
I'm fairly confident that the vast majority of functionality broken by updates has not in any way been related to security mitigations.



I remember Microsoft around 2001 fixing a security issue in Windows Media Player. This security issue was combined with a feature which added DRM support to Windows Media Player. I'm still puzzled by decisions like these, and why they are even legal to begin with.


That wasn't the point I was trying to make. I was trying to point out that ideally you could just leave the old API there for old software to use and build a new API for new software to use. If it wasn't for security bugs you could leave the old API untouched. Sadly, security issues prevent this and after a while it becomes uneconomical to supply even security fixes. This is why hardware that relies on software has an operational life shorter than the hardware itself has.


And that is exactly my point: API changes are rarely—if ever—caused by security fixes, and thus are not the cause of breakage, despite you attributing the impossibility of stable APIs to it.

A fixed piece of software can have a limited lifetime for only two reasons: Dependence on ephemeral infrastructure (e.g. cloud services that disappear or change), and assumptions that fail over time (e.g. "the device will never be used after 2020" + hardcoded calendar).

Only the first can be caused by API changes, and the API changes are usually always caused by voluntary product rewrite and infrastructure deprecation, not by security issues.

In other words, the problems spawn from entirely voluntary and technically unnecessary actions, and you cannot claim that is caused by some unavoidable law of nature, such as the proliferation of security issues.


I was not trying to say that security fixes cause breakages. I was trying to suggest that security fixes cost money and therefore old APIs would get withdrawn for monetary reasons (if they weren't simply replaced by something new and shiny, which is the usual reason).

If old APIs required no maintenance it would be fairly simple to leave them around.

However, APIs are built on an ever deeper stack of APIs that go all the way back to the operating system and through internet protocols (APIs) right across the internet. Each API gets updates and fixes and things get deprecated. Bit-rot sets in and things stop working.

My original comment was suggesting that if everyone just left their old APIs around forever then the world would be filled with unpatched APIs with security flaws and I was not sure that would be a better place to be than the world of bit-rot that we have now.



