> So, we don't need an electrical code to enforce correct wiring.
For an analogy to work, its underlying elements should have a relation to the target. Your analogy is not in the same universe. For electrical work, there is a baseline of materials and practices which is known to produce acceptable results if adhered to. For software, there isn't. (Don't tell me about the Space Shuttle. Consumer software doesn't cost tens of millions and isn't written with dedicated teams over the decades.)
The analogy does work. The house is any software provided by any vendor. The kind strangers are white hat security researchers. The people living in the house are the users.
Software absolutely has baseline materials, have you never written software before? Never used a library? Programming language? API? Protocol? Data format or specification? CPU instruction? Sorting algorithm? A standard material is just a material tested to meet a standard. A 10d nail is a 10d nail if it meets the testing specs for 10d nails (ASTM F1667). Software can be tested against a spec. It's not rocket surgery.
No known practices with acceptable results?? Ever heard of OWASP? SBOMs? Artifact management? OIDC? RBAC? Automated security scanning? Version control? Code signing? Provenance? Profiling? Static code analysis? Strict types? Formal proofs? Automated testing? Fuzzing? Strict programming guidelines (ex. NASA/DOD/MISRA/AUTOSAR)? These are things professionals know about and use when they want standard acceptable results.
What are you talking about re: space shuttle and tens of millions? Have you actually read the coding standards for Air Force or NASA? They're simple, common-sense guidelines that any seasoned programmer would agree are good to follow if you want reliability.
I think the problem here is there's too many armchair experts saying "Can't be done" when they don't know what they're talking about, or jaded old fogeys who were on some horrible government project and decided anything done with rigor will be terrible. That's not the way it is in the trades, in medicine, in law, and those folks actually have more to think about than software engineers, and more restrictions. I think SWEs are just trying to get out of doing work and claiming it's too difficult, and the industry doesn't want to stop the free ride of lack of accountability it's had for decades.
AI is going to introduce 100x more security holes than before, so something will have to be done to improve security and reliability. We need to stop screwing around and create the software building code, before the government does it for us.
> What are you talking about re: space shuttle and tens of millions?
GP was almost certainly referring to "They Write the Right Stuff," an old article that is pretty well known in spaces like this. It discusses a process that (a) works extremely well (the engine control software was ~420 kLoC with a total of 17 bugs found in a window of 11 versions) and (b) is extremely expensive (the on-board shuttle software group had a budget of ~35 million per year in mid-90s dollars).
> The analogy does work. The house is any software provided by any vendor.
Even before we start, you immediately have a problem. When a house is built, the thing to be inspected is built in the jurisdiction requiring the inspection.
If you have some code being written in China or India and some US jurisdiction wants to require the sort of programming practices you're suggesting, is the US going to send inspectors to other countries? How do they even validate that the processes are being followed either way? And what are you proposing to do with all the existing code that was written in the past? Requiring the company to have a checklist included in their book of procedures that nobody is actually following doesn't solve anything.
The way this nominally works for building inspections is that the inspector waits until after the work is done and then inspects the work, but that's a validation of the result rather than the procedures. The equivalent for code is an audit, which is dramatically more labor intensive for the government than sending someone to have a quick look to see if the wires appear to be hooked up right, if you expect it to actually do anything.
> I think the problem here is there's too many armchair experts saying "Can't be done" when they don't know what they're talking about
There are too many armchair experts saying "if they can land a man on the moon then surely they can land a man on the sun."
> That's not the way it is in the trades, in medicine, in law, and those folks actually have more to think about than software engineers, and more restrictions
First notice that you're listing all the professions where costs are out of control and the incumbents have captured the regulators to limit supply.
On top of that, those regulations are not even effective in solving the analogous problem. For example, the ethical requirements for lawyers nominally require them to do the thing public defenders aren't provided with the ability to do, i.e. spend enough time on the case to give the client adequate representation. Public defenders are given more clients by the state than they have the resources to actually represent. Quite unsurprisingly, this utterly fails to solve the problem of indigent defendants not having adequate representation.
But that's the thing most analogous to what you're proposing. If you nominally require companies to do something they otherwise have no real incentive to do, which you have no efficient way of verifying that they've done, and provide them no additional resources to do it, you can't expect "they will now do it well" to be the result.
> I think SWEs are just trying to get out of doing work and claiming it's too difficult, and the industry doesn't want to stop the free ride of lack of accountability it's had for decades.
What makes you think the software developers are the ones objecting to it? They, and the incumbent companies trying to raise costs on smaller upstarts, are the ones trying to establish a new racket and exclude newcomers from the industry. The ones objecting are the customers, and anyone who values efficiency and efficacy.
> We need to stop screwing around and create the software building code, before the government does it for us.
"We need to stop screwing around and create the Torment Nexus, before the government does it for us."
I mean this is still a semi-bs response on your case, even if you don't realize it.
Many of these devices have security flaws that are horrific and out of best practices by over a decade.
Just having something like "Have a bonded 3rd party security team review the source code and running router software" would solve around 95% of the stupid things they do.
