The dangers of using old stuff

I was reminded the other day of the dangers of using old software.  And by "old" I mean, "hasn't been updated in a couple of years".  So not really that old, just not new.

For my personal projects, I use the open-source version of a program called The Bug Genie.  It's a web-based bug issue tracker written in PHP.  I picked it mostly because it was easy to install on my hosting account (which didn't allow SSH access at the time) and sucked less than the alternatives I had tried.  It's actually not a bad program - a little confusing to administer, but has a decent feature set and UI.

The problem is that the last "official release" of the open-source version was in 2015.  In and of itself, this is not a problem - there are lots of super-useful programs out there that haven't been updated in far longer than that.  The problem is that this is a web application and the web, as an ecosystem, is not at all shy about breaking your stuff if you go more than six months without updating it.

So I tried to log into my Bug Genie instance the other day and I ran into two issues.  The first, and most serious, was a fatal error saying that a parameter to the count() function must be either an array or a countable.  After a little debugging, it turned out that this was due to a change in PHP 7.2, to which my web host had recently upgraded.  The code for one of the Composer packages contained a bug that didn't always pass an appropriate parameter to count() and in older versions of PHP, this would pass silently.  But in PHP 7.2, this raises a warning, which was in turn causing an error.  The fix was simply to update to a more recent version of the package that fixes the underlying bug.
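The count() change described above, as an added example (not code from The Bug Genie or the affected Composer package): it reports what a bare count() does with a non-countable value on whichever PHP version runs it, next to a guard that also works on PHP 7.2. The helper names, the warning-to-exception handler and the sample values are assumptions made for illustration.

```php
<?php
// Added illustration; not code from The Bug Genie or its Composer packages.

// Assumption: the application promotes warnings to exceptions, which is one
// common way a mere warning ends up as a fatal error.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    throw new ErrorException($message, 0, $severity, $file, $line);
});

/** Hypothetical helper: count only what is actually countable. */
function countOrZero($value): int
{
    // is_countable() needs PHP 7.3+, so the check is spelled out for 7.2.
    return (is_array($value) || $value instanceof Countable) ? count($value) : 0;
}

/** Describe what a bare count() call does with $value on this PHP version. */
function bareCount($value): string
{
    try {
        return 'returned ' . count($value);   // before 7.2: silent result
    } catch (ErrorException $e) {             // 7.2 to 7.4: E_WARNING, promoted above
        return 'warning: ' . $e->getMessage();
    } catch (TypeError $e) {                  // 8.0+: count() throws TypeError
        return 'TypeError: ' . $e->getMessage();
    }
}

// Constructed sample inputs.
$samples = [
    'null'        => null,
    'string'      => 'open',
    'array'       => ['a', 'b'],
    'ArrayObject' => new ArrayObject([1, 2, 3]),
];

foreach ($samples as $label => $value) {
    printf("%-12s bare: %-70s guarded: %d\n", $label, bareCount($value), countOrZero($value));
}
```

Run under the interpreter version the host is about to move to, the same script shows whether an unguarded call site will keep working, warn, or throw.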

The second issue was client-side.  The project pages have a number of panels on them that are loaded via AJAX calls, and none of them were loading.  Turned out the problem was that a JavaScript file related to the Mozilla Persona support wasn't loading and this was causing subsequent scripts on the page to fail.  A quick search revealed that there was a good reason it wasn't loading - Mozilla discontinued its Persona service in 2016, so the URL the page was trying to load no longer existed.  Fortunately, this was easily fixed by turning off that feature.

So we have two things broken by the passage of time.  One a change in platform semantics and the other a change in the surrounding ecosystem.  Both of them theoretically foreseeable.  But on the other hand, both also very easy to overlook.

For a software developer, this is a parable on building for longevity.  There are dangers in relying on external dependencies.  There are dangers in being even slightly out of spec.  If we want our software to last, we need to be vigilant in our validation and establish boundaries.  You can't trust the testing of today to reflect the world of tomorrow.