> The "lite" version of certification in tech could be a requirement for a programmer equivalent of a Professional Engineer to sign off on any piece of software that becomes used in a product or service offered to people (whether commercial, public or by non-profit orgs).
this makes sense for software that handles PII and/or where bugs could cause loss of life or limb, but this seems like overkill for a lot of commercial software. but suppose I'm selling some desktop application that doesn't have either of those qualities. wouldn't the certification requirement be a bit overkill in this situation?
You may be right, and perhaps it would be better to relax the requirements, letting them flow from the critical software (PII, risk to life and limb) downwards.
So if I want to make a new radiation therapy machine, I won't be able to pull in random crap from NPM. My software will need a PE sign-off, and so will my dependencies. This will hopefully lead to some OSS libraries getting certified (perhaps with corporate interest funding the certification), creating an excuse/incentive for other companies. Now some bank will notice that a third-party app they use internally has eaten their data several times, causing monetary loss, and it'll decide that going forward, PE-certified software is prioritized during procurement. Creating incentive for non-critical software vendors to get their software certified. Etc.
I'm not sure if the dynamics would play out this way, but it seems plausible. The goal here is to retain free experimentation - I'd hate to end up in a world where you aren't allowed to use a Turing-complete language without a license - while at the same time forcing responsible software practices where they matter.
> You may be right, and perhaps it would be better to relax the requirements, letting them flow from the critical software (PII, risk to life and limb) downwards.
agreed, I think this would achieve a lot of the positive downstream effects without placing an undue burden on developers of less critical commercial software. to go back to the desktop app example, it probably needs to authenticate serials for authorized users. you could write a small self-contained auth server and have it certified, while continuing to ship your behemoth desktop app that can't be fully evaluated.
The FDA already has an extensive validation process for medical devices with the potential to cause harm. They look at the complete system, not just software. There have been a few notable failures but overall the process works as intended. No need for additional programmers certifications.
this makes sense for software that handles PII and/or where bugs could cause loss of life or limb, but this seems like overkill for a lot of commercial software. but suppose I'm selling some desktop application that doesn't have either of those qualities. wouldn't the certification requirement be a bit overkill in this situation?