Charge them, and make sure they understand why - they’re benefiting, and have been benefiting, from software developed at no cost to them. If they want anything, it needs to cost them; otherwise, …
There's going to be a lot more of this, as people in gov work out how tenuous their links to supply chain logistics behind software systems are. When shit hits the fan and you trace it back to libcurl, as a government employee you want to be able to show you at least tried to acknowledge the risk existed, no?
I love open source, I love free software. I do actually want my government to front up and acknowledge the risks in building systems to depend on it, and not understanding its precarious nature.
An example from nearly 20 years ago is the CMU SNMP library which was embedded in Cisco routers. Maaaaasive worldwide CVE risk which had to be ameliorated, all because of a rational free s/w inclusion. The code was already 10 years old at that point. I doubt anyone from CMU was in the loop.
I've also seen the other side: I wrote a 2-line patch to some free s/w and I had to invoke lawyers for a sign-off requested by the s/w org. We were happy, but it's not exactly zero-risk to accept inputs now, if you're in the business of giving code away.
Hello Department of Energy,
I cannot find that you are an existing customer of ours, so we cannot fulfill this request.
libcurl is a product we work on. It is open source and licensed under an MIT-like license in which the distribution and use conditions are clearly stated.
If you contact support@wolfssl.com we can remedy this oversight and can then arrange for all the paperwork and attestations you need.
Indeed. However this is also the result of "checkbox security". Someone at the DOE has a security compliance form with a list of checkboxes they must check, one of which reads something like: "dependencies are developed in accordance with M-26-34 procedures". They have some custom project created by some contractor (who may or may not be around anymore) that links to libcurl. Therefore, in order to "check the box" on their compliance form about their custom project, they have to find out if libcurl is developed in accordance with M-26-34, and an email such as this one is created and sent.
I’d also bet that this was handed off to a contractor with minimal room for discretion, like when you have an absurd discussion on the phone with someone at a large company and have to remember that they were given rules and are choosing the “don’t get fired” option.
This happens all the time in enterprise software too. Everybody is covering their ass at these places and nobody is "brave" enough to say anything directly, hence the wording of these reports/emails/assessments.