
Not updating is the other side of the same problem: library owners feel it is ok to make frequent backwards-compatibility breaking changes, often ignoring semver conventions. So consumers of their libraries are left with the choice to pin old insecure versions or spend time rewriting their code (and often transitive dependency code too) to keep up.

This is what happens when nobody pays for anything and nobody feels they have a duty to do good work for free.



>This is what happens when nobody pays for anything and nobody feels they have a duty to do good work for free.

Weirdly, some of the worst CVEs I can think of were with enterprise software.


That's because there, many people don't feel like it is their duty to do good work, even though they are paid ...


Who do you mean with "many people"? Developers who do not care or middle management that oversold features and overcommitted w.r.t. deadlines? Or both? Someone else?


I was thinking of many developers, but actually middle management should be included.


And the CEO. And lawmakers.



