OSS on the other side has the downside of being free.

That means it’s:

• massively underfunded because nobody donates
• no SLA-style contracts to hold anyone accountable
• most of the time no 3rd party security audits because free software (especially libraries or system tools) don’t go through procurement and thus don’t require them
• everyone expects that “someone” will have already reviewed it becouse the code is open and used by millions of projects, while in reality they are maintained by some solitary hero hacking away in his basement

If stuff like OpenSSL was CSS, it would be at least a mid-sized company making lots of revenue (because it’s used everywhere, even small license fees would rack up lots of revenue), with dozens of specialists working there, and since it would go through procurement there would be SLAs and 3rd party security audits.

But since it’s FOSS, nobody cares, nobody donates and it was a singular developer working at it until heartbleed. Then some of the large corporations which based their whole internet security on this singular dude’s work realized that more funding was necessary and now it is a company with multiple people working there.

But there are hundreds of other similarly important FOSS projects that are still maintained by a solitary hero not even making minimum wage from it. Like as shown with the .xz near miss.

Just imagine that: nobody in their right mind would run a random company’s web app with just one developer working in their spare time. That would be stupid to do, even though really nothing depends on that app.

But most of our core infrastructure for FOSS OSes and internet security depends on hundreds of projects maintained by just a single person in their free time.

If the teacher was so wrong, explain to me how a majority of the students would have understood that question and been able to figure out the correct answer and provided the correct format?

But did they? How do you know? Have you seen the other students’ assignments?

Most likely, this specific task wasn’t actually a homework task at all but created just for this meme.

But teachers like this exist, and I stand by that that these teachers are wrong. Understanding and actually thinking about a problem are much more important skills than to obey blindly and follow pre-set directions without even reading what the question actually says.

I’d say, a student that answers the question as expected is failing in regards to reading comprehension.

And from my experience, if a question is worded as wrongly as the one in the meme, then half the class will have it wrong and there will be a group of parents at the next parent-teacher conference complaining about it.

True, even with the “Is this possible?” the student’s answer should have been ok. But with the “how” the teacher’s answer is plainly wrong.

In my country, the written final exams include a Q&A section in the beginning of the test, where the teacher and the headmaster are present, and where they present the tasks and students are allowed to ask questions. After that section, the headmaster leaves and students and teachers aren’t allowed to talk for the rest of the test.

I noticed a missing specification in one of the tasks. It was a 3D geometry task, and it was missing one angle, thus allowing for infinite correct results. During the Q&A section I asked about that, and my teacher looked sternly past me to the end of the room and said “I am sure the specifications are correct”. If there was an actual error in the specifications, the whole test would have been voided and would have to be repeated at a later date, for all the students attending.

As soon as the headmaster was out of the room, he came to me and asked where he made the mistake. He then wrote a fitting spec on the whiteboard.

I liked that guy. He was a good teacher.

That’s not what it is, no.

Teachers make mistakes, like any human being, and a good teacher can deal with the fact that they made a mistake and that a student found said mistake.

A teacher who insists on being right over being correct is a bad teacher, because a teacher is supposed to teach a child understanding and knowledge, not blind obedience above anything else.

That’s how you end up with a population who agree with the leader even if he tells them the sky is green.

Yeah, if the question was “Is this possible?” then the teacher’s answer would be reasonable.

But the “how” in the question implicates that it’s actually factual and the student should come of with an explanation how. Which they did perfectly.

That’s definitely a problem with every bit of code, that everyone relies on stuff they don’t or can’t review.

My point is that FOSS provides a false sense of security (“Millions of people use this library. Someone will already have reviewed it.”).

But the bigger issue is that FOSS is massively underfunded. If OpenSSL was for-profit, it would be a corporate project with dozens if not hundreds of developers. Nobody would buy a piece of core security infrastructure from a self-employed dude working away in his basement. That would be ridiculous to even think about that. And if this standard component was for-profit, even very low license fees would generate huge amounts of revenue (because it’s used in so many places) and this would allow for more developers to be employed.

And since it would be an actual thing that companies would actually buy, they’d demand that third-party security audits of the software would be done, like on any paid-for software that companies use. They’d also demand some SLA contracts that would hold this fictional for-profit OpenSSL accountable for vulnerabilities.

But since it’s FOSS, nobody cares. Companies just use it, nobody donates. It’s for free, so the decision to use it usually doesn’t even go through procurement and anything related to it. I tried to get my old company to donate to OpenSSL in the wake of Heartbleed, and the company said they don’t have a process to donate to something, so can’t be done.

So everyone just uses this little project created by one solitary hero and nobody pays for it. And so that dude works alone in his basement, with literally the online security of the whole world resting on his shoulders.

Luckily after Heartbleed a lot of large corporations started to donate to OpenSSL, but there are hundreds of other equally important projects that still nobody cares about. As seen e.g. with the .xz near miss.

My former argument? You might be confusing who you are talking to, since you answered to my first post in this thread.

