Such unhinged takes are one of the reasons EU has fallen behind so much. Nobody is arguing for child labor. We are just fighting for the right to build startups without worrying about reading hundred-page regulation manuals and having to hire "compliance officers" before even turning a profit.
Yeah, regulation generally tries to do good but that is going to be little consolation when EU's economy will go broke because all products and services we consume are built in less-regulated territories (USA and China to be specific).
> We are just fighting for the right to build startups without worrying about reading hundred-page regulation manuals and having to hire "compliance officers" before even turning a profit.
Oh no. How are you going to build your new ChatGPT wrapper without selling user data to thousands of "privacy-preserving partners"?
GDPR (and a very small number of other applicable regulations) are somewhere between place 1000 and 1500 of things that hinder startups. And unless you are a complete moron those regulations will maybe apply to you when you reach 10 million+ users.
> GDPR [...] somewhere between place 1000 and 1500 of things that hinder startups.
No. GDPR was presented as a company ending regulation. You make a mistake - you are doomed. The fines are in revenue percentages. User data was said to be "toxic". You touch it, you better know what you are doing or else.
This kind of regulation has a strong chilling effect on the budding founder. Countless web-startups were never created because the most common monetization model (ads) became basically illegal (for European startups only, US/Chinese competitors kept enjoying full freedom).
> and a very small number of other applicable regulations
But it's not a small number. And regulations have a cumulative effect. See, startups are like distance running. You know it's a hard thing, but you believe you can try to do it. But then regulations are like potholes. You run around a few, but the more potholes to avoid the harder the run, until your main job turns from running to avoiding potholes. Then you simply say "why bother" and give up.
The more regulations you have, the more obstacles you put in front of startups, the fewer young people choose the entrepreneur path and decide to just get some bureaucratic job instead.
This is the tragedy we are living in the EU right now, in the clapping of bureaucrats who never built a product or service in their entire life and do not understand what those damn entrepreneurs are complaining about.
> No. GDPR was presented as a company ending regulation.
Bullshit
> You make a mistake - you are doomed. The fines are in revenue percentages.
Tell me you didn't even read a line of GDPR in the past 9 years or know anything about European regulations without telling me
> This kind of regulation has a strong chilling effect on the budding founder.
A moron who gets their advice from ads industry, sensationalist headlines and HN? Perhaps.
> But it's not a small number.
It is.
> The more regulations you have, the more obstacles you put in front of startups
GDPR is not an obstacle. It quite literally is "do not scrape user data and sell it to third parties without user consent".
> in the clapping of bureaucrats who never built a product or service in their entire life and do not understand what those damn entrepreneurs are complaining about.
Yeah, "entrepreneurs" complain about a lot, and then make a surprised pikachu face when they are told in no uncertain terms that no, sending precise geolocation data to third parties to store for 12 years is not okay: https://x.com/dmitriid/status/1817122117093056541
> Tell me you didn't even read a line of GDPR in the past 9 years or know anything about European regulations
As a matter of fact, I am the founder & owner of a small ISV (nothing ad, privacy, crypto or AI-related) in the Eastern EU. Everything I am telling about European regulations comes from dozens of years of direct, painful, personal experience.
(long time no reply due to hitting HN's rate limit)
> Everything I am telling about European regulations comes from dozens of years of direct, painful, personal experience.
Strange that you then spew absolute bullshit about GDPR.
> How about you?
I've worked in large multinational corporations (banking, streaming) that were "hit" with GDPR and spent several years making sure they are compliant. Not because GDPR is bad, but because no one really cared about the data collected, and where it ended up. [1]
Startups had it and have it easy since they can just not siphon all the data. Especially now, when you have all the tools to handle data properly. Hell, a decade ago you couldn't even get privacy-preserving analytics. Now you're drowning in them.
We're also preparing to launch a few (admittedly small scale) projects with friends, and what do you know? GDPR is the absolute last thing that even bothers us. You know why? We know what data to collect and for how long to store it, and we're not sending that data to thousands of "privacy-preserving partners".
