Hacker News new | past | comments | ask | show | jobs | submit | noselasd's comments login

When you're cities of 20-40k people 4000 years ago, there's quite a bit of admin work that has to be done - it's not all small farmer villages or hunter-gatherers. Ancient Sumeria was quite advanced.

> It has never been easier to build scientific devices that rely on your phone for compute.

I think the actual need right now is the other way around, don't build new devices and instruments, rather support existing devices.


Are we sure it can't be created in nitrogen rich atmospheres outside earth?


Which extraterrestrial bodies with nitrogen-rich atmospheres do you have in mind?


If we can, there's the problem of where they would live. Looking at google maps, most of the good places for wildlife now is just a patchworks of deforrested farming fields and roads.


Single digit dollar sounds more like the Appollo program. I think it's been a long time since the entire NASA budget was more than a penny per tax dollar.

NASA says the voyager mission cost 865 million dollars from the start in 1972 to Neptune encounter in 1989, and currently runs at 7 mllion dollars per year.


So that would be $7.72 per taxpayer, a single-digit dollar amount.

(based on number of taxpayers in 1989 -- using the numbers from 1972, it would be a low double-digit amount).


Totalled up, yes - fair enough.


> If I disclose a security issue to you, it doesn't matter if you're a multinational trillion dollar corporation or a hobbyist in Nebraska, the onus is on you to fix it. Not the security researcher. Their job is done once it's disclosed.

On the other hand, if I'm a hobbyist, I have 0 obligations to do or fix anything I've made open source. Patches are welcome ofcourse.


As long as you disclose that right-front on your value statement, yeah, you don't have any other obligation.


Is there an open source license that doesn't?


It is right in the license.


That's not what these licenses have come to mean. They're a way to reduce the risk that you'll get sued,

but not any "I don't give a fuck" statement.

You could add "I don't care about fixing security vulnerabilities" somewhere in the beginning of the readme, if you're developing security related OSS software? That'd be more clear.

Maybe the WTFPL actually a little bit indicates that the developers maybe don't give a fuck, though: https://en.wikipedia.org/wiki/WTFPL ?


That sounds a little like having your cake and eating it too. 'Giving a fuck' is not really a boolean value but more of a broad spectrum.

Of course, anyone who writes any software cared a little bit about it at one point, or they wouldn't have written it. But warranty is about whether they care enough to cater specifically to you when you have a problem in the future.

Maybe many of these projects do care enough to give general updates to the community as a whole on a best effort basis, but that's a lower level of assurance and more voluntary than what you'd get in a legal warranty.


>You could add "I don't care about fixing security vulnerabilities" somewhere in the beginning of the readme

I care about fixing security vulnerabilities in my OS projects, but I care more about my sanity, my family, getting enough money to survive, and a few other things. Unless you pay me I don't care about your problems with my free (as in a beer) software.

And that's a good thing btw - I tried to ask for donations once, got the equivalent of a few cups of coffee per month, and... burned out almost immediately. I started to feel responsible for that project, staying up late to fix reported minor bugs, and it turns out watching Github issues 365 days a year for a few dollars monthly is not a great business strategy.


This is not a one-person project ran by someone in their spare time, posted online for fun.

They are going out of their way to advertise so that people use their security-critical software in security-critical applications, and then they neglect the security.

While they aren't under any legal obligation, it's (in my worldview at least) pretty damn unethical.

All they would have to do to not be unethical is make it clear that this software should not be used in any security-critical application because it is not properly/frequently maintained. Put that in a header on the website.


The license is not your value statement.


Nobody has an obligation to even do that outside of a contractual relationship, though it would be polite.


And you also shouldn't expect anyone to use your software. Which of course is up to you.


>I have 0 obligations to do or fix anything I've made open source.

While technically true, this seems pretty scummy when you're advertising security software for real people and companies to use as their identity management.

Nowhere on the Keycloak home page does it say "just a hobby project" or anything that would remotely indicate that it is not a serious project and that you shouldn't use the software.

Instead, it seems like they are trying very hard to be taken seriously as an identity management product.


> Nowhere on the Keycloak home page does it say "just a hobby project" or anything that would remotely indicate that it is not a serious project and that you shouldn't use the software.

https://github.com/keycloak/keycloak/blob/main/LICENSE.txt#L...

Indeed

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.


Point 7 buried in the license document of the github repository is very much not https://www.keycloak.org/


Is this the first time you heard of open source licenses or something? This is standard boilerplate, and it's hilarious to think you get to ask for more from a project you're not even contributing to.


I'm not asking for more. I'm saying I think it is scummy to do the bare minimum when you're advertising yourself as a critical piece of security software and encouraging the use of the software in real security-critical applications.


They are literally explicitly stating that the software does not claim to be fit for purpose.

You can’t have it both ways.


They are advertising on their website, extremely prominently, that they are fit for your all of identity management needs.

Are they allowed to put a single paragraph in their license file that runs counter to all of their other marketing, advertising, and communication efforts? For sure!

Is it shitty to do that? I think so. Just be upfront, it's not hard. If your software isn't fit for security-critical applications, don't pretend it is.


