←back to thread

Libxml2's "no security embargoes" policy

(lwn.net)
279 points jwilk | 8 comments | 25 Jun 25 19:36 UTC | HN request time: 0.805s | source | bottom
1. djoldman ◴[25 Jun 25 23:01 UTC] No.44382594[source]
I really don’t understand solo unpaid maintainers who feel “pressure” from users. My response would always be: it’s my repo, my code, if you don’t like how I’m doing things, fork the code megashrug.

You owe them nothing. That fact doesn’t mean maintainers or users should be a*holes to each other, it just means that as a user, you should be grateful and you get what you get, unless you want to contribute.

Or, to put it another way: you owe them exactly what they’ve paid for!

replies(5): >>44382606 #>>44382644 #>>44382666 #>>44382801 #>>44383730 #
2. msgodel ◴[25 Jun 25 23:02 UTC] No.44382606[source]
The correct response to this kind of thing is an invoice IMO.
3. ◴[25 Jun 25 23:08 UTC] No.44382644[source]
4. kayodelycaon ◴[25 Jun 25 23:13 UTC] No.44382666[source]
Your solution is exactly right, but let me try to help understanding the problem.

Many open source developers feel a sense of responsibility for what they create. They are emotionally invested in it. They may want to be liked or not be disliked.

You’re able to not care about these things. Other people care but haven’t learned how to set boundaries.

It’s important to remember, if you’re not understanding what a majority of people are doing, you are the different one. The question should be “Why am I different?” not “Why isn’t everyone else like me?”

“Here’s the solution” comes off far better than, “I don’t understand why you don’t think like me.”

replies(1): >>44385577 #
5. michaelt ◴[25 Jun 25 23:35 UTC] No.44382801[source]
> I really don’t understand solo unpaid maintainers who feel “pressure” from users.

Some open source projects which are well funded and/or motivated to grow are giddy with excitement at the prospect you might file a bug report [1,2]. Other projects will offer $250,000 bounties for top tier security bugs [3].

Other areas of society, like retail and food service, take an exceptionally apologetic, subservient attitude when customers report problems. Oh, sir, I'm terribly sorry your burger had pickles when you asked for no pickles. That must have made you so frustrated! I'll have the kitchen fix it right away, and of course I'll get your table some free desserts.

Some people therefore think doing a good job, as an open source maintainer, means emulating these attitudes. That you ought to be thankful for every bug report, and so very, very sorry to everyone who encounters a crash.

Needless to say, this isn't a sustainable way to run a one-person project, unless you're a masochist.

[1] https://llvm.org/docs/Contributing.html#id5 [2] https://dev.java/contribute/test/ [3] https://bughunters.google.com/about/rules/chrome-friends/574...

6. sysmax ◴[26 Jun 25 02:31 UTC] No.44383730[source]
Sadly, that stuff backfires. The researcher will publish your response along with some snarky remarks how you are refusing to fix a "critical issue", and next time you are looking for a job and the HR googles up your name, it pops up, and -poof-, we'll call your later.

I used to work on a kernel debugging tool and had a particularly annoying security researcher bug me about a signed/unsigned integer check that could result in a target kernel panic with a malformed debug packet. Like you couldn't do the same by just writing random stuff at random addresses, since you are literally debugging the kernel with full memory access. Sad.

replies(1): >>44383985 #
7. hgs3 ◴[26 Jun 25 03:39 UTC] No.44383985[source]
Just be respectful and not snarky. And be clear about your boundaries.

What I do is I add the following notice to my GitHub issue template: "X is a passion project and issues are triaged based on my personal availability. If you need immediate or ongoing support, then please purchase a support contract through my software company: [link to company webpage]".

8. atemerev ◴[26 Jun 25 09:11 UTC] No.44385577[source]
That's a good argument, thank you. Open source authors are even more heroic with this.