.softwaremaxims.com/blog/not-a-supplier" title="Lien vers le contenu original">Source originale</a>
  70. </p>
  71. </nav>
  72. <hr>
  73. <p>For the past few years, we have seen a lot of discussions around the concept of the Software Supply Chain. These discussions started around the time of LeftPad and escalated with multiple incidents in the past few years. The problem of all the work in this domain is that it forgets a fundamental point. </p>
  74. <p>Before we get there, I am going to define what is usually meant by Supply Chain and suppliers, why we are applying to software. And then why attempts at bringing FOSS under that definition are deeply misguided.</p>
  75. <h2 id="the-concept">The concept</h2>
  76. <p>In the past couple of decade, we have seen the rise of Free and Open Source Software (FOSS). In particular, this has enabled a massive growth of the reuse of pieces of codes, packaged as libraries. This has been possible due to a massive ecosystem of infrastructure that bloomed around that idea. Package Managers exist for every programming language environment under the sun nowadays, with central repositories holding the metadata needed to find the libraries and handle their distributions.</p>
  77. <p>This has been possible due to the FOSS Licences being pretty lenient, enabling a reuse and remix of these libraries without the massive legal and financial headache that would come otherwise. A modern software project will probably have hundreds if not thousands of these dependencies, from OpenSSL to a test framework or a datepicker, across a wide spectrum covering things like a JSON encoder/decoder library or even the libc of the OS it is deployed on.</p>
  78. <p>This ecosystem of dependencies, a lot of them transitive (dependencies of a dependency), is what the Software Supply Chain model calls the Supply Chain of the project. Inside this model we will find tools that help manage it, like a Software Bill Of Materials (SBOM) that is supposed to hold the information of what libraries are used for this project, where they were found, which version, some hash of the content, etc.</p>
  79. <h2 id="what-is-a-supply-chain">What is a Supply Chain</h2>
  80. <p>The idea of a Supply Chain does not come out of nowhere of course. In the manufacturing industry, the supply chain is the long chain of suppliers needed to produce a particular factory’s output. As an example, if you assemble cars, you need seats, a lot of screws, cables, electronics, all kinds of stamped metal sheets, … Your cable supplier needs copper, plastic, energy and probably all kinds of machine tools. Machine tools that probably need other machine tools to be built, screws, bolts, nuts, some electronics too… And we can keep going through this long game of “what do you need to produce this car” until your diagram looks like a massive spaghetti ball.</p>
  81. <p>And then someone in an unknown small factory in Germany gets sick and it happens that five levels higher in the chain everyone depends on their particular bolt, and we are all screwed. A version of this problem happened early in the work to deliver the vaccine for the Covid19, when supply chain specialists realised they would need a lot more glass vials than could be produced in a year worldwide.</p>
  82. <p>In order to avoid this kind of snag five levels deep in the chain that would end up stopping their valuable production, manufacturing companies have spent a lot of effort over the years to build relationships with their suppliers, at every level of the process. It is both a really deep relationship and usually never enough, but isn’t that the case of every complex system?</p>
  83. <h2 id="why-do-we-talk-of-software-supply-chain-today-">Why do we talk of Software Supply Chain today ?</h2>
  84. <p>Well because companies keep discovering that they have big problems in their products, and that it does not come from the code their software engineers wrote. The problem can come from the owner of a library deciding to stop providing access to it (Leftpad for example) and breaking half the Internet.</p>
  85. <p>Or it could come from a massive library used for mundane digital infrastructure (Like OpenSSL or Log4J) discovering they have massive security problems that make half the Internet easy to pwn.</p>
  86. <p>Or someone could talk to the people owning these libraries, convince them they are here to help, get access and add a crypto mining code to it for their own profit (so many cases that I do not know where to start).</p>
  87. <p>Or the owner of the code could decide that he does not like people supporting a warmongering regime, so he will add code that destroys the computer of the engineers using his code, if they live in this part of the world (yes there have been a few instances of this too).</p>
  88. <p>And then, everyone in these companies discover that their product is open to spooky “action at a distance” from code they did not know about. So the concept of “Software Supply Chain” comes in, to define all the things that need to be done by the people in the supply chain, the owners of these libraries, in order to be good citizens that do not break companies using the code downstream.</p>
  89. <p>These rules govern things like how we test the code, how we protect who has access to it, how we release versions, how we validate its safety, how we organise work on the code, how we protect our personal accounts that control the code, etc</p>
  90. <h2 id="i-am-not-a-supplier">I am not a supplier</h2>
  91. <p>There is a small problem here. We are not suppliers. All the people writing and maintaining these projects, we are not suppliers. We do not have a business relationship with all these organisations. We are volunteers, writing code and putting it online under these Licences. And yes, we put it online for people to use them. But we do not get anything from it.</p>
  92. <p>Hell even worse, a lot of the libraries that underpin the fabric of what we all call the digital economy <em>have trouble getting enough money to pay for food</em>. On this topic, I strongly advise everyone to take the time to read <a href="https://www.fordfoundation.org/work/learning/research-reports/roads-and-bridges-the-unseen-labor-behind-our-digital-infrastructure/">Nadia Eghbal Road and Bridges report</a> to realize the depth of the problem. It is a bit old, as it was written in the aftermath of HeartBleed, but it is as relevant today as it was at the time.</p>
  93. <p>Or for a funnier, more visual explanation, <a href="https://xkcd.com/2347/">XKCD 2347</a></p>
  94. <p><img src="https://imgs.xkcd.com/comics/dependency.png" alt='XKCD 2347, image of a stack of blocks, labelled "All modern digital infrastructure", with one small block holding the whole stack stable labelled "A project some random person in Nebraska has been thanklessly maintaining since 2003'></p>
  95. <p>And we know it. This is why in every single one of these licences, that govern the rules to reuse the work we put online in these libraries, you will find this paragraph, copied verbatim.</p>
  96. <blockquote>
  97. <p>THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.</p>
  98. </blockquote>
  99. <p>It may feel a bit legalese, and yes, it shouts at you, but I can summarise it pretty easily. If you use this, I owe you nothing. At all. We have no relationship. I put this up online on the condition that if you use it, all the risks are on you.</p>
  100. <p>What it means is that there is no supply chain here. Because there is no supplier. I am not providing you something that you bought from me. There is no relationship. I put something online because I wanted to. The fact you made your product depend on it is <em>your responsibility</em>. Not mine. Not the one of the providers. We provide libraries. We do not supply them. You cannot apply rules to me.</p>
  101. <p>And quite honestly, I am not going to accept them. I barely have time to spend on doing the work on the FOSS libraries I maintain and doing so regularly burns out the people doing it.</p>
  102. <p>Now, I am more than happy to become a supplier. You want me to work a certain way, I am more than happy to do it. But to do that, I am going to have to become a supplier. Which means you are going to have to start to pay me. A fair price, that we can negotiate. Under a different licence.</p>
  103. <p>Until then, I am not your supplier. So all your Software Supply Chain ideas? You are not buying from a supplier, you are a raccoon digging through dumpsters for free code. So I would advise you to put these rules in the same dumpster. And remember. I am not a supplier. Because</p>
  104. <blockquote>
  105. <p>THIS SOFTWARE IS PROVIDED “AS IS”</p>
  106. </blockquote>
  107. </article>
  108. <hr>
  109. <footer>
  110. <p>
  111. <a href="/david/" title="Aller à l’accueil"><svg class="icon icon-home">
  112. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-home"></use>
  113. </svg> Accueil</a> •
  114. <a href="/david/log/" title="Accès au flux RSS"><svg class="icon icon-rss2">
  115. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-rss2"></use>
  116. </svg> Suivre</a> •
  117. <a href="http://larlet.com" title="Go to my English profile" data-instant><svg class="icon icon-user-tie">
  118. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-user-tie"></use>
  119. </svg> Pro</a> •
  120. <a href="mailto:david%40larlet.fr" title="Envoyer un courriel"><svg class="icon icon-mail">
  121. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-mail"></use>
  122. </svg> Email</a> •
  123. <abbr class="nowrap" title="Hébergeur : Alwaysdata, 62 rue Tiquetonne 75002 Paris, +33184162340"><svg class="icon icon-hammer2">
  124. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-hammer2"></use>
  125. </svg> Légal</abbr>
  126. </p>
  127. <template id="theme-selector">
  128. <form>
  129. <fieldset>
  130. <legend><svg class="icon icon-brightness-contrast">
  131. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-brightness-contrast"></use>
  132. </svg> Thème</legend>
  133. <label>
  134. <input type="radio" value="auto" name="chosen-color-scheme" checked> Auto
  135. </label>
  136. <label>
  137. <input type="radio" value="dark" name="chosen-color-scheme"> Foncé
  138. </label>
  139. <label>
  140. <input type="radio" value="light" name="chosen-color-scheme"> Clair
  141. </label>
  142. </fieldset>
  143. </form>
  144. </template>
  145. </footer>
  146. <script src="/static/david/js/instantpage-5.1.0.min.js" type="module"></script>
  147. <script>
  148. function loadThemeForm(templateName) {
  149. const themeSelectorTemplate = document.querySelector(templateName)
  150. const form = themeSelectorTemplate.content.firstElementChild
  151. themeSelectorTemplate.replaceWith(form)
  152. form.addEventListener('change', (e) => {
  153. const chosenColorScheme = e.target.value
  154. localStorage.setItem('theme', chosenColorScheme)
  155. toggleTheme(chosenColorScheme)
  156. })
  157. const selectedTheme = localStorage.getItem('theme')
  158. if (selectedTheme && selectedTheme !== 'undefined') {
  159. form.querySelector(`[value="${selectedTheme}"]`).checked = true
  160. }
  161. }
  162. const prefersColorSchemeDark = '(prefers-color-scheme: dark)'
  163. window.addEventListener('load', () => {
  164. let hasDarkRules = false
  165. for (const styleSheet of Array.from(document.styleSheets)) {
  166. let mediaRules = []
  167. for (const cssRule of styleSheet.cssRules) {
  168. if (cssRule.type !== CSSRule.MEDIA_RULE) {
  169. continue
  170. }
  171. // WARNING: Safari does not have/supports `conditionText`.
  172. if (cssRule.conditionText) {
  173. if (cssRule.conditionText !== prefersColorSchemeDark) {
  174. continue
  175. }
  176. } else {
  177. if (cssRule.cssText.startsWith(prefersColorSchemeDark)) {
  178. continue
  179. }
  180. }
  181. mediaRules = mediaRules.concat(Array.from(cssRule.cssRules))
  182. }
  183. // WARNING: do not try to insert a Rule to a styleSheet you are
  184. // currently iterating on, otherwise the browser will be stuck
  185. // in a infinite loop…
  186. for (const mediaRule of mediaRules) {
  187. styleSheet.insertRule(mediaRule.cssText)
  188. hasDarkRules = true
  189. }
  190. }
  191. if (hasDarkRules) {
  192. loadThemeForm('#theme-selector')
  193. }
  194. })
  195. </script>
  196. </body>
  197. </html>