As always with plastic recycling: the whole concept of plastic recycling is just a "don't think about it, just buy it".
OSS, on the other hand, has the downside of being free.
That means it's:
- massively underfunded because nobody donates
- no SLA-style contracts to hold anyone accountable
- most of the time no 3rd party security audits, because free software (especially libraries or system tools) doesn't go through procurement and thus doesn't require them
- everyone expects that "someone" will have already reviewed it because the code is open and used by millions of projects, while in reality it is maintained by some solitary hero hacking away in his basement
If stuff like OpenSSL was CSS, it would be at least a mid-sized company making lots of revenue (because it's used everywhere, even small license fees would rack up lots of revenue), with dozens of specialists working there, and since it would go through procurement there would be SLAs and 3rd party security audits.
But since it's FOSS, nobody cares, nobody donates, and it was a single developer working on it until Heartbleed. Then some of the large corporations which based their whole internet security on this single dude's work realized that more funding was necessary, and now it is a company with multiple people working there.
But there are hundreds of other similarly important FOSS projects that are still maintained by a solitary hero not even making minimum wage from it. As shown with the .xz near miss.
Just imagine that: nobody in their right mind would run a random company's web app with just one developer working in their spare time. That would be stupid to do, even though really nothing depends on that app.
But most of our core infrastructure for FOSS OSes and internet security depends on hundreds of projects maintained by just a single person in their free time.
Looks really nice! I'll check that out!
So sad he stopped doing his regular videos. (Though I totally understand his reasoning.)
HTML5 + CSS3 seems to be Turing complete too: https://lemire.me/blog/2011/03/08/breaking-news-htmlcss-is-turing-complete/
They aren't wrong. Tariffs could help bring the upcoming Samsung A17 to $1000-1200.
In my country, the written final exams include a Q&A section at the beginning of the test, where the teacher and the headmaster are present, and where they present the tasks and students are allowed to ask questions. After that section, the headmaster leaves and students and teachers aren't allowed to talk for the rest of the test.
I noticed a missing specification in one of the tasks. It was a 3D geometry task, and it was missing one angle, thus allowing for infinite correct results. During the Q&A section I asked about that, and my teacher looked sternly past me to the end of the room and said "I am sure the specifications are correct". If there was an actual error in the specifications, the whole test would have been voided and would have to be repeated at a later date, for all the students attending.
As soon as the headmaster was out of the room, he came to me and asked where he made the mistake. He then wrote a fitting spec on the whiteboard.
I liked that guy. He was a good teacher.
That's not what it is, no.
Teachers make mistakes, like any human being, and a good teacher can deal with the fact that they made a mistake and that a student found said mistake.
A teacher who insists on being right over being correct is a bad teacher, because a teacher is supposed to teach a child understanding and knowledge, not blind obedience above anything else.
That's how you end up with a population who agree with the leader even if he tells them the sky is green.
Yeah, if the question was "Is this possible?" then the teacher's answer would be reasonable.
But the "how" in the question implies that it's actually factual and the student should come up with an explanation of how. Which they did perfectly.
That's definitely a problem with every bit of code, that everyone relies on stuff they don't or can't review.
My point is that FOSS provides a false sense of security ("Millions of people use this library. Someone will already have reviewed it.").
But the bigger issue is that FOSS is massively underfunded. If OpenSSL was for-profit, it would be a corporate project with dozens if not hundreds of developers. Nobody would buy a piece of core security infrastructure from a self-employed dude working away in his basement. It would be ridiculous to even think about that. And if this standard component was for-profit, even very low license fees would generate huge amounts of revenue (because it's used in so many places), and this would allow for more developers to be employed.
And since it would be an actual thing that companies would actually buy, they'd demand that third-party security audits of the software would be done, like on any paid-for software that companies use. They'd also demand some SLA contracts that would hold this fictional for-profit OpenSSL accountable for vulnerabilities.
But since it's FOSS, nobody cares. Companies just use it, nobody donates. It's for free, so the decision to use it usually doesn't even go through procurement and anything related to it. I tried to get my old company to donate to OpenSSL in the wake of Heartbleed, and the company said they don't have a process to donate to something, so can't be done.
So everyone just uses this little project created by one solitary hero and nobody pays for it. And so that dude works alone in his basement, with literally the online security of the whole world resting on his shoulders.
Luckily after Heartbleed a lot of large corporations started to donate to OpenSSL, but there are hundreds of other equally important projects that still nobody cares about. As seen e.g. with the .xz near miss.
Are you sure?
All I'm saying is leftPad, if you still remember.
As a programmer I do not believe you when you claim that you read through all the code of all the libraries you include.
Especially with more hardcore dependencies (like OpenSSL), hardly anyone reads through that.
squaresinger
I'm perplexed.
Are they going to keep replacing whatever software they use?