On Thu, Nov 13, 2025, 18:24 Elliotte Rusty Harold <[email protected]> wrote:
> On Thu, Nov 13, 2025 at 4:54 PM Phil Steitz <[email protected]> wrote:
> >
> > The problem with that is who is authorized to "turn it off." And in a lot
> > of cases with deep nesting it really is not practical to analyze in detail
> > whether a vuln is actually a risk, *and to ensure it does not become one.*
> > For that reason, a lot of our users don't have the choice to ignore these
> > things.
>
> Really? What happens if they ignore them? The sky turns blue? A dog
> barks in the night time? Elon Musk posts something stupid on Twitter?
>
> I don't believe open source maintainers are responsible for fixing or
> working around the broken development processes of large corporations
> that aren't paying for that work.
>
> Static analysis does sometimes find real issues, but most static
> analyzers mostly report non-issues most of the time. Worse yet, they
> compete with each other to see who reports the most non-issues. It's
> just not reasonable to expect warning free builds.
>

I agree and experience the pain of corporate static and dynamic analysis tools all the time. I call this "management by checkbox".

Releasing a Lang 2.x would effectively say, IMO, that 14 year old software is not EOL. I don't think that's a door we want to open. This will encourage "security researchers" to open more bugs on 14 year old or effectively EOL components.

Gary

> --
> Elliotte Rusty Harold
> [email protected]
