People arguing about making FOSS accessible to untrained users, and here I am like

What you are asking for is untrained users to be physicians, nurses, lawyers, forensic pathologists, and more. Those fields all have professional organizations which regulate and certify who is permitted to use those labels. Participation in those fields is *actively dangerous* to individuals' rights and well-being if unregulated.

Software engineering is exactly like that, especially as software is pervasive in medical technology, telecommunications, *electoral processes*, media availability & consumption, and more.

Untrained users *should not* and *must not* be expected to identify high-quality software, file trouble tickets with relevant information, figure out why the software is misbehaving, or any of the other tasks *trained professionals* perform on a daily basis.

Software engineering is a specialised skill. The idea that anyone can or should be able to pick it up is neoliberalism and capitalism at its best, because if anyone can do it, then clearly you don't need to pay someone who's been specifically trained to be an expert. So you end up with Therac-25, airports having to shut down operations due to software failures, and more.

Software engineers are involved in key social processes like assessing an inmate's risk factors for recidivism should they be released from prison, or whether an individual should even be hired based on 'personality' tests, CV scanning, and more.

@Aerdan @Shamar Therac-25 was developed by trained professionals, though

@a_breakin_glass @Shamar

I mean, yes, and people do make mistakes. However, the larger point is that *we didn't learn from incidents like that*. We still aren't—I bet you I can look at any four-year program for software engineering and not find a single course on ethics in programming, for instance.
@Shamar @z428 @a_breakin_glass

Our *lack* of elitism is why we have dozens of startups peddling insecure garbage with zero oversight.

Our *lack* of elitism is why we have people peddling algorithms for categorizing prison inmates or potential hires' fitness for work with zero oversight.

It is not elitism that generates a lack of social consciousness involved in those problems you identified, it is a lack of a professional organisation regulating the practice of programming for hire.

@Aerdan @a_breakin_glass @z428

It's exactly our elitism that causes all of this shit.

Imagine if all people were able to read, understand and modify the code of the software they use.

No startup could gain VC money with insecure garbage and zero oversight.

No judge would trust a neural network to categorize people.

Everybody would fully understand who tries to manipulate them through software or "because software works so".

@Shamar @z428 @a_breakin_glass

No VC firm would accept software written by someone who is not an accredited professional. Lawyers on both sides of any case would challenge expert testimony from someone who is not an accredited professional.

Accreditation exists to ensure that we have a class of trustworthy individuals to perform tasks that cannot safely be delegated to people who are not trained to perform those tasks.

I would not trust an internet detective to identify the cause of death of an individual, I would ask a forensic pathologist to do that. I would not trust an armchair lawyer to handle paperwork relating to a contract dispute, I would hire an *actual* lawyer. I would not hire my 15-year-old self to write a content management system plugin, I would hire an actual programmer.

This idea that we should trust random people blindly to write software used by millions of people every day is absurd and dangerous.
@Shamar @z428 @a_breakin_glass

"When everyone will be able to practice law (seriously, filling out legal forms doesn't count), ..."

"When everyone will be able to prescribe medication (seriously, CPR doesn't count), ..."
@Shamar @z428 @a_breakin_glass

People have to blindly trust all sorts of technology and professionals. Do you expect them to debug a broken faucet? A faulty light switch? A power outage?

Non-professionals can do those things, but most people would rather pay a professional to do it. For some reason, the same simply does not apply to programming, or IT in general.

@Aerdan @a_breakin_glass @z428 @Shamar

Yes. Probably several reasons. Reason number one: code doesn't take the same kind of cost around replication and transport that physical constructions do.

@jankoekepan @Shamar @z428 @a_breakin_glass

Sounds similar to a lawyer, then. There are professional organisations that certify lawyers to practice law. Almost as though we had an understanding that allowing amateurs to do it would be dangerous...
@Shamar @jankoekepan @z428 @a_breakin_glass

I don't think you understand what it takes to actually audit codebases. It's not nearly so simple as "okay, this function does X and Y"; you also have to identify how the function can fail, and what happens when it does. You cannot democratize a specialized skill.

@Aerdan @a_breakin_glass @z428 @Shamar

And in the world of spectre and rowhammer, how deep does that rabbit hole go?

@jankoekepan @Shamar @z428 @a_breakin_glass

You don't have to go *that* far when auditing a codebase, and hardware problems should be solved by hardware experts.

@Aerdan @a_breakin_glass @z428 @Shamar

OK, so you're proposing a professional credentialing system that empowers people with a special membership card to do a lightweight review and not sweat the details ...

But security in code depends upon every link in the chain being strong, not just some of them ...

So your credentialed experts will mostly give you a warm fuzzy feeling, not the guarantees that you claim to want.

Explain to me again exactly what the huge benefit is?

@jankoekepan @Shamar @z428 @a_breakin_glass @Aerdan We live in a highly over-credentialized and gatekept society. In the world of mainstream BS nothing moves without the proper credentials or the approval of some petty official.
@bob @jankoekepan @Shamar @z428 @a_breakin_glass @Aerdan cue the famous "specialization is for insects" quote from Heinlein
@jankoekepan @Shamar @z428 @a_breakin_glass

No, a 'lightweight review' is someone thinking just being able to read the code is sufficient for ensuring software quality.

