My (least) favorite instance of this is in the response to the Log4j vulnerability. Evidently some companies tasked people with ensuring that "all of their suppliers" had patched the issue and were in compliance. This led to random open source projects, many of which could not possibly be vulnerable, being inundated with form letters demanding that the project meet ABC Corp's new security requirements. Most maintainers told them to kick dirt, but it was truly bizarre seeing people think they were in any position to make demands over a project that they aren't paying for.


Makes me wonder who the hell is in a position to write such a letter, and how the hell they got to that position obviously being clueless about security and their relationship with open-source projects like that.


Plenty of people in the world simply comply with handed down corporate directives rather than start discussions internally.

Often it's scenarios like: their unqualified boss, who is the CEO's uncle's son, may throw a fit that somebody is challenging them.

Or there's some checklist nazis in charge.
