The useful/harmless spectrum
Ownership, Contingency:
O++ Public domain / MIT / Apache
O+ Copyleft
O We own it. But if we go under, you get the source code.
O- We own it. You get a license we can revoke any time.
O-- We own it. We don't sell it. You can only rent it.
!O You use our appliance / cloud service.
Source Code:
S++ The source code is public and you can change it
S+ The source code is public
S The source code leaked a while ago
S- We let your government view the source code
S-- The source code is secret
!S We lost the source code
Intent, Confidence:
I+++ I make actual guarantees
I++ I have done this multiple times before. I know what I'm doing
I+ I had to adapt the design a bit over time
I I tried to avoid security bugs while writing this
I- Look, they paid me to do this
I-- The guy left. Code now maintained by team on Sol3
!I I have no idea what I'm doing
Correctness:
C+++ We have a correctness proof and you can understand/verify it
C++ We have a correctness proof
C+ No open bugs, 100% test coverage and we do regular code audits
C We try to fix bugs that our users tell us about
C- We have a bug backlog (bugwave)
C-- At some point we are planning to have a bug tracking system
!C That's not really a bug, that's just a crash!
Engineering, Design:
E+++ Least Privilege, Privilege Separation, TCB (trusted computing base) minimized
E++ We sandbox ourselves away so nothing bad can happen
E We try to detect bad arguments
E- Well... we fix bugs. That's good, right?
E-- We just do what we are told. You call us wrong, that's on you!
E--- We run as root / in the kernel
E---- We sell it as an application so you don\'t see how bad it is
!E We do a daily AI malware scan of our blockchain
Maintenance:
M! Author is Don Knuth / Dan Bernstein, makes no mistakes
M+ Project is feature-complete, gets occasional security updates
M Project gets updated regularly
M- People send pull requests / patches to mailing list
M-- Vendor publishes quarterly patch roundup with 512 fixes each
M--- Author killed project. Unofficial forks / backups still around
!M Author left / dead, project abandoned
Volatility:
V! Software is perfect, needed no update since 1993
V++ Like V+ but has a way to notify you of new versions
V+ Regular patches and updates but you can't tell the difference
V- Updating is such a hassle that backporting patches is a thing
V-- The new version broke so much, most people use the old one
V--- Agile. 5 updates/day, half of them break production
!V Support ended
Protocol / Spec:
PS++ The spec is public, short and precise
PS The spec is OK but interoperability is a bitch
PS- The spec is too large, nobody implements all of it
PS-- The spec cannot be implemented securely
PS--- There is a spec but it's paywalled
!PS The author made it up as he went
Dependencies:
D! No dependencies. You boot our image directly.
D++ We depend only on things that come with the system/distribution
D+ We depend on ... see build requirements
D We use somebody\'s Docker image from the internet
D- We don\'t even have a list of dependencies
D-- We load extensions dynamically from the internet (without knowing what is needed overall)
D--- Uses vendor specific lock-in APIs/features