OSS/Homebrew and Remotely managed laptops - a discussion
Posted by chikamakaleyley@reddit | ExperiencedDevs | 14 comments
I've worked in a few places where our product/services involve PII/HIPAA and obviously, your best bet is to stick with approved software; and when in doubt, you should check w/ the appropriate team
But with homebrew (if MacOS) and tools/features available as OSS, I feel like:
* this gives us as Experienced Devs a little more flexibility to tailor our development tools how we know best
* a lot of these tools we've used for several years, knowing it's never been an issue, and we could do without them (more or less) and just settle for the shittier, approved org-wide options
So when I start a new job and set up a new machine, my mentality is pretty much like, "well, they can see everything I'm installing and at worst they'll either just uninstall it and let me know, or, slap on the wrist."
And so, the decision to just go ahead and set it up (after skimming through your company's developer setup guidelines, of course heheh) is just a faster path to contributing rather than having to ask for approval. Sometimes you have to chase people around, you don't get immediate answers, often in the 'new-hires' channels you get a lot of "I dunno"s... and really I just wanna get going.
But all of this is a guess, and I'm curious what it looks like on the side that administrates this - cuz I feel like those folks are users of these tools as well.
So one example is I joined a pretty big fintech and they had all these available licenses for all the typical IDEs; at the time I had become quite proficient with my Neovim installation and after discovering there wasn't really anything that explicitly said "No" (in reality very little info at all) I just said F it, and set it up.
And really there were a number of hints I took which made me feel safe with this decision (there's a 'Vim users' slack channel, there are a few historical mentions of it in docs, but updated a yr ago).
I just can't imagine places that would require FULL approval and nitpick little useful utilities like zoxide, eza, tldr; but I'm sure those places exist.
What is your approach to this? For those who are on the admin side - is there a "rule of thumb"?
ninetofivedev@reddit
IT uses platforms like NinjaOne or another RMM brand.
These tools will provide IT admins basically everything they need to manage your device.
The level at which they lock down your device and the level of monitoring/auditing your company actually does will be a crapshoot.
My personal take is that as a software developer, if I don't get local admin, I'm not working at your company.
Nothing is more infuriating than being bottlenecked by a team of schmucks who have less understanding of my device than I do.
I deal with that today with our company's Okta platform.
The truth is, most IT admins are really just given tools they're expected to administrate and the best they can do is google.
So when I tell them I need specific OAuth configs or need to bulk add 600 internal users to an internal tool my team built, even though I provided them the CSV, some idiot is one by one manually adding them.
Apply that to other situations and that’s IT. They’re just doing their best to stave off their former heroin addiction.
chikamakaleyley@reddit (OP)
I dunno why I just thought of or remembered this, but you're right: unless you're IT who also dabbles in SWE on their own time, what we do is pretty much alien technology to them.
F0tNMC@reddit
I prefer to ask for forgiveness before permission. Stuff I use for productivity on my work laptop I'll keep track of what I'm installing, but I'm not checking against some list for permission. Especially if it only runs locally and doesn't access any external resources. I'm much more circumspect about using tools which connect to external resources or websites.
chikamakaleyley@reddit (OP)
This was the feedback I was given when I had inquired about Neovim, though by that time I had already installed it.
engineered_academic@reddit
At both of my previous orgs this was a fireable offense. Not because the software is dangerous, but you actively had to try and circumvent the security controls in place.
There is a larger supply chain security risk that goes unmitigated in most organizations, because it's just "easier". Until it isn't.
Once you get into regulated organizations where the fines can go into the millions and you can be held criminally liable for lax information security policies, the math really starts mathin. A developer waiting for a day while security gets software added to the approved list is worth it when your ass is on the line to testify in court.
If you work for governments where state actors are constantly trying to gain persistence, and there are actual laws forbidding "collaboration" with certain nation states, open source becomes a liability, not an asset. You can't prove that the software you are downloading is free of malware (trivy, most recent example) or who contributed to it.
Shit, NASA had to send out a missive to all employees to remind them not to install games (at the height of the KSP craze) on their NASA-owned computing devices.
SquiffSquiff@reddit
Yeah, if only. More like going through multiple indirect people, only speaking to the first one, who works alone, then to the next one and so on, and none of them are interested or motivated. Even better if a three-year-old version of the same thing is 'already approved'.
My experience of regulated financial services: yes, this is a significant issue. People doing real work got 2 laptops, typically running different operating systems, one for dev and one for prod, with different rules.
chikamakaleyley@reddit (OP)
This is the case where I've heard it's pretty damn strict, but I haven't had the opportunity to experience this.
Yeah, I could see this. You were told the protocol, you chose not to follow it.
good point
etherealflaim@reddit
I believe in making things better for others, which means that I have to feel the same pain they do. Maybe I am the only one who knows that it can be better, and have the skills to paint a compelling picture.
I'll only go off the paved path once it becomes clear that I'm not helping anyone by doing so.
chikamakaleyley@reddit (OP)
So... do your homework, and if it comes down to it you will hopefully have studied enough to make a compelling case for yourself
am I understanding your approach?
etherealflaim@reddit
Other way around. I try it their way. If I think it could be better, I try to make it better for everyone, not just me. If that doesn't work, then I'll consider my options.
chikamakaleyley@reddit (OP)
lol now the 'feel the same pain' thing makes more sense
chikamakaleyley@reddit (OP)
ah, someone who cares. I appreciate that
leneuromancer@reddit
Plead ignorance, beg for forgiveness, 'system let me install' 🤷♂️
But the worst I have suffered was some PCI in payments, but that was long ago; can appreciate a stricter env.
chikamakaleyley@reddit (OP)
Yeah, this is kinda my mentality - "I'd rather apologize later than wait for permission now" - and while that might sound totally reckless, I feel like with experience you just kinda have this general thought of like, "dude I can't imagine why this would be problematic, and if it is, I hope it's not stupid" LOL