Proprietary Software Riddled With Old Open-Source Vulnerabilities

No big news, really: closed-source software, even if it is built on open-source components, will inevitably accumulate long-standing bugs that never get fixed. And sometimes the bugs have security implications. This report from Black Duck uses the term “commercial” software, but it’s quite clear they mean “proprietary” software, i.e. closed-source <http://www.theregister.co.uk/2016/05/04/commercial_software_chokkas_with_ancient_brutal_open_source_vulns/>. The telling phrase in the report is “visibility into the components that are included in their code base is required”. How would you *not* have such visibility, if the source of your product is open? A lot of companies may hate copyleft licences, but at least they force a level of transparency that makes this kind of thing much harder to cover up.
Participants (1): Lawrence D'Oliveiro