On Mon, Mar 30, 2015 at 2:49 PM, Bryce Kerley <bkerley / brycekerley.net>
wrote:

> On Mar 30, 2015, at 14:26, leam hall <leamhall / gmail.com> wrote:
>
>
> That's a dangerous message to preach if you want your community to
> continue. If you say "Your version is insecure and you should spend weeks
> of man hours to upgrade, as should everyone who uses your product", then
> you're likely to wind up with no one using your language because it's not
> worth the effort.
>
> Most places I've seen don't want to ignore security issues. However, they
> have to produce some sort of product and they have limited resources to do
> so. If Language X becomes so insecure that major upgrades are required
> because the community quits supporting what everyone is using, then
> Language X is used a lot less. Just because it's cool doesn't make it
> worthwhile.
>
>
> Denial isn't how you fix the cost of updating, making updating routine and
> well-practiced or automated is. The reality of shipping software in 2015 is
> that your environment is constantly changing, whether due to a
> megacorporation picking a different business strategy, researchers finding
> flaws in common software, or business partners ceasing to be businesses or
> partners.
>
> Ruby 2.2.1 isn't even a big change from 1.9.3: new syntax that doesn't
> break existing syntax, new APIs that augment existing ones, and a more
> efficient runtime.
>

I'm not denying anything. What I am pointing out, hopefully politely, is
just because the community wants to quit supporting a version that's used
in production doesn't obligate or incline production users to spend their
resources.

Again, if the community says something is insecure and unsupported, yet it
is heavily used in production, it makes those production users at least
raise the question about options.




-- 
Mind on a Mission <http://leamhall.blogspot.com/>