Date: Mon, 4 Dec 2017 14:02:41 -0500
From: Chad Larson
To: Caleb Herbert
Cc: Michael Pagan, libreplanet-discuss@libreplanet.org
Subject: Re: 7 Reasons to Avoid Open Source?

On Mon, Dec 04, 2017 at 09:06:10AM -0600, Caleb Herbert wrote:
> On Sun, 2017-12-03 at 21:12 -0500, Chad Larson wrote:
> > Merely using a VCS is not sufficient. Traceability requires identifying
> > individual persons responsible for determining requirements for the
> > code, establishing their competence to design and implement the code, and
> > demonstrating that the code implements the requirements correctly for each
> > product that uses the code. Industrial regulations require traceability
> > to determine which individual personally made which implementation
> > decisions and which individual tested and verified the results.
>
> Sounds like they want better documentation. Ask Red Hat.

That seems like an odd request, given that Red Hat's history of certified
products is limited to enterprise software running on x86_64 hosts, not
embedded systems. Red Hat has some products rated at EAL4, but the
traceability requirements for EAL4 are fairly weak compared to other
industry standards (or even EAL6). The other certifications they have
seem to have even weaker requirements (but I haven't fully reviewed
them all).

I don't know of any free-software projects currently offering a complete
traceability data set. I know of only two open-source projects (FreeRTOS
and OpenSafety) which offer traceability data at all--but in both cases
the data is only available under a separate non-free license.

> > Traceability is very expensive, in terms of both development cost and
> > liberty for the developers. If you think of it as a map to know who to
> > sue when things go badly wrong, you're not entirely wrong.
>
> Sounds like they want the benefits of a warranty. Ask Red Hat.

A warranty is necessary but not sufficient. If a project is demanding
traceability, they expect more from their suppliers than a mere offer
to refund the purchase price.

> Reminder: Department of Defense will use software without a warranty IF
> and ONLY IF it is free. Is some company more important than the DoD?

The DoD routinely pays egregious development and support costs that the
private sector will not. Does some company have deeper pockets than
the DoD?

> --
> Caleb Herbert
> OpenPGP public key: http://bluehome.net/csh/pubkey