
189 points udev4096 | 6 comments
mickael-kerjean ◴[] No.42136723[source]
What if instead of publicly blaming an OSS product, you try to get a support contract with some of the engineers behind it? If your company is too cheap for that, maybe a PR would have been nice?

Having very high expectations when using the software without contributing anything other than public shaming on something that clearly states in the license: "Licensor provides the Work ... WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND" shouldn't be ok, this is quite literally how you make open source developers burn out

replies(7): >>42136837 #>>42136872 #>>42136966 #>>42137033 #>>42137338 #>>42137517 #>>42137650 #
1. tgsovlerkhgsel ◴[] No.42137517[source]
Regardless of whether it's a project run by a big company or a guy in a shed, a security-critical project not fixing critical vulns for 10 months is an important bit of information when judging whether you should use it.

It doesn't really matter whether it's someone's fault, or wrong, or whatever - what matters for the user is that using the project is likely unsafe. Sharing that information is a public service.

replies(2): >>42138927 #>>42139571 #
2. hinkley ◴[] No.42138927[source]
The number of software engineers who either don’t understand social contracts or only understand them when it benefits them to do so is frankly appalling.

You said you’re going to do something and now people depend on you having done it. Volunteer organizations fall apart if they can’t trust each other.

replies(2): >>42139573 #>>42142589 #
3. nijave ◴[] No.42139571[source]
>a guy in a shed

That should be enough without needing to shame them over timeline.

You can also judge based off issue open/close rate and contribution frequency (GitHub has pretty charts for these if the project is hosted there)

4. from-nibly ◴[] No.42139573[source]
People depending on you is not something in your control, therefore you can't be responsible for that. It's up to the people depending on you to make a judgement on whether or not that's a good idea.

Social contracts are not contracts, they do not end up in court, and if you depend on them you have no recourse. The most anyone can say about social contracts is that you are allowed to be disappointed privately. And even then...

replies(1): >>42140029 #
5. hinkley ◴[] No.42140029{3}[source]
No, they end up in the court of public opinion. <gestures around>

And they make you lonely if you keep losing.

6. water-data-dude ◴[] No.42142589[source]
This blog post is from another domain, writing, but it’s stuck with me over the years and colored how I see things like open source projects:

https://journal.neilgaiman.com/2009/05/entitlement-issues.ht...