189 points udev4096 | 7 comments
mickael-kerjean No.42136723
What if, instead of publicly blaming an OSS product, you try to get a support contract with some of the engineers behind it? If your company is too cheap for that, maybe a PR would have been nice?

Having very high expectations when using the software, without contributing anything other than public shaming, on something that clearly states in the license: "Licensor provides the Work ... WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND" shouldn't be OK; this is quite literally how you make open source developers burn out.

replies(7): >>42136837 #>>42136872 #>>42136966 #>>42137033 #>>42137338 #>>42137517 #>>42137650 #
tapoxi No.42137033
Keycloak is a Red Hat product and is a dependency for many Red Hat products, so I'd love it if people running the open source release can report the bug and get feedback. This isn't a student eating ramen supporting this software; it's IBM.
replies(1): >>42137535 #
1. hiciu No.42137535
Keycloak has been donated to CNCF in 2023. So it's not a RH / IBM product anymore.

I would even go as far as to say that it never was; Red Hat had their own product called "Red Hat Single Sign On" that was, for some time, based on the open source Keycloak project, but the open source Keycloak project existed before RH SSO. And it exists now that the RH SSO product has been deprecated (retired? Idk what happened).

Red Hat does offer a "Red Hat build of Keycloak" now, and of course Keycloak would not exist in its current form without Red Hat.

But saying that "Keycloak is a Red Hat product and therefore Red Hat and / or IBM should support it" would be, in my opinion, harmful for the whole open source movement. If, by being engaged with an open source project, a company risks its reputation, then such a company could decide against any engagement, or would engage only if it could keep control of the project / community around it.

replies(3): >>42137753 #>>42138004 #>>42138921 #
2. tapoxi No.42137753
If there's a Red Hat build of Keycloak, and Red Hat products depend on Keycloak, then this vulnerability is present in all of those Red Hat products.
replies(1): >>42161635 #
3. ffsm8 No.42138004
RH SSO was the LTS build of Keycloak with business support.

Keycloak doesn't publish hotfixes for previous major versions, and these major versions come out on a very tight release schedule, every few months. So if you didn't want to upgrade all the time, you'd have been forced to use RH SSO, and now the Red Hat Keycloak build.

https://github.com/keycloak/keycloak/discussions/25688

replies(1): >>42138643 #
4. vbezhenar No.42138643
> So if you didn't want to upgrade all the time, you'd have been forced to use RH SSO.

Or just not upgrade at all. Not the wisest strategy for security-focused software, but I'm sure many teams do that. Especially because Keycloak is often heavily customized with plugins and themes, so upgrading such a setup might actually not be trivial.

5. tofflos No.42138921
Off-topic, but I love this naming convention from Red Hat, which I hope gets more traction across the industry. I absolutely detest wading through vendor marketing material to figure out which open source product is being used under the hood. With names like "Red Hat Build of Keycloak" and "Microsoft Build of OpenJDK" it's crystal clear.

I believe it works out better for the vendors as well, because there are so many obstacles to evaluating anything that requires a license in an enterprise setting. If the technical person downloads and evaluates the underlying open source version, some manager will insist on purchasing a support contract before going to production.

replies(1): >>42167606 #
6. TheNewsIsHere No.42161635
Not necessarily. Red Hat issues patches and backports to customers regularly and those don’t necessarily flow upstream right away (or sometimes ever).
7. bigfatkitten No.42167606
Though Red Hat did a search and replace of RHSSO with "Red Hat Build of Keycloak" in their docs, and now they are extremely painful to read, with "Red Hat Build of Keycloak" sometimes appearing three times in one sentence when "Keycloak" or some other shortened form would suffice.