Hacker News: laughingbovine's comments

Love your tool. Use it all the time. Thanks!!


> Despite all of its shortcomings, Wikipedia has been a relatively successful model. It is decentralized with an army of volunteers that try to stick to reliable sources. It leverages the fact that honest participants greatly outnumber malicious ones.

Also probably because the honest participants have a good reputation.


Yeah but you can cache the packages or store them in some fashion. I've seen JAR files in git repos far too many times...

With security, you need some online service so you can find the new CVEs every day.


> With security, you need some online service so you can find the new CVEs every day.

Or you just do it manually if that service is down. It's weird to me that the argument for not having an automated, 3rd-party service is "if it goes down then you'll have to do things manually", when the alternative is "you always have to do it manually".

If you are comfortable trusting a third-party service to tell you when to upgrade, then that is absolutely an improvement over doing security updates manually. This is why I have unattended-upgrades set up on my Debian systems to automatically install updates from Debian Security every day. Sure, it may fail for whatever reason, but I am certainly not going to take the time to (or even remember to) update every day.


Yeah, honestly there's probably just a few libraries you're going to have to care about re: keeping up to date. Everything else can get updated opportunistically / on some cadence. Your exposed attack surface for most software is pretty much your TLS library and network stack. The more mature you become, the more of the attack surface you can try to track.

But basically if you just subscribe to a few projects' releases you can pretty easily get things pushed to you when it matters.


Oh I completely agree. I was referring to the parent saying that a third party is dictating what to build -- for security this is inevitable. For dependencies this can be solved by caching your .jars or whatever, but at some point you still always have a third party dictating what you're building.


It's scary having the CI/CD magically figure out what to do for you purely based on the files in your repo. I bet it would save a lot of time if you were actually able to use it for everything in your company. I'd rather write my own CI, which I do in Gitlab CI.


This is fantastic. Also not sure how my browser is not crashing. Well done!


It's Mastermind with letters... not original and not hard to implement. To monetize, the majority of work would be monetization stuff. That sounds like it wouldn't be fun.


Old man yells at cloud.


It's like a certificate of authenticity. If you buy a nice watch which comes with a piece of paper saying that Rolex made it, what's actually worth money here? The watch is worth the money, provided you can prove that it was made by Rolex and not a knockoff. Is the certificate of authenticity itself worth money? Ehh... sort of... but only if you have the watch it's authenticating. Who would buy the piece of paper alone?

What about if I can make infinite identical copies of the watch? Things stop making sense once there is no scarcity.


This is a strange argument. Are you saying that we should never raise minimum wage? It isn't even keeping up with inflation.

As for the history books, I recall we've raised the minimum wage in the past. The US still exists, so I guess the history books say it's ok?


It's not strange at all, you just didn't understand the point. Libertarian theory has all kinds of bizarre reasoning about human nature, which doesn't translate into the real world. History, on the other hand, does provide a guide to how large numbers of actual people have behaved in the past, when cast onto the scrap heap of life. Human nature doesn't change rapidly. I'm not taking your bait (never raise minimum wage), but it's important to be aware that, at the margin, increasing the cost of any business input will result in business attempting to substitute that input to the extent possible, i.e. fewer jobs.


We need at least 2 lens flares and a firework in order for it to be addictive. Maybe if the "new card smell" contained some nicotine?

