The provenance of the SBOM is important. If you can't say "I made this" in reference to the SBOM then it's pretty much worthless.
Or, flip the script, if you're concerned enough about supply chain security to mandate an SBOM, you probably don't trust the supplier anyway.
There's the "but I signed it" crowd, but the wheels fall off when they've signed compromised artifacts too.
I just don't see a scenario where an SBOM that cannot be inspected and verified would be useful. If you have the infrastructure to do it, you're generating SBOMs anyway.
CVEs are very important, of course, especially nowadays, but...
Many licenses, such as the MIT license, are very open. All you have to do is include the license text and the names of the software creators, because they want attribution. In other words, it really is about who made what, even with some of the most open licenses.
Licenses matter, a lot. After all, some licenses are share-alike/viral: if you "use" code with such a license, your code might inherit that license. (I put "use" in scare quotes because this is where the lawyers get involved. It depends how exactly you use the code.)
To put it another way - PIT runs your unit tests against automatically modified versions of your application code. When the application code changes, it should produce different results and cause the unit tests to fail. If a unit test does not fail in this situation, it may indicate an issue with the test suite.
Laptop reseller Malibal who boasts laptops with Linux support has picked a fight with the coreboot project and blacklisted several countries and US states from receiving their laptops.
Oh no! What will we ever do? haha. So Malibal tried to use free software, couldn't do it themselves, tried to get someone else to do it for cheap, and complains while not even paying anybody. Sounds like a cheap company that will cut corners at every turn (pun intended).
> We determined that the rollout of a fix for an older bug report pertaining to Slackbot responses not working in org-wide or multi-workspace channels, was the root cause.
I'm not trying to be paranoid here but I work for a very large company. We got slackbot responses that looked a lot like phishing URLs. We got slackbot responses with broken English, and emojis we never use. I find it very hard to believe that this wasn't a security incident.
You did the correct thing. The PIP is to cover their butt that you really were a bad employee and you were not wrongfully terminated. The laws vary wildly state-to-state but generally if you're PIP'ed out you can't claim unemployment or wrongful termination.
> Good employees? It's literally gaslighting people. One day they're pulled aside and told they're not performing well enough and given a PIP. The PIP usually isn't designed to help them get performance up - it's creating a paper trail to manage them out.
Exactly this. The PIP process also protects the company from wrongful termination suits and oftentimes serves as evidence against paying out unemployment claims. Rightly or wrongly applied, telling employees that they're underperforming solely serves as creating a paper trail to push someone out.
> So the employer has a financial incentive program to encourage people to stay in the organization long term
That's not correct. The financial incentive program of vesting is designed to keep the cost of actually paying people down, plain and simple. If you're interviewing, I would encourage you to pretend the stock compensation doesn't exist. I've had offers of $60k actual cash with $300k stock with a five year cliff and my next question is always "what's the average tenure here?" If they look uncomfortable, I know they know it's a golden poison pill.
Consider the fact that Amazon, for instance, won't let you pay for EC2 instances in stock options at your company. They darn well know what they're doing.
Do you mean a five year vesting schedule or a five year cliff before you start vesting? The former is... bad, but I don't think I've seen the latter. That's just... no, absolutely not.
The mechanism I'm trying to describe is when employers pay a base in X dollars and stock in Y dollars which takes Z years to mature. AWS sounds like they're being somewhat reasonable about it by giving an employee cash before their options mature, but I have interviewed at places (Envestnet in New York City) where I was offered a base comp which was meh and then options which were gonzo. The offer, if I remember correctly, was $105k/y base and then $100k/y in stock which took three years to vest. I passed on the offer because $105k/y in NYC was cutting it too close for me. They did not have a "cash float" mechanism.
Everyone seems to be fixated on the idea that the API should be free and no-one seems to be mentioning that there are some very successful business models built around charging people for access to content which the parent company didn't generate. LexisNexis, for legal searches, Elsevier for scientific papers, Facebook, for random graph searches (and occasional political data scraping), Twitter, etc.
It feels scummy to me too to take something free and charge people for it, but it's also not this unique thing people seem to be screaming about. Just go somewhere else if the API is that important to you. (Like hackernews). :)
LexisNexis does not just "charge people access to content which the parent company didn't generate". I could access most legislation through the government legislation website that shows the current version of every piece of legislation. I could piece together legislative history by looking through all the various amendments over the years compared to the originally enacted Acts. OR, I could look at LexisNexis, who have done all that work already and also have notes for pretty much every provision linking all that data together with academic and judicial commentary, major cases on those provisions, etc.
Similarly, I can look up unreported senior courts cases on the 'Judicial Decisions Online' section of the courts of New Zealand website, for free. But what about the notes written by experienced barristers in the law reports? What about the database cataloguing every judgment that has referred to every other judgment, giving an indication of whether the judgment is still good law?
It seems very popular these days to crap on businesses like LexisNexis and it does sometimes feel like they're taking the mickey given their prices and the terrible web interface to their databases. The fact you can't even 'open in new tab' properly is infuriating. But they're not just selling access to something that ought to be free, as many people seem to like to claim. They provide a lot more than just the raw judgments and statutes.