←back to thread

Open Source is one person

(opensourcesecurity.io)
433 points LawnGnome | 5 comments | 28 Aug 25 01:54 UTC | HN request time: 0.921s | source
Show context
blueflow ◴[28 Aug 25 09:58 UTC] No.45050331[source]
If they had done an activity check they would have seen that half of all projects have zero maintainers.
replies(1): >>45051284 #
ysofunny ◴[28 Aug 25 12:21 UTC] No.45051284[source]
software once "perfected" (working well enough long enough) needs NO maintenance. No cleaning. No calibrating/tunning.

updating is a systemic issue, not a per-project matter

replies(8): >>45051346 #>>45051557 #>>45052779 #>>45053610 #>>45053967 #>>45055423 #>>45056222 #>>45057634 #
kube-system ◴[28 Aug 25 12:50 UTC] No.45051557[source]
Under a microscope, maybe.

But if you had a "perfect" piece of software that used Log4j in 2020, it wouldn't have been perfect for long.

Unfortunately, there's a lot of reasons that software needs maintenance, even if it was thought to be perfect when it was originally written.

Hardware changes. The software landscape changes. Dependencies are deprecated, or are found to have their own problems. Vulnerabilities are discovered. Vulnerabilities are found that aren't even the fault of your software, maybe they are a flaw in the hardware your software runs on, and the only way to fix it is via a software mitigation. These are all real things that happen to otherwise perfect software.

replies(2): >>45051623 #>>45054511 #
1. ridifndnwj ◴[28 Aug 25 12:58 UTC] No.45051623[source]
Ironically if you didn’t upgrade from 1.x you didn’t get the new features or the bug you’re referring to
replies(2): >>45051648 #>>45051734 #
2. ◴[28 Aug 25 13:00 UTC] No.45051648[source]
3. kube-system ◴[28 Aug 25 13:10 UTC] No.45051734[source]
2.x had been out for about six years by the time the vulnerability was discovered.
replies(1): >>45057800 #
4. ridifndnwj ◴[28 Aug 25 22:33 UTC] No.45057800[source]
And 1.x was and has been logging for a decade or more before that which is why I thought it relevant to the ‘no need to upgrade’ discussion
replies(1): >>45064356 #
5. kube-system ◴[29 Aug 25 14:08 UTC] No.45064356{3}[source]
The world didn't stop building new software for that 6 year period, is my point. One would have picked the latest version to build something during that time period.