Have been acquired/acquihired a few times. Some holding company you've never heard of but probably have spent quality alone time on their primary website. The distractedness of the executives is spot on. But it always seems to be in hindsight that we look back and go "huh, funny." I am sure we could write an inference bot that monitors the calendars of people in the organization and estimates that an acquisition is imminent.

And the security/bug fixing. "Yeah, that bug has been there for three years, nobody has time to fix it." Well, all of a sudden, we are fixing it. And the licensing of software and source code. Getting a full run down of every open source license, and I mean _every_ license, and then going back and checking them again.

I've also seen the ugly side of acquisition too. An equity claw back that happened to me many years ago that I am still sore about. Sudden acceleration of equity grants and a "re-interpretation of what 'it' means" or extreme scrutiny of whether you actually qualify for the equity in your contract. I've seen a few good people suddenly not get anything because there was a missing signature on a document even though the person had been at the company three years. Large amounts of acquisition money does strange things to people.

> For GPL-licensed code, you should provide the sources yourself. Generally, this can be solved by simply vendoring your dependencies (aka, commit them to the repository instead of fetching them for every build).
> Otherwise you will be left having to handle requests like "does anyone remember the exact contents of our product X, of version of ?"

There's no requirement for you to distribute those sources yourself unless you make modifications and make the software available for sale or download. Version 3 of the GPL simply states that "clear directions" on how to find the source code may be given.
Our product undergoes CVE scans before every release, and we ensure that all relevant CVEs are handled before we release. If a CVE is low-severity and isn't relevant to our use of the component (e.g. an information disclosure vulnerability in SASL authentication, but we don't use the library for authentication) then we make a note of that for our customers so they know that, while this CVE does exist and may show up in their own scans, it's not relevant to their use of our product. That said, we now have some customers who have extremely stringent security requirements, and for understandable reasons. They want every CVE resolved for every release; this is going to cause a notable amount of work to 'resolve' issues which aren't issues by taking developer time to update and test third-party libraries, or even patch the libraries ourselves if the upstream CVE hasn't been resolved yet. It's unquestionably worth doing if this is a dealbreaker for our customers, but could definitely impact things in the short term by requiring fixes which are technically unnecessary.

- startup doesn't have ability to hire competent, experienced developers. they end up with rookies with potential but not enough experience to avoid security foot-guns, and/or experienced expert-beginner developers who have a low level of ability
- leadership doesn't value quality or security, so the company culture reflects this and focuses on what leadership values
- startup outsources development work and has no in-house technical capability to check quality or security of deliverables
- startup is pre product-market fit in a domain where security is less relevant, and security issues are less of a risk to the business than the more existential concern around identifying and de-risking a scalable, profitable business model. then suddenly the throwaway proof of concept codebase for the 7th pivot starts getting traction, and by shovelling features on top it is possible to win more customers
First of all, who intentionally writes code to contain SQL injection vulnerabilities anno 2024?