A codebase auditor should be cognizant of the challenges posed by Spectre, Rowhammer, and so on, but not every codebase needs or should be expected to cope with those challenges—the operating system should provide an environment where a given program shouldn't need such hardening.

@Aerdan @a_breakin_glass @z428 @Shamar

You're still not answering what benefits your credentialing system would offer, given that you're already giving up on in-depth review.

@jankoekepan @Shamar @z428 @a_breakin_glass

Would it help you to know you're arguing with someone who wouldn't be credentialed by such an organization? :)

(I have zero desire to work professionally in software engineering, and would prefer to leave that to people who are competent to practice it. Unfortunately, there are a shitload of people who *aren't* competent to practice it but are permitted to anyway.)
@jankoekepan @Shamar @z428 @a_breakin_glass

I'm sorry that I don't have the answers you're looking for, but I have just explained to you why I don't. And I think it's bizarre that you seem to think this explanation is irrelevant when you're pressing me for details that *a group of professionals in the field for which an organisation might be useful* would be able to offer.

Might as well ask me to quantify the benefits to society that a board of medical examiners might offer. I know even less about forensic pathology than I do about programming.

@Aerdan @a_breakin_glass @z428 @Shamar

So to be clear: you're proposing a dictatorial solution to problems that you can't quantify, with well-known social problems that would emerge from it.

You may be surprised to learn that this is not a persuasive position.

@Aerdan @a_breakin_glass @z428 @Shamar @jankoekepan you have to be certified as a lawyer to practice law *on behalf of someone else*. Same with medicine.

We shouldn't trust software in critical applications that isn't vetted by certified professionals, but there is a lot of ground between your typical open source project and those critical applications that ought to be littered with those certified professionals.

I feel like this argument relies on that famous aphorism about "enough eyes", bugs, and shallowness. Which just plain isn't true the way most people interpret it.

@Shamar @Aerdan @a_breakin_glass @z428 @jankoekepan we need good editors for software, and we need standards for what is good code (or at least what is _bad_ code).

Not least, we need to train a bunch of people on proper programming grammar.

Most people get training in how to use their native language effectively for 10 or more years before they are let loose into the world.

If we could get that degree of training into programming, *then* we could probably trust the crowd more.

@Aerdan @a_breakin_glass @z428 @Shamar

And yet, we have dangerous, unaccredited people running around creating very useful software all the time.

What do you want to do, lock them up?

@jankoekepan @Shamar @z428 @a_breakin_glass

Actually, yes. Lock up everyone willfully producing and selling insecure IoT devices.

@Aerdan @a_breakin_glass @z428 @Shamar

That's an entirely different statement that has no bearing whatsoever on credentialing.

Moreover, it raises important questions: What is insecure? At what level can it be declared to be meaningfully secure? And what constitutes willfulness at this point?

Does a teenager putting a webcam online get to spend quality time with Bubba, Tiny and Thor?

@jankoekepan @Shamar @z428 @a_breakin_glass

I'm sorry, that was a bit flippant of me.

But let me offer an example.

My smartbulbs aren't connected to the internet. They have no reason to be, other than for them to be controlled by a smartphone app (which I don't use because my dimmer remote for the smartbulb can do something it doesn't: toggle light-emitting status without resetting brightness level).

They don't even use wifi, except for the gateway (which I never figured out how to put on wifi, not that that's even necessary since the gateway has ethernet). They pose *zero* threat to the internet.

By way of comparison, look at LIFX smartbulbs. They have on-board wifi and can only be interacted with over an IP-based network. You have to go out of your way to keep them off of the internet, even. (I bet the company wasn't aware of Zigbee when they set out to do these bulbs, or felt that there's no way they could be a threat to the internet.)

@Aerdan @a_breakin_glass @z428 @Shamar OK, so you've described a problem.

What you haven't described is how credentials would solve that problem. Or even ameliorate it. I work cheek by jowl with programmers with decades of experience, who are quite shaky on secure programming practice.

@jankoekepan @Shamar @z428 @a_breakin_glass

A professional organisation would have continuous learning requirements, and presumably they would identify individuals as being competent with security and secure programming. Moreover, a professional organisation represents a clearinghouse of expertise—I could ask such an organisation if the individual representing themselves as a software engineer actually is certified or not if I had reason to doubt it.

@Aerdan @a_breakin_glass @z428 @Shamar

It would also be a home to all the ills that we associate with such things: cronyism, nepotism, regulatory capture and rentseeking behaviour.

@jankoekepan @Shamar @z428 @a_breakin_glass

Organization has problems associated with organizing, shocker; more for you at eleven.

@Aerdan @a_breakin_glass @z428 @Shamar

OK, tell you what, I have an idea.

You go find a location somewhere that agrees with you.

I'll go live in a different location.

We'll see how it works out.