by ornornor 17 days ago
Uhhh why? Aren’t these worthy goals? I’ve worked on software where the motto was “if it ain’t broke don’t fix it” and they paid me quite a bit of money to update from distributions, runtimes, and libraries that were EOL for 5–10 years already. I’d argue that keeping up loosely with modern practices is much easier than running outdated everything and suffering the consequences (breaches, painful updates).
1 comment

What hurts the most is that most people disagree with me. It's like people telling you they will paint your house for free; even though the color of your house is perfectly fine, you agree to paint it in another color. Then you come home to find that they have bored a bunch of holes in the facade and tell you it's the new industry standard. When the winter comes you will have to plug these holes with special plugs, and you wake up next morning and it's -10 C outside. Your house is now pink, you are cold, and nothing has improved. Next week another team comes by and offers to repaint your house for free... They say orange is the new pink.
> It's like people telling you they will paint your house for free, even though the color of your house is perfectly fine

You are perfectly capable of saying "No, I like the color of my house already". Just pin rsync's version. This isn't some esoteric mechanism, it's standard practice.

If you were actually willing to charitably engage, tidge was working on fixing security bugs - your house had holes in it already! Your choice was to say "I'm fine with the existing holes", or "yeah, please try to fix them". Unfortunately, while fixing them he introduced some new ones, but hey, that's the nature of software development - sometimes you introduce new bugs when fixing old ones.

Again, this isn't some esoteric happenstance. It's so banal it must happen thousands of times per day across many other maintained projects.

> Just pin rsync's version

Very bad advice these days.

There's a comment on the GitHub thread which also mentions that pinning rsync's version would be a bad idea. Many of the people affected by reversions are those with workflows vulnerable to the prior CVEs.