I suppose it's best if you never use any open source software ever again because they all do that. Like I said, it's standard boilerplate and it's absurd to think you get to wish for more from an open source project that you aren't contributing to.

Of course this boilerplate is necessary else you get people like yourself demanding unreasonable things.


I'm not demanding anything, please stop reading my comments in the most uncharitable way you possibly can.

I'm not sure what has you in super-defense mode, but just as they are allowed to misrepresent themselves on their website, I'm allowed to think that it's shitty to do so. However, as I've said already (a few times, actually), they are more than free to continue doing so (and I'm more than free to keep saying it's shitty).

>[...] because they all do that.

No, they don't all do that.


The point is they're not misrepresenting anything, you just don't seem to understand open source. Literally all of them have the same disclaimer, and obviously they're not going to make any guarantees to randos who haven't even paid them. If this is a problem for you, stop using open source. For a start, say byebye to linux.

As for why I'm "on the defensive", bashing open source projects is bad form. You're absolutely welcome to request a refund, though.


>and obviously they're not going to make any guarantees to randos

This is what I mean by purposefully misreading my comments. I have never once said or asked for this. You are arguing in bad faith.


You literally started by calling them scummy. That is an implicit demand for change.


Customers have been refunded in full.


Red hat consumers have been refunded? Where?


As per the terms here: https://www.keycloak.org/pricing


The point is that red hat also sells keycloak and develops it. I agree that most users don't pay, but your point is a bit weird considering that some people do actually pay/paid for its development and still do not get a refund


So what gives you a right to download and use the software in the first place? The copyright law forbids that by default. What permission other than the license do you have?


I'm not sure what point you are trying to make but thankfully, given that they obviously can't be trusted to maintain security-critical software (despite what they imply on their website and marketing material), I haven't downloaded or used it or recommended it anywhere while consulting.


You really feel that anything that is not directly on the home page does not matter? A link to a separate document explicitly named as containing the conditions of license, warranty and such should not count?

Seems like an absurd view to me.

For all that I think RedHat is not a poor hobbyist and morally at fault. It's just a different matter altogether. The terms under which the software is provided are clearly spelled and in public view. You're just inventing a reason to disregard them.


>You really feel that anything that is not directly on the home page does not matter?

No, that's not what I said.

When it comes to software like this (one of the most important components of your security architecture), hiding the fact that you wont fix vulnerabilities unless you feel like it halfway down in your legalese-filled license is unethical.

I think it's absurd that people are defending this position. We're not talking about a weather app made by Joe Somebody for a weekend project.


The Linux kernel, probably one of the most critically important pieces of software nowadays, is licenced mainly under the GPL version 2.0[0], and other compatible licenses, and provides a section and 2 paragraphs on how there is no warranty for those who decide to use it.

"""

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

"""

No Linux kernel engineer is obliged to fix any bugs, even security vulnerabilities, if one decides to, but since there's so much at stake, kernel engineers will end up fixing at their own timeframes, as they see fit.

[0] https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html


My complaint was not about the license, it was about how the product represents itself.

Linux.org is a much different website than keycloak.org in the way they represent themselves, how they communicate the product, etc.


> Point 7 buried in the license document of the github repository is very much not https://www.keycloak.org/

Not a single word in this comment refers to "software like this (one of the most important components of your security architecture)". I guess you realized the absurdity of your position and moved the goalposts to something else.


What?

Can you explain where you think I set goalposts, and how you think I moved them? Because I am not following.


Then you should never work on software with security implications, or if you do you should keep it to yourself. I’m a terrible party host, so I don’t host parties. I help other people do so when I can.


The post only have a few highlights. The Posix specs are only for paying IEEE customers though, but https://pubs.opengroup.org/onlinepubs/9799919799/ mentions it.


That is the POSIX spec, no?

It's at: https://pubs.opengroup.org/onlinepubs/9799919799/utilities/V...

(no permalink, search for "pipefail")


Yes, pretty much.


Historically 99 years was the longest term for leases in English laws. I don't think that's incorporated in laws any more, but it has just continued as common practice.


You may be right historically, but I don't think it's common practice any more - there are quite a few "virtual freehold" leases of 999 years, and most other domestic leaseholds are 125+ years when they start. When a leashold goes below 90 years its value dips sharply.


> This needs more explanation, does this mean the captain refused? Or Russian port authorities refused? Or they just... chose to limp in a particular direction?

The ship ran aground between Norway and Russia, seeked emergency shelter in Tromsø. The ship has damanges on it propellors and rudder. It anchored up near Tromsø for while until the port authorities and governments told the ship to leave due to security concern. Basically the ship stayed outside a small populated island, and it was determined the island would be blown flat if something happened.

The Norwegian government are likely extra nerveous about this, just a small amount of the same stuff was used to blow up the government quarter in Oslo in the terrorist attack by Anders Brevik.

Presumably the ship tried to get to another port elsehwhere, but got into more mechanical trouble.


The place "near" Tromsø where it anchored is in the middle of the city now.

For this who don't know the place: the city is on an island, facing the mainland. There's a suburb on the mainland, connected to the city with a bridge and a tunnel. The ship anchored between the bridge and the tunnel.


Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: