So the Department of Energy emailed me (opens in new tab)

(daniel.haxx.se)

51 pointsKirce1y ago7 comments

7 comments

As a US taxpayer, charge them.

Charge them, and make sure they understand why - they’re benefiting, and have been benefiting, from software developed at no cost to them. If they want anything, it needs to cost them; otherwise, …

ggm1y ago

There's going to be a lot more of this, as people in gov work out how tenuous their links to supply chain logistics behind software systems are. When shit hits the fan and you trace it back to libcurl, as a government employee you want to be able to show you at least tried to acknowledge the risk existed, no?

I love open source, I love free software. I do actually want my government to front up and acknowledge the risks in building systems to depend on it, and not understanding its precarious nature.

An example from nearly 20 years ago is the CMU SNMP library which was embedded in Cisco routers. Maaaaasive worldwide CVE risk which had to be ameliorated, all because of a rational free s/w inclusion. The code was already 10 years old at that point. I doubt anyone from CMU was in the loop.

I've also seen the other side: I wrote a 2 line patch to some free s/w and I had to invoke lawyers for a sign-off requested by the s/w org. We were happy, but it's not exactly zero-risk to accept inputs now, if you're in the business of giving code away.

defrost1y ago

It's a beautiful response:

    Hello Department of Energy,

    I cannot find that you are an existing customer of ours, so we cannot fulfill this request.

    libcurl is a product we work on. It is open source and licensed under an MIT-like license in which the distribution and use conditions are clearly stated.

    If you contact support@wolfssl.com we can remedy this oversight and can then arrange for all the paperwork and attestations you need.

cut to: Support and Maintenance

    24x7 & Long Term Support (1 year): $50,000

https://www.wolfssl.com/products/support-and-maintenance/

I imagine for the DoE to get the guarantees they want it might expand somewhat.

metadat1y ago

Good, that's crazy and unreasonable to email a company demands (legal and otherwise) when you don't have any contract and have never paid them a dime.

pwg1y ago

Indeed. However this is also the result of "checkbox security". Someone at the DOE has a security compliance form with a list of checkboxes they must check, one of which reads something like: "dependencies are developed in accordance with M-26-34 procedures". They have some custom project created by some contractor (who may or may not be around anymore) that links to libcurl. Therefore, in order to "check the box" on their compliance form about their custom project, they have to find out if libcurl is developed in accordance with M-26-34, and an email such as this one is created and sent.

acdha1y ago

I’d also bet that this was handed off to a contractor with minimal room for discretion, like when you have an absurd discussion on the phone with someone at a large company and have to remember that they were given rules and are choosing the “don’t get fired” option.

feketegy1y ago

This happens all the time in enterprise software too. Everybody is covering their ass at these places and nobody is "brave" enough to say anything directly, hence the wording of these reports/emails/assessments.

j / k navigate · click thread line to collapse