Actually, there is. I used to believe as you do. That belief was short-lived once I got to the medical device world. It’s not so simple in RISK situation. (I’m not shouting. We use RISK when referring to the formal FDA mandated RISK analysis process and documentation and risk when we are just talking about a single risk.)
The software update process in Ubuntu has become a virus unto itself. Just like Jason in the Halloween movie franchise, it cannot be killed for long. You can use every method found on-line and still it comes back to life. Windows 10 is even worse.
Back in the days of DR DOS 6 and OS/2 Warp, what you say actually worked. There really was no Internet to speak of. If you had a connection it was dial-up and the OS had a setting to block dial-on-demand or allow it. You could be absolutely certain nothing would change unless you changed it.
That hasn’t been the case in years.
As my previously posted link to the Git patch points out, even the “stable” 5.6.0 won’t build today without that patch retroactively applied. This is due to automatic updates of underlying platforms.
Has anybody tried to run Windows 10 without an Internet connection? For a prolonged period without Internet connection? How did you get past activation and registration? Doesn’t it eventually hang when it cannot touch the Internet?
I don’t know, but I’ve heard rumors.
The same can be said of Ubuntu 20.04 (and probably earlier versions). Given they rolled NIC support into the kernel, any network attempt has the potential to hang the entire system until timeout.
The traditional solution was to place all machines on a closed network that had zero connection to the outside world. It was really great if you could use an obscure network like Token Ring. Keep the machines off of anything that would connect to the Internet and completely remove all TCP/IP from them. No question your software would remain as-is and still be usable.
Today just putting it on your own Git instance doesn’t ensure that. The vast majority of machines are on the same network and it connects to the Internet. Operating systems wanting to gather all of the personal information they can about you to sell to anyone who will buy it demand an Internet connection and force updates on you.
No, this isn’t idle chatter or speculation. This is actual FDA conversation going on right now.
DRAFT - Cybersecurity Guidance (April 8, 2022) (fda.gov)
“As part of configuration management, device manufacturers should have custodial control of source code through source code escrow and source code backups. While source code is not provided in premarket submissions, if this control is not available based on the terms in supplier agreements, the manufacturer should include in premarket submissions a plan of how the third-party software component could be updated or replaced should support for the software end.”
Hardware manufacturers have long since mandated 10, 20, or 30-year supply terms in contracts with suppliers. They pay for this.
The same thing is happening with source providers now. Open source doesn’t cut it in the medical device world. You have to have fully controlled open source.
Currently many are satisfying this requirement by creating a CMS on a machine that always gets backed up and is never updated. It sits behind both a physical security appliance and a VPN. Even if someone manages to somehow penetrate the security appliance from the regular Internet, without the extra device drivers and keys provided by the VPN front end, they see an alternate set of disks. In short, they see a virtual server, not the real thing. The virtual server goes away with the connection.
Again, people are signing contracts and paying money for this.
I don’t know what the arrangement is with my current client and this device.
The Git whammy should be a massive wake-up call. What we currently have in place is not good. If you are on Ubuntu 20.04 and haven’t slain the Software Updater virus, the locked down 5.6.0 will no longer build without retroactively applying a forward patch.
I know the IoT world will dismiss this, but the FDA regulated world cannot. It’s going to go from “best practice” to hard regulation very soon.