I've seen better coverage but less depth from commercial entities. I just referred a Kobo bug to the in-house counsel, as the assigned support creature could neither understand the problem nor the process.

I used to work with their lawyer at Lexis Nexis: that's not a common kind of situation (;-))

In the open source world, one arguably only needs to convince a peer that something is wrong, not a legal representative of the company that they're at risk.

--dave


On 2020-11-21 12:06 p.m., D. Hugh Redelmeier via talk wrote:
| From: David Thornton via talk <talk@gtalug.org>
| Date: Fri, 20 Nov 2020 15:25:42 -0500

Thanks for reviving this thread 10 months later.  What prompted you to do 
that?  Note: this is not a complaint.  I continue to think that this is an 
important and unresolved topic.

| As administrators we have a responsibility to vet. Even if it's to
| "delegate" the vetting, we have to vet the delegate.

"have to" means "responsibility to".  Unfortunately, responsibility without 
capability is a recipe for disaster.

Clearly you've thought about this in a setting with customers.  How do you 
discharge this responsibility?

The GPL says: you get what we offer but we accept no responsibility.

Many commercial software contracts and EULAs disclaim responsibility
and forbid using the software in safety-critical settings.  They then
often fall back on saying at most you can get back the purchase cost.

So a responsible decision-maker cannot delegate the responsibility yet has 
no practical or even theoretical tools to discharge the
responsibility.  Except bankruptcy law.

- you can ask your customer / client / employer that "here are the risks 
  that I can imagine, are you willing to accept them?"

- you can make sure that there are no assets available that can be lost 
  when and if problems arise

- you can work to reduce risks.  This quickly hits the law of diminishing 
  returns, long before the risks are eliminated.  But I'm sure we can
  do better than the industry norms, as long as customers
  understand that they must and should pay for the up-front cost.

Customers / clients often think that they are safer with large 
corporations.  In that role, I've found the help from large companies (e.g. 
Microsoft, Sun Microsystems (back in the day), ...) to be inferior 
to help from small companies.  Both are eclipsed by support from FLOSS 
communities.  But support only deals with problems in the future, not 
damage that has happened.

In the area of security, the worst breaches are the ones you never learn 
about.

| Npm is a hot mess, and most people get that now.
| 
| Galaxy / puppetforge / helm stuff ? Take a number.
| 
| It sprouts faster than you can get on it sometimes.
| 
| Pays the mortgage :)

You can't live with them and you can't live without them?
---
Post to this mailing list talk@gtalug.org
Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk
-- 
David Collier-Brown,         | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
dave.collier-brown@indexexchange.com |              -- Mark Twain