frontpage.
newsnewestaskshowjobs

Open Source @Github

fp.

Open in hackernews

OpenEoX to Standardize End-of-Life (EOL) and End-of-Support (EOS) Information

https://openeox.org/
31•feldrim•1y ago

Comments

feldrim•1y ago
An SBOM-like approach to EOL/EOS issues is on the way.
rollcat•1y ago
I think the only large projects that presently take SBOMs seriously are Nix, Guix, and Go (non-cgo). Bootstrapping is non-trivial, but at least builds are reproducible and can be compared against existing binaries.

"Oh, just write plain C". Which compiler do you mean? GCC? LLVM/clang? On top of what OS/kernel? What firmware? Etc.

Arnavion•1y ago
Some distros packaging Rust software (OpenSUSE at least) also transparently set up CARGO=cargo-audit to get embedded SBOMs.
wallrat•1y ago
How does this relate to the OWASP/Ecma Common Lifecycle Enumeration Specification (https://tc54.org/cle/)?
wpollock•1y ago
In my experience, many software projects become abandoned and no notice is given. I don't see how this standard helps in such cases.
repelsteeltje•1y ago
I think it will take a while for people to realize this effort looked great, but wasn't the right approach. Or no silver bullet, at least.

The presentation with a simple diagram that combines this data with an sbom to yield "information" gives me navel gazing vibes of UML being the future of coding.

Just as architecture didn't equate to well designed and maintainable software, I fear this initiative won't fix horribly outdated and vulnerable deployments. Software life cycle, deprecation, abandonment, supply chains are mostly a process problem, standards and technology won't fix that.

Arnavion•1y ago
It doesn't force someone who already wasn't checking their dependencies for CVEs / maintained-ness to start doing that. It does make someone who *was* doing that be able to show they're doing that in some standard way.

In other words it doesn't force you to add an SBOM + EOX checker step to your CI pipeline. But if your compliance auditor wants you to check your dependencies, adding such a standardized step makes it easier to satisfy the auditor.

repelsteeltje•1y ago
I'm basing this mostly off first hand and anecdotal evidence - but through the years I've found that the major contribution of audits lies in having to think about the checkboxes every now and then. And what they mean in the context of my organization or project.

Rarely have I found that compliance to the goals was an issue in themselves. Or that making changes to tick a checkbox correlated to material improvements.

That is to say that if this leads to more efficiency and makes it easier for compliance audits and such, I fear is stream lining the least impactful part of its goals.

hiatus•1y ago
> Rarely have I found that compliance to the goals was an issue in themselves. Or that making changes to tick a checkbox correlated to material improvements.

I am confused when I hear people say stuff like this. I guess if you turn on a tool and never look at it again, it won't result in material improvements. But complying with regulations or a particular compliance regime should _absolutely_ result in at least _some_ material improvement to your security posture. Like you can implement segregation of duties just as a checkbox, or use the requirement to revisit the way you gate changes to production, as just one example.

T3OU-736•1y ago
Htm. So, how does this compare, and/or is different from https://endoflife.date?
Arnavion•1y ago
The standard is for software to report its own EOL / EOS status. The website you linked is the opposite direction - it's aggregating that status for a certain set of software.
T3OU-736•1y ago
Aha. Very good point. SW self-reporting requires buy-in, though, which seems like a pretty high barrier.

I am very much hoping the effort succeeds, but I am also mindful of the fact that the site to which I have linked is more successful by virtue of having better coverage.

captn3m0•1y ago
We (endoflife.date) are also excited about OpenEoX.
mud_dauber•1y ago
JEDEC has long maintained an EOL/EOS standard for semiconductors. This was a big part of a previous PM gig. Sounds boring, and it was. But having a process kept us out of serious hot water.
Hackbraten•1y ago
That EoX logo though.

Every organization or committee that designs a logo should be legally required to have at least one teenager on the board to prevent accidental goatse or other inadvertent blunders.

genter•1y ago
Goatse has been around long enough that the teenagers are now in their thirties.
repelsteeltje•1y ago
It depends on where you're coming from. Your code base, that is.

If it's already outstanding, you spend a lot of time revalidating what you already know and it's often a noisy process with many false positives.

If it's in a horrible state, however, the regulation often leaves a lot of wiggle room where you do some work to achieve, say, PCI compliance and then spend a lot of time arguing why this and that don't apply in your specific case.

So admitted, the is probably some improvement in the latter case but it's hardly proportional.

So IMHO, it doesn't help those of good will & expertise and does too little for the negligent. It adds noise and in the end quality still depends on factors other than compliance and certification.

