I see downvotes, but there is a difference between "our stuff has a bug" and "we're actively keeping this project alive, including updating binary downloads, even though we know it has endless CVEs, some of them years old."
One is an innocent problem. The other is willful negligence.
And we need to start suing for this sort of thing. We need fines for companies willingly causing harm.
rm will unapologetically delete files instead of using the "trash bin" semantics that many people are used to. Some would define that as "faulty", and it can certainly cause "harm" (a "rm fuckup" is almost a rite of passage).
You can find many such almost banal examples, ranging from well-known tools to some project a student uploaded on GitHub that sees basically 0 traffic. Opening up Open Office to a lawsuit also means opening up countless GitHub projects from 15-year-olds riddled with SQL injections and the like, but also things I put on my GitHub five years ago and don't really care about. Ignoring a PR would mean risking a lawsuit.
Plus, do we really want government involved in telling us what software we can and can't put on the internet? Because that's what this would mean.
"They should be sued for distributing outdated insecure software" is a fun one-liner, but the ramifications if it would actually happen are huge and almost entirely negative for the Open Source world.
I think you’d have to, at the very very least, specify an actual harm against you, and even then you’d likely be told immediately that they have no obligation to provide anything given there’s no support contract.
I think the reason you’re getting downvotes is that Apache is a non-profit foundation, not a for-profit company. So fining them isn’t going to do a lot of good (as well as being very unlikely to succeed).