It's there in the The Model Services Contract, under Core Terms:
> Quality Plans
> 6.1 The Supplier shall develop, within [insert number] Working Days of the Effective Date, quality plans that ensure that all aspects of the Services are the subject of quality management systems and are consistent with BS EN ISO 9001 or any equivalent standard which is generally recognised as having replaced it ("Quality Plans").
The Short Form Contract also have optional ISO 27001 or Cyber Essentials (which is, uh, an adventure on its own). But there's also an option for no certification required. It depends on the contract.
But yes, you're right. Dealing with requirements takes time and experience and you likely need a dedicated person (or team) to deal with it.
Software engineering is a broad spectrum where we can move up and down its abstraction ladder. Using off-the-shelf tools and even third-party providers is fine. I don't have to do everything from scratch - after all, I didn't write my own text editor. I'm also happy to download prepacked and preconfigured software on my Linux distro instead of compiling and adding them to PATH manually.
I could, I just choose not to and direct my interests elsewhere. Those interests can change over time too. One day someone with Tailscale can decide to explore Wireguard. Similarly, someone who runs their own mail server might decide to move to a hosted solution and do something else. That's perfectly fine.
To me, this freedom of choice in software engineering is not disheartening. It's liberating and exciting.
That is a strawman though, and I am not sure why all replies assume extremes all the time.
Nobody said do everything from scratch. The point is: basic networking (port forwarding, WireGuard) should not be beyond someone's capability as a software engineer.
"I use apt instead of compiling" is a time tradeoff. "I can't configure a VPN" is a skill gap. These are not equivalent.
If you choose convenience for whatever reasons, that is completely fine.
"I can't configure a VPN" and "I don't want to configure a VPN" are 2 entirely different things. Mind you I have no idea how complex tailscale setup is in comparison.
I'm in the middle of setting up my own homeserver. Still deciding on what/if I want to expose to the internet and not just local network and while setting everything up and tinkering is part of the fun for me. I get some people just want results that they can rely on. Tailscale, while not a perfect option, is still an option and if they're fine with the risk profile I can understand sacrificing some security for it.
- SSH with key-only auth, exposed directly. This has worked for decades. Consider non-standard port to reduce log noise (not security, just quieter logs), fail2ban if you want
- Access internal services via SSH tunnels or just work on the box directly
- If exposing HTTP(S): reverse proxy (nginx/caddy) with TLS, rate limiting
- Databases, admin panels, monitoring - access via SSH, not public (ideally)
You do not need a VPN layer if you are comfortable with SSH. It has been battle-tested longer than most alternatives.
The fun part of tinkering is also learning what is actually necessary vs. cargo-culted advice. You will find most "security hardening" guides are overkill for a homeserver with sensible defaults.
WireGuard is ~10 lines of config and wg genkey. Calling that "network engineering" is a stretch.
The siloing of basic infrastructure knowledge into "not my discipline" is part of the problem. Software gets deployed somewhere: understanding ports, keys, and routing at a basic level is not specialized knowledge.
Honestly, if 10 lines of config is "network engineering", then the bar for software engineering has dropped considerably.
I am probably in the camp where I've found myself ovewhelmed with the amount of information about networks and I'm an alleged software engineer (without formal training in CS albeit).
The 10 loc is not a valid measure.
`sudo rm -rf /` is a 1 line of code. It's not the lines that are hard to wrap your brain around, it's the implication of the lines that really what we are talking about.
The rm -rf comparison is a bit dramatic. WireGuard's config is conceptually simple: your key, peer's key, endpoint, what IPs route through the tunnel. The "implications" are minimal. It is a point-to-point encrypted tunnel.
Being overwhelmed by networking basics is worth addressing regardless. It comes up constantly: debugging connectivity, deployments, understanding why your app cannot reach a database. 30 minutes with the WireGuard docs would demystify it. The concepts are genuinely simple and worth 30 minutes to understand as it applies far beyond VPNs.
I have become pragmatic too. I do not tinker for the sake of it anymore. But there is a difference between choosing convenience and lacking foundational knowledge. One is a time tradeoff, the other is a gap that will bite you eventually.
And with LLMs, learning the basics is easier than ever. You can ask questions, get explanations, work through examples interactively. There is less excuse now to outsource or postpone foundational knowledge, not more[1].
At some point it is just wanting the benefits without the investment. That is not pragmatism, it is hoping the gaps never matter. They usually do.
[1] You can ask an LLM to do all of that for you and make it help you understand under less than 10 minutes!
I do agree on that using LLMs to demistify, learn and explore is better alternative than handing it off to go rouge on, is a better advice. That's how I used it last weekend and I think that's what I would advocate the usage instead of just letting YourFavouriteAI be the sys admin.
My problem is not just networking knowledge. I genuinely faced issues with open source tools. Troubleshooting in the days of terrible search is also a major annoyance. Sometimes, it's just the case that some of the tools have evolved and the same commands don't work as did for someone in 2020 in some obscure forum. I remember those days of tinkering with linux and open source where you'd rely on a Samaritan (bless their soul) who said they'd go home and check up and update you.
Claude suggested me Tailscale too, but I'm glad we're having this conversation (thanks for the tips btw), so that we don't follow hallucinations or bad advice by similarly trained agents. I'm cautiously positive, but I think there's still a case to go self hosted with AI assistance. I found myself looking at possibilities rather than fearing dead ends and time black holes.
I am glad that it is useful to you! The "terrible search + outdated forum posts" problem is real for sure. LLMs genuinely help there by synthesizing across versions and explaining what changed.
I would say that self-hosting with AI assistance is the right approach. Use it to understand, not to blindly execute. Trust me, it is not much of a deal and you will be happy to have gone with this route afterwards!
Good luck with the setup. If you have any questions, let me know, I am always happy to help.
Can you talk a computer illiterate relative over the phone to install Wireguard on their device (laptop, tablet, phone) so that they can connect to your network?
I have done that with Tailscale, most of the time was spent waiting for it to download.
That made me think - are there any depictions of Markdown in movies and tv shows? I've seen a fair share of C, Java, HTML, and (in newer works) JavaScript and Python. And Perl in The Social Network.
> no publicly available data that would demonstrate adherence to the rule.
What kind of data would satisfy you? I imagine any data coming directly from YC would be untrustworthy and third-party data would be incomplete (say, it wouldn't catch content removed before it's published).
Is there a similar data set for other private platforms?
> Quality Plans
> 6.1 The Supplier shall develop, within [insert number] Working Days of the Effective Date, quality plans that ensure that all aspects of the Services are the subject of quality management systems and are consistent with BS EN ISO 9001 or any equivalent standard which is generally recognised as having replaced it ("Quality Plans").
The Short Form Contract also have optional ISO 27001 or Cyber Essentials (which is, uh, an adventure on its own). But there's also an option for no certification required. It depends on the contract.
But yes, you're right. Dealing with requirements takes time and experience and you likely need a dedicated person (or team) to deal with it.
reply