[zzzcpan]

Everything you ever used in production is "production-ready". The bar is super low, there is no deception here.

The security thing is particularly interesting here. If you care about security even a little bit, you absolutely cannot rely on a random third party to provide timely updates or at all, especially for free. A lot of software doesn't even provide basic security necessities to the point, where OS packages may have to include such patches themselves, effectively always being forks, never using vanilla upstream code. But this is only if you care about security a bit. If you just install from language package managers into prod, you obviously do not care about security even a little bit.

[ambrice]

So, your advice is that if you care about security even a little bit, you should write all your software from scratch yourself?

[Ntrails]

You should accept that you are responsible for all the code you run in production, whoever happened to write it. Whether you feel you are more likely to write bug free code than anyone else is your call.

[rakoo]

I think it means you should look more closely into the contract you have with the maintainers. Either you rely on trust, like you would do if you used OpenSSL or NaCl because the creators and maintainers are known to go beyond the required minimum, or you get an official contract.

[kbenson]

This. There is no free lunch. Either you pay for quality or assurance, or you risk you might get something rotten that wasn't obvious at first glance and you can't do anything about it. That's the difference, when you pay, you might also get something rotten, but you can do something about it. Your options are of course only constrained by what you pay.

The problem, as I see it, is that a whole generation of programmers have grown oblivious to this implicit relationship, and when that relationship is actually exercised in some way, they default to what they understand, which is paid services and products, which results in both sides feeling like they got a raw deal.

[ambrice]

Again, in my experience there is very little correlation between how much you pay for something and how rotten it is. And I find the opposite, when you get open source software and it's rotten, you can do something about it. You can patch it locally, even if the maintainer won't accept your patches. If you have a proprietary product written badly, paying money for a support contract will not magically make it a more secure product or guarantee that they will be able to fix your issues.

[TuringNYC]

I think his advice is to purchase a licensed product with a paid support package if you need an SLA.

[ambrice]

In my experience licensed products with paid support packages aren't any more secure, they just let you pass the buck when things go wrong.

[TuringNYC]

To some extent, they also come with warranties and insurance policies that could potentially be collected upon if there are damages.

But yes, a lot of it is a legal CYA, which is important.