"Company-destroying fines" boogeyman or whatever other "chilling effect" bullshit belongs in the mind of children and morons. Hell, I've seen banking regulators come, list issues, and give a deadline to fix them. Much less GDPR.
[1] That's not entirely true. Payment and payment-adjacent regulations are significantly more stringent than GDPR, so everything related to that was and is extremely serious. As anything related to things like "data of persons under state protection". It's never black and white.
However, in big companies, especially at the time, you would eventually end up with a lot of data duplicated across many systems, often barely connected. 10 years ago cleaning up that mess required companies to reverse engineer and document 10-15 years of bad/hasty/ad hoc decisions and assumptions. Surprisingly often that resulted in just retiring certain internal microservices wholesale (they just were no longer needed) and/or significantly reducing bandwidth and storage requirements in certain cases (because you no longer carry and store heavy duplicate objects around).
So the main opposition to GDPR came not from "poor chilled startups", but from companies like Facebook and Google who rely on 24/7 surveillance exclusively, ad industry, and large corporations who didn't want to deal with cleaning up internal messes.
This is a nightmare for security for companies that aren't big enough to pay the tax - which is most companies.
Every product, every fucking product, if it does anything, should have RBAC and SSO. These are the bare minimum. You want to hold off on SCIM for large customers, fine. Do that.
These are fair concerns, and I want to clarify what's included versus what's paid.
The confusion here is about two different types of SSO:
_Admin SSO (for managing Ory itself)_ - Ory is fundamentally an API. For self-hosted deployments, you control access however you want - through your infrastructure, reverse proxy, or using Ory Polis. This is not gated.
_Organizations SSO (for your end users)_ - This is the paid feature. It allows your B2B customers to bring their own identity provider. If you're building a SaaS product and BigCorp wants their employees to authenticate using Okta or Azure AD, Organizations handles that federation.
The distinction matters because maintaining integrations with enterprise IDPs is continuous work.
For example Google randomly changes their OIDC implementation on a Saturday evening. Someone needs to wake up and fix that. For products serving other businesses at scale, that operational burden is real.
Organizations is one of the few areas where we charge, specifically targeting the B2B SaaS use case. If you're self-hosting for internal use or building a consumer product, you don't need Organizations.
If you're selling to enterprises that require SSO, you're generating revenue to support the cost.
If every plan is not getting access to at least SSO / RBAC, you are contributing to a weaker security ecosystem that disproportionately impacts non-Enterprise organizations (most organizations).
Maintainers rarely understand or agree with the severity of a bug until an exploit beats them over the head publicly in a way they are unable to sweep under the rug.
On the other hand, reporters giving a CVE a 10 for a bug in an obscure configuration option that is disabled by default in most deployments is bit over the top. I've seen security issues being reported as world ending, being there for years, without anyone being able to make an exploit PoC.
No, publishing the vulnerability is the right thing to do for a secure world because anyone can find this stuff including nation states that weaponize it. This is a public service. Giving the dev a 90 day pre warn is a courtesy.
Expecting a reporter to fix your security vulnerabilities for you is entitlement.
If your reputation is harmed by your vulnerable software, then fix the bugs. They didn't create the hazard, they discovered it. You created it, and acting like you're entitled to the free labor of those that gave you the heads up is insane, and trying to extort them for their labor is even worse.
You don't get to decide that lmao. Telling everyone this project doesn't care about security if they ignore my CVE is obviously a demand and your traditions can not change that
> Telling everyone this project doesn't care about security
Google did nothing like this.
If people infer that a hypothetical project doesn't care about security because they didn't fix anything, then they're right. It's not Google's fault they're factually bad at security. Making someone look bad is not always a bad action.
Drawing attention to that decision by publicly reporting a bug is not a demand for what the decision will be. I could imagine malicious attention-getting but a bug report isn't it.
If merely publishing a bug they found, and doing nothing else, would qualify by your definition as "telling everyone this project doesn't care about security", then there is absolutely nothing wrong with doing that "telling".
If the FFmpeg team does not want people to file bug reports, then they should close their public issue tracker. This is not something that I decided but a choice that they made.
They can afford to pay more.