[patrec]

Your vision is only workable for software for which there are no security concerns. This might improve to the extent industry slowly moves away from utterly irresponsible technologies like memory-unsafe languages and brain damaged parsing and templating approaches and more or less the whole web stack. I wouldn't hold my breath though. And even software that's not cavalierly insecure will have security flaws, albeit at a lower rate.

[jasonkester]

Keep in mind that you're arguing against an existence disproof. The Microsoft stack, for example, is a pretty big target for attack, and has seen its share of security issues over the years.

But developers don't need to make any code changes or redeploy anything to mitigate those security issues. It all happens through patches on the server, 99% of which happen automatically via windows update.

[avodonosov]

Yes, Microsoft is good at backward compatibility.

So many open source hackers do not know the basic tecniques for backwards compatibility (e.g. don't reaname a function, just intoduce a new one, leaving the old available).

I'm spending very significant efforts maintaining an OpenSSL wrapper because OpenSSL constantly remove / rename functions. I hoped to branch based on version number, but they even changed the name of the function which returns version number.

And that's only one example, lot of people do such mistakes costing huge efforts from users.

And this popular semantic version myth, that you just need to update major version number when you chane the API incompatibly to save your clients from trouble.

[ben0x539]

> So many open source hackers do not know the basic tecniques for backwards compatibility (e.g. don't reaname a function, just intoduce a new one, leaving the old available).

I'd dispute this, or at least I think this doesn't capture the whole picture. Microsoft makes money with backwards compatibility and can afford to spend significant effort on to the ever-growing burden of remaining backwards-compatible indefinitely. Open source volunteers are working with much more limited resources and I think that it comes down much more to intentional tradeoffs between ease of maintenance and maintaining backwards compatibility.

If you have a low single-digit number of long-term contributors, maybe the biggest priority to keep your project moving at all is to avoid scaring off new contributors or burning out old contributors, and that might require making frequent breaking changes to get rid of unnecessary complexity asap. Characterizing that as "they don't know that you can just introduce a new function" doesn't seem like it yields instructive insights.

[avodonosov]

Yes, this is exactly the wrong reply I often hear when complaining about backwards compatibility.

The mistake here is that in 99% of cases backwards compatibility costs noting - no efforts, no complexity.

Of two equally costing choices the people breaking backwards compatibility just make a wrong choice.

> maybe the biggest priority to keep your project moving at all

When you rename function SSLeay to OpenSSL_version_num, where are you moving? What does it give to your project?

Ok, if you like the new name so much, what prevents you from keeping the old symbol available?

        unsigned long (*SSLeay)(void) = OpenSSL_version_num

(Sorry for naming OpenSSL here, it's just one of many examples)

When developers do such things, they break other open source libraries, which in turn break other. It's a huge destructive effect on the ecosystem. It will take many man-days of work for the dependent systems to recover. And it may take years for the maintainers to find those free days to spend on recovery, and some projects will never recover (e.g. no active maintainer).

With a lift of a finger you can save humanity from significant pain and efforts. If you decided to spend your efforts on open source, keeping backwards compatibility by making the right choice in a trivial situation will make you contribution an order of magnitude bigger, efficient.

So, I believe people don't know what they are doing when they introduce breaking changes.

[avodonosov]

I saw developers introducing breaking changes, then finding projects depending on them and submitting patches. So they really have good intentions and spend more their volunteer open source energy than necessary. And when the other project can not review and merge their patch (no maintainers) they get disappointed.

So please, just keep the old function name. It will be cheaper for you and for everyone.

[pnutjam]

An unmaintained duplicate way of doing things is a mistake waiting to happen.

[jasonkester]

Microsoft makes money with backwards compatibility

That's a good way of putting it, and it gets to a key difference between open source and proprietary software.

In the open source world where a million eyes make all bugs shallow, developer hours are thought of as free. So if you change something it's no big deal because all the developers using your thing can simply change their code to accommodate it. It doesn't matter how many devs or how many hours, since the total cost all works out to zero.

In the proprietary world, devs value their time in dollars. The reason they're using your thing is because it's saving them time. They paid good money because that's what your thing does. Save time. Get them shipped. As a vendor, you're smart enough to realize that if you introduce a change that stops saving your customers time or, worse, costs them time or, god forbid, un-ships their product, they'll do their own mental math and drop you for somebody who understands what they're selling.

In the end, all we're talking about here is the end product of this disconnect in mindset.

[ldoughty]

Microsoft also isn't your average developer that imports libraries from strangers.

Ever time I run an audit (which is monthly) I see at least a dozen conversations in NPM packages we use. Sure, some of them don't apply to our usage, and others can't really impact is, but occasionally there is one we should be concerned about.

