Welcome to Runtime! Today: why a proposed cybersecurity law in the U.K. is both ridiculous and terrifying, the campaign to fork HashiCorp's Terraform gets underway, and the quote of the week.
A sticky wicket
Imagine having to fill out Form 493-F in triplicate to issue a security patch for a zero-day exploit.
If a proposed surveillance law under debate in the U.K. comes to pass, software providers could be required to obtain government approval before patching flaws in their software. The law has been up for debate for several months, with companies like Apple slamming it as misguided, but is getting new attention this week as the ramifications become clear.
Software companies would be required to give the government "advance notice" of any proposed changes to their software and "the Secretary of State, upon receiving such an advance notice, could now request operators to, for instance, abstain from patching security gaps to allow the government to maintain access for surveillance purposes," according to Just Security.
- The tech community is, correctly, horrified by this proposal.
- And I'm not sure how this is enforceable, but according to Just Security the law "would mean that the operators with a multinational presence would have to adhere to the U.K. government’s orders in every country of operation."
- The entire point of patching security flaws is to protect users as quickly as possible no matter where they are using your software, because criminal hackers don't respect borders.
The law is part of an attempt to weaken services that provide end-to-end encryption or deter companies from adding such encryption to their products.
- There's a recurring fantasy among government regulators around the world that it's perfectly reasonable to request software developers include back doors in their end-to-end encryption services that would only be used to defeat that encryption in cases of national emergency or serious crime.
- That is — at best — wishful thinking, given that any vulnerability deliberately placed into software will be discovered by the legions of criminals that troll the internet every day (quite successfully) looking for vulnerabilities.
- The tech industry went down this road several years ago following a mass shooting in San Bernardino, Calif., when the FBI demanded that Apple build a feature allowing them to unlock an iPhone belonging to one of the shooters.
- Apple refused, and the FBI dropped the matter after it found another way to get into the iPhone, but the demand was a rallying cry for tech companies still fuming from the government surveillance tactics uncovered by Edward Snowden.
Given the precarity of the software supply chain in this day and age, the proposed law could have incredible ramifications for the cybersecurity industry.
- "...expanding the extraterritorial effects of the notices regimes would entitle the U.K. government to decide the fate of data privacy and security for virtually every citizen in the world," Just Security wrote.
- The law would put the U.K. in the same league as China, which requires companies to disclose vulnerabilities to the government within two days after they are discovered.
- Alibaba was sanctioned by the Chinese government after an employee alerted the Apache Software Foundation to the infamous Log4j vulnerability before telling the government.
Tech companies and their employees almost reflexively disparage even good-faith attempts to regulate their industry as misguided proposals from people who don't understand how software works, but sometimes, as Ben Evans put it this week, they have a point.
- "Your MPs’ WhatsApp group can be secure, or it can (be) readable by law enforcement and the Chinese, but you cannot have encryption that can be broken only by our spies and not their spies," Evans wrote. "Pick one."
Setting the table
A consortium of companies announced Friday that it has forked Terraform, HashiCorp's flagship open-source cloud infrastructure project, which HashiCorp plans to relicense under the Business Source License in order to restrict the rights of others to use it for commercial purposes.
That means that Terraform and OpenTF, the name the group has chosen for its effort, will embark on separate paths. Dozens of companies pledged support for OpenTF, but the primary backers, judging by the number of full-time employees they are committing to the project, are Spacelift, env0, and Scalr.
It's hard to gauge how successful this effort will be, given that the three major backers pledged a total of 13 full-time software developers to work on OpenTF. HashiCorp, worth $5.5 billion as of the close of trading Friday, has thousands of employees, and co-founder and CTO Armon Dadgar told Runtime earlier this month that around 95% of all the code written for its various open-source projects was written by people on HashiCorp's payroll.
Quote of the week
"...the H100 is 35,000 parts, 70 pounds, nearly a trillion transistors in combination; takes a robot to build — well, many robots to build because it's 70 pounds to lift." — Nvidia CEO Jensen Huang, describing the product that has made him a very rich man, and which is way heavier than I would have thought.
The Runtime roundup
The ongoing MOVEit hacking disaster has now affected more than 60 million people and 1,000 organizations, according to new figures released this week.
Instacart's S-1 summed up the enterprise tech spending drop-off this year: the company spent $51 million with Snowflake in 2022, and expects to spend just $15 million with the cloud data warehousing company in 2023, as spotted by former ZDNet editor and degenerate Philadelphia Eagles fan (that is perhaps redundant) Larry Dignan.
Thanks for reading — see you Tuesday!