Dailydave mailing list archives

SBOMs and Jellyfish


From: Dave Aitel via Dailydave <dailydave () lists aitelfoundation org>
Date: Fri, 22 Apr 2022 09:32:06 -0400

The most annoying thing with talking to computer scientists about anything
is they will look at any problem that remotely touches software and ask you
"Is that the right data structure? Are you ... sure?"

Like, this is what happens to every programming language - it's why you get
NaN or an empty list for any given arbitrary code fragment in JavaScript.
People had a normal data structure, say a dictionary, and were like "What
if we OPTIMIZED IT for all the common situations?" And so now a Dictionary
is like a hybrid "Dictionary-List-Cache-Semi-Ordered-ViewMap" and it
changes everything about how it operates according to some internal
heuristic only some ancient and primal god of mischief could understand.

So when someone asks me why, in certain cases, my program returns weird
results right now, the REAL answer is, "Some computer scientist took what
could have been a perfectly good data structure, and gave it performance
anxiety". But project managers hate that answer. So instead they get to
hear about graph databases.

This brings me to two important and closely linked subjects: SBOM, and
venomous jellyfish.

As the mighty Halvar Flake once probably said to himself, "I can take any
hideously boring problem, and turn it into a fascinating and only a bit
unsolvable graph algorithm solution!" And this is where SBOMs currently
live.

Software is amazing, and people in cyber policy like to think of it as if
it were a book or long journal article, and you can take a snapshot of it,
and send it to your friend Bob with a version number 1.0 on it and Track
Changes and then they send it back with a version number 1.1 or
1.0-BobEdits and that's that.

But that is only what Loki, the god of lies, wants you to think.
Environment is a huge part of the equation! You can go to your local pond,
and get a carnivorous tadpole, an angry little hungry frog baby with a
giant beak that eats other frog babies, and show it to a biologist and ask
them the species, and they will tell you Spadefoot, and then find one
eating plants in the corner, just a cute little guy, and the biologist will
also tell you Spadefoot, and when you look at them confused they will shrug
and mumble something about phenotypic plasticity which is clearly a bunch
of words they made up to sound cool.

It is so with software. What software are we running? Well, the description
of software is rarely smaller than the software itself. It is usually much
bigger.

An SBOM could be described as a nested manifest of metadata about software.
But if you say that to a computer scientist you found drowsing on the beach
they will perk up like an evil sea otter who has spotted a bivalve and say
"Wait, are you sure about that data structure? Is it truly a directed
acyclic TREE structure, or is it more a ..." an awkwardly long pause will
ensue as they struggle to control their emotions "...graph?" At this point
you will realize you've made a mistake.

If you somehow manage to escape by diverting the topic into something about
eagles and Mordor, you can go on your merry way, building and selling tools
that work on Trees and only Trees. You will be arboreal, but rich. And then
someday someone will deliver a copy of Nature to your yacht by mistake,
which by this point will be the only way to traverse most of the East
coast, and you'll read about Jellyfish, or, as the biologists will haughtily
inform you, they are now simply called "Jellies". (The less money a scientist
makes, the more haughty and good looking.)

But because you are a "learned person" you will read this article
<https://www.nature.com/articles/news.2008.1134> about jellyfish and they
will let you know about horizontal gene transference, which breaks every
idea you had about how evolution worked. But it also might remind you about
backporting and cherry-picking and a lot of crazy stuff that happens in the
software world. So you might boat over to where that computer scientist
was, and ask them maybe if they can port all your Tree-working code to
Graph-working code.

And then, unfortunately for you, the story gets dark.

-dave
_______________________________________________
Dailydave mailing list -- dailydave () lists aitelfoundation org
To unsubscribe send an email to dailydave-leave () lists aitelfoundation org
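Added example (editor's illustration, not code from Dave's post or from any SBOM project): a toy SBOM held as a graph rather than a tree, showing the two things the post gestures at. First, a diamond dependency (two parents sharing one component) makes a tree walk visit the same component several times, and a cycle makes it never terminate, while a graph walk with a visited set handles both; and the question people actually ask an SBOM ("what ships the bad component?") is reachability over the reversed edges. Second, once a build carries a backported or cherry-picked patch, name plus version no longer identifies the code. The field names (`bom-ref`, `dependencies`/`dependsOn`, `pedigree.patches`) are borrowed loosely from CycloneDX; the component data and the cyclic variant are constructed for this example and do not describe any real package.

```python
"""
Constructed toy SBOM (CycloneDX-flavoured field names; not a real document).
Four components, a diamond (app and libcurl both pull in openssl; libcurl and
openssl both pull in zlib) and one component carrying a backported patch.
"""
from collections import defaultdict, deque

SBOM = {
    "components": [
        {"bom-ref": "app@1.0", "name": "app", "version": "1.0"},
        {"bom-ref": "libcurl@7.80.0", "name": "libcurl", "version": "7.80.0"},
        {"bom-ref": "openssl@1.1.1k-distro3", "name": "openssl", "version": "1.1.1k",
         # Hypothetical distro build: upstream 1.1.1k plus a cherry-picked
         # fix. The version string alone does not describe the code.
         "pedigree": {"patches": [{"type": "backport"}]}},
        {"bom-ref": "zlib@1.2.11", "name": "zlib", "version": "1.2.11"},
    ],
    "dependencies": [
        {"ref": "app@1.0", "dependsOn": ["libcurl@7.80.0", "openssl@1.1.1k-distro3"]},
        {"ref": "libcurl@7.80.0", "dependsOn": ["zlib@1.2.11", "openssl@1.1.1k-distro3"]},
        {"ref": "openssl@1.1.1k-distro3", "dependsOn": ["zlib@1.2.11"]},
        {"ref": "zlib@1.2.11", "dependsOn": []},
    ],
}

# Constructed cyclic variant (hypothetical): zlib's tree vendors a copy of app.
CYCLIC = {
    "components": SBOM["components"],
    "dependencies": SBOM["dependencies"][:-1]
    + [{"ref": "zlib@1.2.11", "dependsOn": ["app@1.0"]}],
}


def edges(sbom):
    """Adjacency list ref -> [ref] built from the dependencies section."""
    adj = defaultdict(list)
    for d in sbom["dependencies"]:
        adj[d["ref"]].extend(d.get("dependsOn", []))
    return adj


def tree_walk(sbom, root):
    """Walk as if the SBOM were a tree: no visited set, every branch re-expanded.
    Shared components are visited once per path, and a cycle would never
    terminate, so bail out once the path is longer than the component count."""
    adj = edges(sbom)
    limit = len(sbom["components"])
    visits = []

    def go(ref, depth):
        if depth > limit:
            raise ValueError(f"not a tree: cycle through {ref}")
        visits.append(ref)
        for child in adj[ref]:
            go(child, depth + 1)

    go(root, 0)
    return visits


def graph_walk(sbom, root):
    """Same reachability treated as a graph: BFS with a visited set, each
    component exactly once, cycles or not."""
    adj = edges(sbom)
    seen, order, q = {root}, [], deque([root])
    while q:
        ref = q.popleft()
        order.append(ref)
        for child in adj[ref]:
            if child not in seen:
                seen.add(child)
                q.append(child)
    return order


def affected_by(sbom, ref):
    """If this component is bad, what ships it? Reachability over the reversed
    edges; a tree only answers this for one parent at a time."""
    rev = defaultdict(list)
    for parent, children in edges(sbom).items():
        for c in children:
            rev[c].append(parent)
    seen, q = set(), deque([ref])
    while q:
        cur = q.popleft()
        for p in rev[cur]:
            if p not in seen:
                seen.add(p)
                q.append(p)
    return seen


def code_identity(component):
    """Name + version plus the pedigree: the tuple that actually identifies
    the code once patches have been backported or cherry-picked."""
    patches = component.get("pedigree", {}).get("patches", [])
    return (component["name"], component["version"],
            tuple(sorted(p["type"] for p in patches)))


def same_code_as_upstream(sbom, name, version):
    """For every component a version-only match would call 'upstream name@version',
    report whether it really is unpatched upstream code."""
    return {c["bom-ref"]: code_identity(c)[2] == ()
            for c in sbom["components"]
            if c["name"] == name and c["version"] == version}


if __name__ == "__main__":
    print("tree visits:", len(tree_walk(SBOM, "app@1.0")),
          "graph visits:", len(graph_walk(SBOM, "app@1.0")))
    print("ships zlib:", sorted(affected_by(SBOM, "zlib@1.2.11")))
    print("openssl 1.1.1k is upstream?", same_code_as_upstream(SBOM, "openssl", "1.1.1k"))
```

The tree walk visits seven nodes for four components and refuses the cyclic variant outright; the graph walk visits each of the four once in both. Any tooling that counts, diffs or matches SBOM entries by walking a nested manifest will overcount shared components in exactly this way, and a version-only match will report the patched openssl build as identical to upstream.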
