←back to thread

189 points udev4096 | 1 comments | | HN request time: 0.201s | source
Show context
mickael-kerjean ◴[] No.42136723[source]
What if instead of publicly blaming an OSS product, you try to get a support contract with some of the engineers behind it? If your company is too cheap for that, maybe a PR would have been nice?

Having very high expectations when using the software without contributing anything else than public shaming on something that clearly state in the license: "Licensor provides the Work ... WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND" shouldn't be ok, this is quite literally how you make open source developer to burn out

replies(7): >>42136837 #>>42136872 #>>42136966 #>>42137033 #>>42137338 #>>42137517 #>>42137650 #
some_furry ◴[] No.42136837[source]
> What if instead of publicly blaming an OSS product, you try to get a support contract with some of the engineers behind it? If your company is too cheap for that, maybe a PR would have been nice?

Yeah, no. That's not how security research works.

If I disclose a security issue to you, it doesn't matter if you're a multinational trillion dollar corporation or a hobbyist in Nebraska, the onus is on you to fix it. Not the security researcher. Their job is done once it's disclosed.

From the timeline:

> 28/03/2024 – First communication sent with all details and a proposed fix.

After that point, any additional help (including a pull request) is going above and beyond.

I run into this attitude you're exhibiting a lot. Where proprietary software has the legal threats, the open source community is plagued by patch entitlement.

Knowledge of a security issue in a project is, in and of itself, a valuable contribution. Expecting a PR devalues this work.

replies(2): >>42136977 #>>42137118 #
rcxdude ◴[] No.42137118[source]
There's no obligation for a hobbyist to fix the stuff they publish online. If they're selling the result, then sure, you can argue there's reasonable consideration, but just because a security researcher has made a contribution (and a valuable one) it doesn't compel any further contribution from the original author. Now, the lack of action does probably remove some of the credibility of the project as one that should be used in any security context (bit of a problem for something intended to be used as authentication).
replies(2): >>42137167 #>>42138856 #
1. some_furry ◴[] No.42137167[source]
> There's no obligation for a hobbyist to fix the stuff they publish online.

Correct, but I didn't say there was. The onus being on them to fix it is predicated on anyone having such an obligation at all. If anyone has an obligation, it's always the vendor, not the researcher.

But keep in mind this situation involves an IBM-funded open source project under the Red Hat product line. The hobbyist remark is tangential to the story.