Hacker News new | past | comments | ask | show | jobs | submit login

Reading about Keycloak and how long it is taking to patch critical vulnerabilities, I wonder is CNCF becoming how Apache was - where abandoned open source software goes to die.



Last I checked, Keycloak has increased in activity since joining CNCF...

https://keycloak.devstats.cncf.io/d/1/activity-repository-gr...

CNCF has probably 20x the funding of the ASF and is a different organization that spends millions of dollars on security audits, events and more, you can read about it in our annual report: https://www.cncf.io/reports/cncf-annual-report-2023/

Also we actively remove/prune projects that aren't active... we will probably archive ~10 this year https://www.cncf.io/project-metrics/


I think that CNCF has better handle on abandonware, plus really good observably. https://devstats.cncf.io/


I think being a CNCF project is better than not being one. It gives it more visibility and structure and thus is less likely to be abandoned.

But sure, unfortunately if not enough different companies and individiuals are maintaining stuff it gets abandoned.


Hopefully the Keycloak thing will spur more competition. I looked at some alternatives and settled on Keycloak because it was "obviously" the mature and hardened solution.

Well, clearly not.


I've replaced keycloak with https://goauthentik.io/ 2 years on, no complaints


Zitadel is worth a look, we're replacing Keycloak with it currently.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: