by therealjumbo
1723 days ago
That isn't just a problem of misaligned incentives, it's more fundamental than that. It's also a problem with how software "construction" tools work at a very basic level. Look around at open source projects: they don't have this perverse incentive, and which of them ship security updates separate from the feature updates? Nobody does, because it causes a combinatorial explosion in code branches and in testing. This isn't just a problem with the higher level convenience tools like compilers and package managers, it's a problem with the actual source code as formulated as it is today. We'd need an entirely different way of writing code in order to do that without a massive increase in programmer/testing hours. Personally I don't think it will ever realistically happen, but I'd love to be proven wrong.

As a developer, I don't really understand. I've been working on large, complex software that targets multiple operating systems for years, and we don't have any such issues.
It sounds to me like a lot of companies are using development methodologies that are a bit broken...
I've long thought that the reason for this is rather different -- the industry really wants to go to continuous-release models (which I don't think is a good thing, but that's a separate issue), which make security-only releases a bit nonsensical.