> Just having something like "Have a bonded 3rd party security team review the source code and running router software" would solve around 95% of the stupid things they do.
It would certainly help, but no economically feasible amount of auditing and best practices could lead to having a warranty on that software. My thesis is that our current understanding of software is fundamentally weaker than that of practical applications of electricity, so it makes no sense to present analogies between the two.
> With network protocols, you make one layer (Ethernet), you add another layer (IP), then another (TCP), then another (HTTP). Each one fits inside the last, but is independent, and you can deal with them separately or together.
It looks neat when you illustrate it with stacked boxes or concentric circles, but real-world problems quickly show the ugly seams. For example, how do you handle encryption? There are arguments (and solutions!) for every layer, each with its own tradeoffs. But it can't be neatly slotted into the layered structure once and for all. Then you have things like session persistence, network mobility, you name it.
Data formats have other sets of tradeoffs pulling them in different directions, but I don't think that layered design would come near to solving any of them.
Qt costs serious money if you go commercial. That might not be important for a hobby project, but lowers the enthusiasm for using the stack since the big players won't use it unless other considerations compel them.
Depends on the modules and features you use, or where you're deploying, otherwise it's free if you can adhere to the LGPL. Just make it so users can drop in their own Qt libs.
QT only costs money if you want access to their custom tooling or insist on static linking. We're comparing to electron here. Why do you need to static link? And why can't you write QML in your text editor of choice and get on with life?
Some widgets and modules, like Qt Charts (or Graphs, I forget), are dual GPL and commercially licensed, so it's a bit more complicated than that. You also need a commercial license for automotive and embedded deployments.
> You generally can't adhere to the LGPL in automotive
"Can't" or "won't"?
The UI process is not usually the part that need certification.
> Slint has a similar license
Indeed, but Slint's open source license is the GPL and not the LGPL. And its more permissive license is made for desktop apps and explicitly forbid embedded (so automotive)
> [The same timezone in Poland and Spain] sounds like an unnecessary EU standardization.
Well, if you look up the histories of the time zones in the respective countries ("Time in Poland" and "Time in Spain" on Wikipedia, I have no reason to doubt their accuracy) you'll see that both settled on CET, with or without daylight savings, long before the EU was even an idea.
> I was careful to say "Good code still has a cost" and "delivering good code remains significantly more expensive than [free]" rather than the more aesthetically pleasing "Good code is expensive.
Which is nuance that will get overlooked or waved away by upper management who see the cost of hiring developers, know that developers "write code", and can compare the developer salary with a Claude/Codex/whatever subscription. If the correction comes, it will be late and at the expense of rank and file, as usual. (And don't be naive: if an LLM subscription can let you employ fewer developers, that subscription plus offshore developers will enable even more cost saving. The name of the game is cost saving, and has been for a long time.)
Sure, but clueless leadership is not a new thing. While big companies with structural moats can shamble along with a surprising amount of dysfunction (which is why they tolerate so many muppets in middle management), even they rely on some baseline of system integrity that will erode pretty quickly if they let go of the people who know how things work.
Don’t get me wrong, I think SWE headcounts will reduce over time, but the mechanism will be teams that know how to leverage AI effectively will dominate ones who don’t. This takes more market cycles though, and it’s even hard to nail down the specifics of these skills with the speed agentic coding tools are currently evolving. My advice is make yourself part of the second group, and worry less about bad management decisions that are inevitable.
> we invented this new thing called fire [...] So the tribe leader (who, by the way, gropes your children) proposed a solution: centralize control of all the fire
Of all the things, a "save-the-children prolegomena to the Prometheus myth" certainly wasn't on my bingo card today. So thank you for that, but I'm not aware of any reports of fire-keeping in the way you've described. Societies and religions do have sacred traditions related to fire (like Zoroastrians) but that doesn't come with restrictions on practical use AFAIK.
I'll spell it out for you since you can't read between the lines. It's not actually about fire-keeping in tribes to protect children. It's about certain people (governments, corporations, organizations) wanting control over the Internet and everyone's digital communications. They don't want a free marketplace of ideas and uncensored channels of communication because their propaganda narratives would not survive.
The tribe leader refers to certain rich and powerful folks that have infiltrated governments and are running some of the largest businesses.
The fire refers to instant communication over the Internet. This relatively new technology has the potential to paralyze old power structures and reshape civilization. It's understandable why governments et al are panicking. They know their authority will wane under global free speech unless they do something.
It's in the library you're using, and you're not using all of it. I've had that exact situation: a dependency was vulnerable in a very specific set of circumstances which never occurred in my usage, but it got flagged by Dependabot and I received a couple of unnecessary issues.
> Yes, you configured an LDAP server using it's own protocol. It was not good.
It's still possible to configure OpenLDAP via the slapd.conf file. The old roadmap called for ditching configuration file support in 2.5 IIRC, but it proved hugely unpopular so the file works to this day. The new configuration style is mainly useful for live updating of access rules and indexing.
reply