You also seem to remember leftPad wrong. What happened there was that someone made a tiny library that did nothing but to pad a string. Something so trivial that any programmer should be able to do that within a minute. But still tens of thousands of projects, even large and important libraries, would rather add a whole dependency just to save writing a line of code. In fact, in most dependency management systems it requires more characters to add that dependency than to write that oneliner yourself.

The issue with leftpad was that the maintainer of that “library” was angry for unrelated reasons and pulled all his libraries, which then broke thousands of projects and libraries because leftpad wasn’t available any more.

My point was that everyone just relies on upstream doing their stuff and hardly anyone bothers to check that the code they include is actually doing what it should. And everyone just hopes that someone else already did their job of reviewing upstream, because they can’t be bothered to do it themselves.

A better example though would be Heartbleed. OpenSSL is used in everything. It’s one of the core libraries for modern online communication. Everyone and their grandma used it, most distros, all the cloud providers and so on. Everyone has been making money using the security that OpenSSL provides. Yet OpenSSL was massively underfunded with only one permanent developer who was also underpaid for what he was doing. And apparently nobody thoroughly reviewed the OpenSSL code. Somehow in version 1.0.1 someone made a mistake and added the Heartbleed bug. Stuff like that happens, nobody’s perfect, and if there’s only one person working on this, mistakes are bound to happen.

And then this massive security vulnerability just stayed in there for over two years, allowing anyone to read out whatever’s in the memory of any server using OpenSSL. Because nobody of the billions of people using OpenSSL daily actually reviewed and analysed their code. Because “so many people use OpenSSL, someone surely already reviewed it”.

Or take Log4Shell. That’s a bug that was so trivial it was even documented behaviour. To find this, someone wouldn’t even have had to review the code, just reviewing the documentation of Log4J would have been enough. And still this one was in production code for 8 years. For a library that’s used in almost every Java program.

Nobody reviews upstream.

If upstream makes a mistake, that mistake is in the code. And then everyone just happily consumes what they get.

And upstream is often just a random library thanklessly maintained by some dude in their spare time.

Edit: Just to prove my point: Think of your last big FOSS project that you worked on. Can you list every single dependency and every single transient dependency that your project uses? For each of these dependencies, do you know who maintains it and how many people work on each of these dependencies? Do you know if everyone of these people is qualified and trustworthy enough to put reliable and secure code in your project? Or do you, like everyone else, just hope that someone else made sure it’s all good?

Are you sure?

All I’m saying is leftPad, if you still remember.

As a programmer I do not believe you when you claim that you read through all the code of all the libraries you include.

Especially with more hardcore dependencies (like OpenSSL), hardly anyone reads through that.

The ability to wake up the laptop from sleep.

Damn, do I regret going with Fedora. Anything newer than kernel 6.10 (which I salvaged from Fedora 39) and my laptop doesn’t wake up from sleep anymore.

But changing distros is a hassle and idiot me went with a single partition for system and data, so migrating to another distro requires me to actually backup everything, so I haven’t done it yet.

If you don’t root your Android you can even run a full desktop Linux in a proot container. You can run all Android apps and Linux apps on it. Using Winlator you can even run most Windows apps and there are emulators for most systems out there. If you cann that “barely anything” you are lacking imagination.

Apparently you haven’t used Chromebooks or MacOS, but you clearly misunderstand the topic at hand.

There’s always a balance between configurability and stability, and every single OS, even Windows, falls somewhere on that spectrum. If you allow a user to break their system, the downside is that they can break their system.

iOS, unrooted Android and ChromeOS fall on the “less ability to break your system”-side with Windows and MacOS following rather closely, and different Linux distros are on the full spectrum in between. Immutable distros make it harder to break yous system at the cost of immediate configurability, while running Arch you can do whatever you want and you’ll likely destroy your OS while doing so, if you don’t know what you are doing.

Again, all of that are choices done in user-space, nothing about that comes down to the kernel. You can make any Linux distro entirely unbreakable by taking away sudo rights for the current user and making every non-temporary directories and files read-only. You can do that in 10 minutes and suddenly there’s nothing the user can do to break the system. But the user also loses a lot of abilities. Again: all of that is user-space only and has nothing to do with the kernel.

And yes, there are enough stable and comprehendible Linux distros out there, but if the user has sudo rights and the constant and uncontrollable urge to destroy their system, they will find a way to do so.

Android runs an only slightly modified Linux kernel, and yet the OS requires much less from the user than e.g. Windows or MacOS.

Chromebooks run a bog-standard Linux kernel and the target audience is kids.

My car’s entertainment system runs a standard Linux kernel, and the UX is so cut down that PC expertise really doesn’t matter when using it.

MacOS and iOS, two systems known for their ease of use, both stem from BSD, which comes from Unix.

The kernel has nothing to do with this.

In fact, the only mainstream kernel used in user-facing operating systems that doesn’t “come from Unix” is Windows. Everything else is derived either from Linux or BSD, which both are derived from Unix.

There isn’t even a mainstream phone OS anymore that doesn’t “come from Unix”.