What Do We Know About the Microplastics Inside Us?

https://e360.yale.edu/features/cassandra-rauert-interview
117•speckx•2h ago•45 comments

Chatto is now Open Source

https://www.hmans.dev/blog/chatto-is-open-source
455•speckx•4h ago•123 comments

SWE-1.7 Reach Near GPT 5.5 and Opus Intelligence

https://cognition.com/blog/swe-1-7
173•mekpro•3h ago•96 comments

Show HN: Microsoft releases Flint, a visualization language for AI agents

https://microsoft.github.io/flint-chart/#/
91•chenglong-hn•2h ago•33 comments

Mistral's Robostral Navigate: a state of the art robotics navigation model

https://mistral.ai/news/robostral-navigate/
325•ottomengis•5h ago•77 comments

Decoding the obfuscated bash script on a Uniqlo t-shirt

https://tris.sherliker.net/blog/obfuscated-self-evaluating-bash-script-by-cdn-akamai-being-suppli...
1147•speerer•11h ago•189 comments

GPT‑Live

https://openai.com/index/introducing-gpt-live/
411•logickkk1•2h ago•276 comments

A bug which affected only left handed users

https://shkspr.mobi/blog/2026/07/a-bug-which-only-affected-left-handed-users/
17•sixhobbits•6h ago•5 comments

OpenMandriva: Statement regarding attempted distribution sabotage

https://forum.openmandriva.org/t/statement-regarding-attempted-distribution-sabotage/8997
18•workethics•1h ago•4 comments

Cloudflare Meerkat - Globally distributed consensus

https://blog.cloudflare.com/meerkat-introduction/
171•bobnamob•6h ago•37 comments

EU now one step away from reviving private message scanning rules

https://cyberinsider.com/eu-now-one-step-away-from-reviving-private-message-scanning-rules/
205•ggirelli•3h ago•81 comments

Grok 4.5

https://x.ai/news/grok-4-5
273•BoumTAC•2h ago•186 comments

OpenBSD has a use-after-free allowing local privilege escalation to root

https://nvd.nist.gov/vuln/detail/cve-2026-57589
206•linggen•6h ago•95 comments

I Built a Telegram Client for Pi

https://www.npmjs.com/package/@atharva-again/pi-tg
14•atharva-again•2d ago•6 comments

Understanding B-Tree Indexes in PostgreSQL: A Comprehensive Guide– Part 1

https://medium.com/@devli0/b-tree-indexes-in-postgresql-part-1-theory-eb2668c52520
18•corvus-cornix•3d ago•0 comments

Show HN: Agent Draw: An agent draws while you talk, built on TLDraw

https://techstackups.com/articles/tldraw-agent-draw/
11•jameswhitford•2d ago•0 comments

GitLost: We Tricked GitHub's AI Agent into Leaking Private Repos

https://noma.security/blog/gitlost-how-we-tricked-githubs-ai-agent-into-leaking-private-repos/
472•ColinEberhardt•14h ago•180 comments

TypeScript 7

https://devblogs.microsoft.com/typescript/announcing-typescript-7-0/
270•DanRosenwasser•3h ago•93 comments

Show HN: Follow London Trains in 3D

https://ride.nexttrain.london/
106•mgranados•4d ago•46 comments

TabFont – guitar tabs rendered as you type

https://philatype.com/tabfont/
57•ChrisArchitect•3d ago•16 comments

EVE Online's Carbon engine is now open source: Fenris Creations explains why

https://www.gamesindustry.biz/eve-onlines-carbon-engine-is-now-open-source-fenris-creations-expla...
343•Stevvo•4d ago•119 comments

PlayStation can delete all your digital games after 3 years of inactivity (EU)

https://www.flatpanelshd.com/news.php?subaction=showfull&id=1783340582
105•thewebguyd•2h ago•47 comments

Apple to increase spend with Broadcom to produce billions more U.S. chips

https://www.apple.com/newsroom/2026/07/apple-to-increase-spend-with-broadcom-to-produce-billions-...
264•soheilpro•8h ago•215 comments

Japan's Hayabusa2 probe to conduct flyby of Torifune asteroid

https://www3.nhk.or.jp/nhkworld/en/news/20260705_01/
151•dvh•3d ago•17 comments

How to Build a Minimal ZFS NAS Without Synology, QNAP, TrueNAS (2024)

https://neil.computer/notes/how-to-setup-minimal-zfs-nas-without-truenas/
322•4diii•16h ago•217 comments

NoiseLang: Where N = 5 is a Dirac delta

https://manualmeida.dev/articles/noiselang/
98•manucorporat•2d ago•47 comments

Tenda firmware (multiple versions) contains hidden authentication backdoor

https://kb.cert.org/vuls/id/213560
334•miniBill•19h ago•114 comments

Geosql: A Claude/Codex skill for geospatial data

https://github.com/dekart-xyz/geosql
114•rzk•11h ago•13 comments

Structure and Interpretation of Computer Programs Video Lectures (1986)

https://ocw.mit.edu/courses/6-001-structure-and-interpretation-of-computer-programs-spring-2005/v...
338•gjvc•20h ago•44 comments

Catastrophe theory; geniuses and maniacs (2011)

http://glassbottomblog.blogspot.com/2011/01/catastrophe-theory-geniuses-and-maniacs.html
22•mbustamanter•3d ago•1 comments