Wow. I had not expected that quick of a reaction with such a long email :)
> Call me a pessimist but I highly doubt your commercial users are going to
> be willing to shoulder any cost associated with auditing the software, nor
> do I think it would be looked upon favorably by most to even suggest it.
>
>
I am right now discussing this very issue with one of our commercial users
(the one from issue 2) and I think I managed to at least (by being a little
assertive or even a bit pushy to be honest - that was a bit of an
experiment) to spark a conversation about that. The user (turns out -
consulting project with a "big commercial entity") who wanted to answer,
now at least routed our "we are not sure but here is the issue and you can
help by contributing" to the product manager of the "big commercial entity".
I understand being pessimist or optimist here matters. But I personally
think it does not matter what the situation is now, it's more about how we
shape the future. I believe by our actions, transparent communication of
our expectations and involving "big users" and "3rd-parties" - for example
Lars's company - we can absolutely influence how the future of those
relations will look like. Nobody (except regulations) can FORCE us to give
authoritative answers for 3rd-party libraries. And we always have the
option to answer not "yes" or "no" but "maybe, but you can help to move the
needle in the yes/no direction if you need it". This is IMHO what the whole
Open-Source business should be doing right now before the regulations are
in effect - start educating the commercial users of ours that "knowing if
you are vulnerable from 3rd-parties" is not part of the "free lunch" of the
OSS. They got used to getting everything for free in OSS, but in fact we
(and even the OSS as a movement) NEVER promised everything around the
software will be free. The software itself is free, but are services around
that free ? Not at all. Companies pay a lot of money for "managed version
of XXX". Why should not they pay for "security certainty for all the
3rd-party components". We have not promised that. It's not part of the deal
or the licence they have from us. I don't think we should pay for it, they
should.
Generally security is not a 0/1 business - it's always about taking
calculated risk (you can never protect 100% - there is always uncertainty
and risk that you overlooked something). The big question here is what risk
it is and whose responsibility it is to take the risk. Having
authoritative answers from the ASF / PMC means that we are taking the risk.
Or we pay the cost (and we have basically no money to do so - just
volunteers) for decreasing the risk by making deeper analysis. So my quest
is really how to turn it into a situation that those who have money will
pay effectively in case we are not able to quickly assess that risk is
really low.
I personally think that having such information ("we know about CVE-XXX and
invite our commercial users to get more certainty") will make it much more
transparent, open and inviting for commercial users. Also it will allow
multiple users of ours to band together - and for example via some
3rd-party companies and services put the money to a common "pot" that those
3rd-parties might use to pay for investing (either in audit or fixing such
bugs). For me it would be an ideal situation and this is something I am
looking for feedback on. I know it's early and probably not something easy
to act on (going through product managers etc.),. This for example would
make a great business case for companies like Lars' . They could say "here
is the issue that needs attention, PMC says it is something that someone
should pay for - so let's collect some money from the interested users and
fund the work". For me this is a fantastic opportunity for us to make it a
viable business, get more funding into the OSS and educate our users that
"OSS is free software. And that's it. Generally you need to pay for things
around the software if you expect more than just software". And to fund
individual contributors / experts who might be engaged (and paid for) to
spend their time on fixing the issues. EVERYONE IS HAPPY. Unicorns and
rainbows.
Of course we cannot endorse companies like Lars' - we cannot say "go to
this company to get it fixed". But we can say "Here are the things you
should look for" and then let companies like Lars' to do all the marketing,
setting up business relationships, collecting money and funneling them to
multiple projects (finding and funding the right people to work on the
issues) - generally making sure that the money find their way to things
that need the attention (and money) of commercial users (and of course take
their cut, which will make it a viable business model). The more I think
about it - the more obvious it is that it SHOULD be done this way.
> From the legal side of things, this is covered in the Apache license. Use
> of software under the ASL section 8 Limitation of Liability (in short form)
> states "use at your own risk". If there is a known vulnerability in a
> dependency, as you mention in the second case, but you don't think it
> creates an issue, your first statement seems to hit most of what needs to
> be said. "We are aware of the CVE-2023-46136 vulnerability in Werkzeug. We
> currently have no reports with scenarios exploiting it and we believe it is
> unlikely it affects Airflow." For your commercial uses, have a more
> detailed statement as to why it is unlikely to cause an issue. I'm not a
> programmer but issue 2 appears to be a stack overflow issue but requires
> outside input to cause the overflow. If the dependency is protected and
> never receives data input from outside that particular module, stating
> something to that effect might be all that is required.
>
Yes. And I think we should do more of it. I think as engineers and
organisations we have really big difficulty in saying "I do not know, but
if you pay, we might be able to find out". This happens all the time and
it's often the case that people expect clear answers from "experts". But
REAL EXPERTS always know when to say "As an expert, I do not know for sure
- but if you pay for my time, I might actually even find out". I run a
software house for many years and "Estimating the project" was something
our customers always wanted to get for free often saying "Well, you are the
experts, you should know" - but we spent a lot of time and effort educating
our users (and it worked in many cases) that they have to pay - for POC, or
workshops with them to get more educated answers. And it worked even with
big customers. And to be perfectly honest - we are in a MUCH better
situation in our relationship with our commercial users. They might push us
to get answers, but they cannot FORCE US. We can be very assertive. They
cannot really (usually) go to competition. There is no-one else to go to.
They have no choice but to listen to us and if we have a viable proposal
that is good for everyone, this is a very fair game. If we tell them - here
is the way how you can deal with it - by investing into fixing an issue ,
they will have no choice but to comply. And it's a great business
opportunity for 3rd-parties to make business out of that to make it easier
for them to put the money to solve many of those problems.
> Software is potentially always 'hackable' by unknown exploits. There is no
> such thing as being 100% certain that a given program is and always will be
> secure.
>
Absolutely. This is all a "continuum of risk game" and we cannot let it be
turned into a 0/1 game where all the risk and cost is put on us.
J.
