
Well, besides software that runs in data centers/cloud, most other software is turning to crap. And people who think this crap is fine have now reached positions of responsibility at a lot of companies. So things would only get worse from here.


Except community-developed open source software, which (slowly, perhaps) keeps getting better and has high resistance to enshittification.


The OSS that keeps getting "better" is one that accepts a lot of user feature requests and/or implementation. Else maintainers are hostile to users. And when they do accept most of those requests and code we all know how it goes.


Tell that to the people who run gimp development. Open source doesn’t protect from bad decisions and bad directions.


Gimp has generally been getting better and more capable for free, and hasn't launched any cloud-based subscription services, feature gates, ad-funded functionality or done price hikes like almost every one of its commercial competitors.

There's also Krita, which artists love.

That this comment keeps oscillating between upvoted and downvoted (with significant spikes in both directions) is an interesting insight into the span of opinions on HN between the hustler types who hate the idea of software that doesn't turn a quick buck, and the crafters :-)


This right here is moving me back to GrapheneOS and Linux. I was lucky enough to be able to uninstall Liquid glAss before the embargo. I will miss the power efficiency of my M1, but the trade-off keeps looking better and better.

Being poor, I need to sell my MacBook to get money to pay off my 16e, then sell the 16e and use that money to buy a Pixel 9, then probably buy a Thinkpad Carbon X1. Just saying all that to show you the lengths I am going through to boycott/battle the enshittification.


If you already have an M1 MacBook, why not run Asahi Linux?


Is it functional yet? Last I looked at it was about a year ago. Do you have any real use experience of it?


Look higher up in the thread, someone did a full breakdown.


Remember log4j? I don't share your enthusiasm.

At least it's open source and free I guess.


What is your point even? That open source has bugs? The closed source does not have such bugs?


You won't have that bug if the logger isn't trying to talk to some ldap server.

It's not even about open source or closed source at this point. It's about feature creep.


It's not talking to an LDAP server, it's the functionality for talking to an LDAP server that is causing the issue. Even if you don't need LDAP you're still vulnerable when a client can inject information in a log message.


Why is this functionality needed in the first place? I want to write a log, some kind of string, into some kind of files, with rotation, maybe even send it somewhere that expects logs.

Why parse whatever is in the logs, at all?

Imagine the same stuff in your SSH client, it would parse the content before sending it over because a functionality requires it to talk to some server somewhere, it's insanity.


Log4j contains a very big collection of extensions for just about anything including inserting data from various sources. Of course it's overkill for lots of situations, but nobody ever uses all functionality. It's just that nobody can agree on which functionality is useless ;)


Indeed a software used by thousands of commercial products and millions of enterprise applications with ZERO dollar support from either must be maintained at perfect, bug free level by lazy volunteers. Because internet demands it.


Would it even be possible to create today's software ecosystems by mandating all libraries are maintained and supported to the strictest standards?

That would be the end of open source, hobbyists and startup companies because you'd have to pay up just to have a basic C library (or hope some companies would have reasonable licensing and support fees).

Remember one of the first GNU projects was GCC because a compiler was an expensive, optional piece of software on the UNIX systems in those days.


That would be the end of the software industry. No company outside of aerospace and medical devices is capable of delivering this and I even have my doubts about those two, though at least they are trying.


Wow.


That was a bug, not at all the same thing as enshittification.


It was enshittification. A logging framework that looks up LDAP servers? Why?

Adding extra features that aren't necessarily needed is enshittification, and very not-unix.


It's not really added functionality, more unintended consequences of too much flexibility. Java contains JNDI (Java naming & directory interface), a very unified 'directory' system for all kinds of configuration of which LDAP is just one of the backend implementation options. The key issue is you can call into other objects which is unwise to do when used with untrusted user input.


> The key issue is you can call into other objects which is unwise to do when used with untrusted user input.

This, and while in this case it is specifically unwise on security terms, there are plenty of other examples where the features are completely cosmetic and deviate from the core user requirements/scenario.
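
The design issue discussed in the log4j sub-thread above (a logger that expands lookups found in the logged data itself), shown as an added example that is not part of any comment and is not Log4j's code. It is a toy Python model: the `${prefix:key}` syntax, the `remote` prefix and all names are assumptions, and the stand-in backend performs no I/O.

```python
import re

# Toy lookup syntax "${prefix:key}" (an assumption for this model).
LOOKUP = re.compile(r"\$\{(\w+):([^${}]*)\}")


class Lookups:
    """Toy lookup registry. 'remote' stands in for a directory-style backend:
    it does no I/O and only records which keys it was asked to resolve."""

    def __init__(self, env):
        self.env = env
        self.remote_calls = []

    def resolve(self, match):
        prefix, key = match.group(1), match.group(2)
        if prefix == "env":
            return self.env.get(key, "")
        if prefix == "remote":
            self.remote_calls.append(key)  # a real backend would be contacted here
            return "<remote object>"
        return match.group(0)  # unknown prefix: leave the text untouched


def log_expanding_message(lookups, pattern, user_data):
    """Flawed design: merge the data into the line, then expand the whole line.
    Lookup syntax supplied by a client is interpreted like configuration."""
    line = pattern.replace("%m", user_data)
    return LOOKUP.sub(lookups.resolve, line)


def log_inert_message(lookups, pattern, user_data):
    """Corrected design: expand only the operator-written pattern and insert
    the logged data verbatim, so it is never parsed."""
    head, sep, tail = pattern.partition("%m")
    expanded_head = LOOKUP.sub(lookups.resolve, head)
    expanded_tail = LOOKUP.sub(lookups.resolve, tail)
    return expanded_head + (user_data if sep else "") + expanded_tail


def demo():
    pattern = "${env:APP} login failed for %m"  # written by the operator
    user_data = "${remote:client-chosen-name}"  # constructed client input
    flawed, fixed = Lookups({"APP": "shop"}), Lookups({"APP": "shop"})
    return (log_expanding_message(flawed, pattern, user_data), flawed.remote_calls,
            log_inert_message(fixed, pattern, user_data), fixed.remote_calls)


if __name__ == "__main__":
    print(demo())
```

In the flawed variant the backend is invoked with a key chosen by the client even though the operator's pattern never references it; in the corrected variant the same input is written to the log as plain text.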



