←back to thread

189 points udev4096 | 1 comments | | HN request time: 0.206s | source
Show context
mickael-kerjean ◴[] No.42136723[source]
What if instead of publicly blaming an OSS product, you try to get a support contract with some of the engineers behind it? If your company is too cheap for that, maybe a PR would have been nice?

Having very high expectations when using the software without contributing anything else than public shaming on something that clearly state in the license: "Licensor provides the Work ... WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND" shouldn't be ok, this is quite literally how you make open source developer to burn out

replies(7): >>42136837 #>>42136872 #>>42136966 #>>42137033 #>>42137338 #>>42137517 #>>42137650 #
aseipp ◴[] No.42137338[source]
Keycloak is not written by some random person in the middle of nowhere who is shouldering the burdens of the world. It is security sensitive software that in part is funded by major open-source corporations like Red Hat, including full time engineers. What you're reading in this blog is literally standard fare in security research where a disclosure happens after some set period of time, regardless of when, or even if, the fix happened.

Fixing authentication bypasses is not "very high expectations", it's exactly what you would expect from this software. Get a grip on reality, please.

replies(1): >>42140923 #
threatofrain ◴[] No.42140923[source]
Is it still funded by Red Hat today?
replies(1): >>42147881 #
1. aseipp ◴[] No.42147881[source]
Several developers and full-time employees, including the project lead, are still employed by Red Hat.