This is timely considering google's announcement to dump indexing of flash (swf) assets. I get it, the format is unused, buggy, and possibly insecure. That said, much of the nascent internet was built on that. Even "All Your Base" was originally in flash.

On the plus side, a lot of the non-interactive Flash content is now on YouTube. I was going through old Weebls Stuff animations the other day, it was a real blast from the past.

I'm hoping that the AGPL has or will curb some of this lock in, though I suspect that the people with the funding to run SaaS at scale will route around AGPL.

I’ve been ruminating on this problem for a decade or more and my belief is it’s not the licensing that’s the problem, it’s the infrastructure.

In the old world of tarballs, you could throw a file on an ftp server and someone could take an afternoon, mess with the paths and the make and make install and all that, and have your thing up and running. And mostly keep using it without fuss.

With web services you just can’t. You minimum need security patches applies, and in truth, you need the original author to be able to keep refactoring and updating the service architecture.

We don’t have infrastructure that can facilitate that. That’s the real problem, not licensing.

You can put a Heroku buildpack or whatever in your repo. That gets us pretty close to one-click deploy, and almost automatic security patching. But Heroku will penalize us with a 30 delay for being non-profit, when we access the service, which is pretty much a deal breaker. Even if I am paying them a hundred dollars a month (and I am) they will still pause for 30 seconds every time I access one of my cold “free” services.

If there was a hosting solution, even if it involved users paying a monthly fee, but it solved this issue of shared maintenance of open source services, it would usher in a new golden age of free software.

Ostensibly Ethereum solves this problem, but we’ll see if the ergonomics get where they need to be. It would be nice to be able to do this in a trustless way, although I don’t think that’s necessary for a MVP.

It's even easier to avoid AGPL than that - there is approximately 0 software of any value licensed only in AGPL.

Genuinely curious. Do they keep having security issues like this because they've got a huge target drawn on them, or are they just genuinely bad at security?

I have not been able to trust them since I had to install security updates for PDF or Shockwave nearly weekly.