We server admins can push buttons to upgrade, but that doesn't mean developer code will keep working.

Many developers live in this world were they think server admins will protect their app... But we're more likely to break things by forcing your neglected package upgrades

[lmm]

> Keep in mind that you're arguing against an existence disproof. The Microsoft stack, for example, is a pretty big target for attack, and has seen its share of security issues over the years. > But developers don't need to make any code changes or redeploy anything to mitigate those security issues.

I don't believe it. Most security issues are not just an implementation issue in the framework but an API that is fundamentally insecure and cannot be used safely. Most likely those developers' programs are rife with security issues that will never be fixed.

[AnIdiotOnTheNet]

Which is fine, as long as they are understood and mitigated against. If your security policy consists entirely of "keep software up to date", you don't have a security policy.

[lmm]

In practice trying to "understand and mitigate against" vulnerabilities inherent in older APIs is likely to be more costly and less effective than keeping software up to date.

[HelloNurse]

If there is a problem in an older API, it's probably time to update. That's understanding and mitigation.

The discussion is about the difference between updates when there's a valid reason and updates that are imposed by cloud providers, nobody advocates sticking with old software versions.

[lmm]

> nobody advocates sticking with old software versions.

In my experience that's what any policy that doesn't include staying up to date actually boils down to in practice. Auditing old versions is never going to be a priority for anyone, and any reason not to upgrade today is an even better reason not to upgrade tomorrow, so "understanding and mitigation" tends to actually become "leave it alone and hope it doesn't break".

[AnIdiotOnTheNet]

In practice you don't mitigate against specific vulnerabilities at all, you mitigate against the very concept of a vulnerability. It would be foolish to assume that any given piece of software is free from vulnerabilities just because it is up to date, so you ask yourself "what if this is compromised?" and work from the premise that it can and will be.

[lmm]

Sounds clever, but what does it actually translate to in practice? And does it work?

[patrec]

> But developers don't need to make any code changes or redeploy anything to mitigate those security issues

Right, so all deployed Active X based software magically became both secure and continued working as before after everyone installed the latest Windows patches?

The trivial patching only works for security issues due to implementation not design defects. If you have a design defect, your choice is typically either breaking working apps or usage patterns or breaking your users security. Microsoft has done both (e.g. Active X blocking, vs continued availability of CSV injection) and both have negatively affected millions.

[nostrebored]

... because it is maintained?

[TomMarius]

There are no changes needed on application code side.

[nostrebored]

What definition of maintained are you using?

If they're doing security patches and bug fixes it's a maintained codebase.

[jasonkester]

We're using the definition a few notches upthread: "Dear manager, for the next weeks/sprint the team needs X days to upgrade the software to version x.x.x otherwise it will stop working"

As opposed to:

2011: deploy website, turn on windows update

2011-2019: lead life as normal

2019: website is up and running, serving webpages, and not part of a botnet.

That's reality today, and if it helps to refer to it as "maintained", that's fine. The point is that it's preferable to the alternative.

[nostrebored]

I think that the parent commenter is referencing node 4.3 being past EOL and being unmaintained software and therefore unfit for prod, unlike the ms stack which is receiving patches

[yeahitslikethat]

Installing Security patches for a ruby stack takes a full code coverage test suite, days of planning and even more to update code for breaking changes.

Installing security patches for a Microsoft stack requires turning on windows update.

There's a BIG difference. Once you write your msft stack app, is done. Microsoft apps written decades ago still work today with no code changes.

[pnutjam]

That's not true. Try running anything with VisualFoxPro. There are tons of programs that ran on XP and 7 and don't on 10.

[dalf]

What if the new node version fix an bug / issue / CVE that doesn't concern the software ?

Is it resonable to postpone the upgrade for later ?

Example : the software uses python requests. A new version fixes CVE-2018-18074 about Authorization header, but you don't use this header, for sure. Is it resonable to upgrade a little bit later ?

[viraptor]

Depends on how mature is your security team/process. Can you spend time tracking separate announced bugs and make case by case decision for each cve? How much would you trust that review? Do you review dependencies which may trigger the same issue?

Or is it going to take less time/effort to upgrade each time?

Or is the code so trivial you can immediately make the decision to skip that patch?

There's no perfect answer - you have to decide what's reasonable for your teams.

[nerdbeere]

The cool thing about serverless infrastructure is that it does not really concern you. As long as you are on a maintained version of the underlying platform your provider will take care of the updates.

If your software runs on a unmaintained platform there won't be any security fixes and that's why amazon forces you to upgrade at some point.

[ldoughty]

AWS, at least, didn't make any promises for updates for serverless Lambda that I can see in their docs.

[nerdbeere]

Right, because it's not relevant to you. You don't care about the underlying infrastructure in terms of security, amazon does that for you.