back to article Google's big security cert log overhaul broke Android apps. Now it's hit undo

Google this week reversed an overhaul of one of its security-related file formats after the transition broke Android apps. In November, 2021, Google announced changes to the format of its Chrome Certificate Transparency log list file and, in August, 2022, notified developers whose apps might be affected that it would stop …

  1. VoiceOfTruth Silver badge

    So, a bunch of devs

    Either did not see or ignored or put on the back burner something which affected them, even after some prompting. I wonder if these are the same sort of devs who leave security holes in their applications unpatched.

  2. Anonymous Coward
    Anonymous Coward

    What about old software

    Does this mean that all old software that is otherwise perfectly fine, but no longer maintained will stop working?

    I'm sure there are many out there who stick with an older version of an app due to later versions getting crap "improvements".

    1. Adam Azarchs

      Re: What about old software

      "bit rot" is real. Unmaintained components eventually stop working, either because (as in this case) some public API it relies on changes, or because it depends on some other library that makes a change (and it didn't constrain the versions for its dependencies properly, or honoring that constraint breaks something else), or because the underlying platform / standard library changes something, and so on and so forth.

      While it's certainly true that many end-user-facing "updates" are crap, that tends to be less true for the library components from which that software is assembled. Yeah, you need to test updates (just like any other kind of change) but taking but fixes as they come in is pretty essential. Waiting until you're forced to update some dependency probably means accepting a jump of several versions at once, which makes it harder to track down the problem when something inevitably breaks. And it shouldn't be much work, if you have a proper automated test suite set up. Dependabot (or renovate or any one of a number of other automated tools) opens a PR, you wait for the tests to pass and then you hit the merge button. Easy. But smaller app makers might not have invested in that kind of automated test infrastructure. Writing tests just doesn't feel like it's getting you closer to launching your product (even if basically everyone who's studied it agrees that time spent writing tests pays for itself very quickly...)

      1. Anonymous Coward
        Anonymous Coward

        Re: What about old software

        "crap improvements' are games adding tokens and hearts and bollocks you can buy with real money.

        "crap improvements" are the useful utility suddenly deciding to switch to garish colours, or decide to switch to a subscription model even though you paid for the original.

        Another "crap improvement" involves the scrabble game my elderly mother plays which decided to reduce the size of the letters to a size she can't see, and insist on her logging in despite her already paying to remove adverts, and the fact she only ever plays the computer.

        saying "bit rot is real" is making the assumption that everything needs to be somehow updated and online. Why the hell can't she play her old game, on her old tablet, which she paid for, and with no internet access required?

        There is tried and tested software running on mainframes etc. that has been stable for decades, but these days, everyone wants to change things all the time, usually because their low quality code is full of bugs, or for the next shiny-shiny.

        What happened to proper testing, and proper thought out design?

        Why does MS have a new version of a word processor or spreadsheet program every year? You must be younger than 40. You don't know a time where developers weren't amateurs or cowboys!

      2. Michael Wojcik Silver badge

        Re: What about old software

        Live by third-party components, die by third-party components.

        Now that a great deal of software development has moved to just composing things out of huge numbers of third-party components of uncertain provenance, quality, and maintenance, stories like this one will quickly become so commonplace that they won't be newsworthy. It will just be software breaking all the time.

        You might have thought something as ridiculous as the left-pad debacle would have woken ISVs up about the dangers of letting their devs just pull in thousands of dependencies from package repositories, but no. Short-term economic incentives dominate the market.

    2. Paul Hovnanian Silver badge

      Re: What about old software

      "all old software"

      Not if it encapsulates its data properly in an OO sense. But if you interoperate with external data feeds and they jump to the next rev, you had better as well. Or hope that the designers of the new version saw fit to provide utilities that trsnslate between new and old.

  3. Dante Alighieri

    Single FOSS developer for a critical library

    Obligatory XKCD

    1. Will Godfrey Silver badge
      Thumb Up

      Re: Single FOSS developer for a critical library

      Ha! Exactly my first thought! Randal really does 'get' IT doesn't he.

  4. Anonymous Coward
    Anonymous Coward

    "The impact on our business is huge," said the person who owned a company that not only ignored the deprecation warnings, failed to apply the PR that was *right there* to fix in the library they were using.

    They didn't even have to do the dev work.. fork, apply PR, use that until mainline catches up. 10 minutes work - done it dozens of times.

    If they they didn't want to make any effort. That's on them.

  5. PRR Bronze badge

    Poor notification

    "...encourage maintainers to migrate to the v3 list before this date," .... But not everyone got the memo.

    I didn't see it in The Register, the only true source of true news. Therefore not my fault, this shudda been publicized louder.


  6. Kev99 Silver badge

    If v2 worked, why on earth was it deprecated and killed off? Change for the sake of change is a pissoir way to keep the script kiddies busy.

    1. DeathSquid

      The way Google performance reviews work is that you only get promoted for rolling out new stuff with metrics showing "impact". This incentivises breaking changes and forced upgrades.

      If you keep running software working well and diligently reduce tech debt, then layoffs for you!

  7. Tree

    Out with the Olde, in with the Niew

    DOS worked well with Lotus 132, but excel is a nightmare on windoze Eleven.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like