Unpopular Take: Software “End of Life” is Bullshit. Stop it.

Putting an expiration date on SOFTWARE is one of the most insidious, and stupid, things the tech world has imposed on us.

They’ve sold us the idea it has to do with security. Let’s be honest — it’s not that. It’s about money.

For-profit software companies want you to buy their products over and over again. It’s why Microsoft comes out with a new versions of the same shit every couple of years.

Corporate IT departments have to justify their budgets, and their jobs. If they don’t spend it on something, their budget will get cut. And a company-wide “migration” to the latest version of (whatever) will keep the staff plenty busy.

Independent IT guys have to generate work somehow, and “important updates” are a great excuse for them to sell you a monthly “managed services” plan.

Even the open source community is in on the racket. Your version of Debian reached end-of-life? No problem, just contact sales@freexian.com and start paying for “extended long term support”.

To understand how we got here, you have to recall a little history.

When I was a kid, we bought software by going to a STORE — you know, a physical place you would walk into, look at shelves full of products, pick the software you want, take it to a checkout stand, and buy it. You’d go home and open the pretty box. Inside was a manual and one or more discs (at first floppies, later CDs). You would install the software into your computer. You’d run it, it worked. And it would just… keep working. Forever.

This was obviously a bad business model for the software companies. Once you’ve bought WordPerfect and it’s, well, perfect… you don’t need to ever buy it again.

The software companies realized this early on and tried various approaches to keep sales flowing. Some did it by convincing users to buy new and improved versions that were objectively better. Some did it by conning users into buying “new and improved” versions that we’re really just the same old shit with a slight facelift. Some played games with deliberate backwards-incompatibilities, changing file formats, or other means of pressuring uninterested users into updating. Still others went the way of the subscription model, which is a whole other discussion, except to say that subscriptions really helped accelerate the idea that frequent updates were somehow a good thing.

(You could have the most perfectly crafted app, written 10 years ago, that still works perfectly and has never needed a single update; and on the other hand, a shitty app some random developer released yesterday but that’s updated every 5 minutes, and the latter app would be perceived as the better one because it’s “actively maintained”. Such bullshit. But I digress.)

No matter how much they convince, coerce, or force users to buy newer and newer software, there are still people who resist. That’s when some marketing genius or evil salesperson somewhere — who knows — came up with the brilliant idea, “why don’t we just put an expiration date on it?” We’ll pull some arbitrary date out of our asses and call it “end of life” — after that date the software is to be tossed out, just like milk past it’s “use by” date.

Of course there is no rational basis to throw out perfectly good, working software at any date, so they had to come up with a cover story, and that’s where the “security” excuse comes in. Software does not magically become insecure just because an arbitrary date has passed, but they have succeeded in scaring the general public that it does. People by and large are much more susceptible to scare tactics and fear mongering than rationality, but again I digress.

The “old software is insecure” scare has taken hold so thoroughly that you now have compliance people, insurance people, auditors, and the like — WHO KNOW NOTHING OF THE ACTUAL TECHNOLOGY IN QUESTION — issuing reports, making rules, and enforcing made-up requirements to eliminate “outdated” software.

Is it possible that your favorite software that went “end-of-life” yesterday could have a devastating vulnerability discovered tomorrow? Yes, it’s technically possible. It’s also possible all life on Earth could be wiped out by a giant meteor impact tomorrow.

I understand the need to mitigate risks, I really do. But instead of worrying about ridiculous possibilities, how about focusing on what’s most probable — and it’s much more probable there’s a vulnerability in new, relatively-less tested software. The odds are you’re not going to get hacked via an open source package that hasn’t needed an update in 10 years — if there were a vulnerability, it would have been found by now. As time goes along, the probability of any such vulnerability actually existing becomes less and less. OLD AND STABLE is safer than NEW AND UNKNOWN every day.

I also understand how the “important security updates” line is abused. I myself abuse it (sorry!) in my business selling subscription-based software. In that capacity I want people to keep renewing their subscriptions — obviously — so I repeat the same line as everybody else: “if you don’t keep your subscription current, you’ll lose access to important security updates and thereby put your system at risk!” It’s bullshit, I know it’s bullshit, but it works! I know that 99.9% of the updates I put out have nothing to do whatsoever with security. I’ve literally put out updates that we’re nothing more than changing some indentation in the source code — white space(!) — just to register an “update” and keep my otherwise good, stable software “actively maintained”. It’s a farce, and yet everyone does it.

However in my private capacity, as a user, all I want to do is keep using the software I already have that works! I’m an extremely busy guy. I have neither the time nor the interest to update my OS, my software, my packages, my libraries, or my anything, just for the heck of it. I don’t want to spend my weekend troubleshooting why nothing works after updating from v4.5 to v4.6 because of some crucial but undocumented setting buried in a config file somewhere. I don’t want to read a “v2.x to v3.x migration guide” every other week. My system is working fine, leave me the fuck alone.

I’m not saying I never update anything, but there has to be a real reason. If a real security vulnerability is discovered (like another Heartbleed) I absolutely take it seriously. But, if we’re being honest, that kind of stuff doesn’t happen too often.

So please, let’s just stop with the “end of life” bullshit. Software does not “expire”. The for-profit guys are gonna keep doing what they need to do to make money, but for fucks sake at least the open source guys could drop the EoL nonsense (I’m looking at you Debian — I don’t care if you stop releasing updates for version X, but at least stop deleting version X’s packages from the repo!)

Leave a Reply

Your email address will not be published. Required fields are marked *