From: arne@vajhoej.dk   
      
   On 2/15/2026 2:23 PM, John Dallman wrote:   
   > The rule I work to is that if a system is always air-gapped and cannot   
   > communicate with any other computer, even via exchangeable media (floppy   
   > drives, USB sticks, etc), then it can be frozen. Anything else needs   
   > security updates, and if there's software in the stack that does not get   
   > security updates, it has to go.   
      
   Curious.   
      
   Where do you make the cut?   
      
   Example list:   
      
   commercial vendor where you directly pay for support   
   commercial vendor with product supported   
   open source with multiple maintainers and recent releases   
   open source with single maintainer but recent releases   
   open source with single maintainer and no recent releases   
   open source declared EOL by author but source still available   
   commercial vendor with product not supported   
   commercial vendor no longer existing   
      
   And it does not matter what it is and how it is used?   
      
   If we are talking a classic 80's or 90's VMS Basic or   
   Cobol application, then it is sort of easy.   
      
   But if we are talking something recently developed, then   
   there is a good chance that with transitive dependencies   
   you will have 1000-5000 open source libraries included   
   in the solution.   
      
   And then it can become a little harder.   
      
   Let us say that Felix Boehm decided not to maintain   
   this little code gem:   
      
   https://github.com/fb55/boolbase/blob/master/index.js   
      
   Would you worry?   
      
   And before something thinks that it is a joke, then according   
   to public statistics https://www.npmjs.com/package/boolbase   
   then it is downloaded 37 millions times per week (for   
   npm "builds").   
      
   Arne   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)