• jntesteves@lemmy.world · 32 points · 1 year ago

    This article lacks focus and mixes unrelated security concepts in questionable ways. It ends like just an ad for Wolfi. Don’t get me wrong, Wolfi is neat, it’s probably deserving of being talked up. But it doesn’t solve the supply-chain issues pointed out by the article (it doesn’t even try). Supply-chain attacks are currently not a major issue in Linux distributions, and enterprises are already tackling the issue of provenance elsewhere, and the article itself notes that. Dependency management for enterprise software is NOT the responsibility of Linux distros. So what is the point of the article? To me, this article is security mumble jumbo.

  • michaelrose@lemmy.ml · 20 points · 1 year ago

    Are we suggesting that rich people who get a product for free and use it to forklift more piles of money into their Scrooge McDuck-like vault ought to demand more accountability from the people who provided the free forklift?

    How about they pay for that?

  • Sina@beehaw.org · 6 points · 1 year ago

    They’re installing packages to get the latest and greatest as fast as possible but losing trust guarantees in the process.

    Okay…

  • andruid@lemmy.ml · 6 points · 1 year ago

    We need to normalize companies stepping up to pay for security development for the open-source products they utilize. If companies aren’t putting FTEs toward covering the risk of using a product or service, then they should be held liable for any damages that causes them or their customers. This applies to more than FOSS and to more than CVEs, but also to critical errors that cause delays in business continuity.

    The issue is that many in the C-suite are just now understanding this, and many justice systems seem behind on this.

  • Perroboc@lemmy.world · 4 points · 1 year ago

    Matt Asay runs developer relations at MongoDB. The views expressed herein are Matt’s and do not reflect those of his employer.

    Well that explains a lot