Libxml2's "no security embargoes" policy

(lwn.net)

277 points jwilk | 2 comments | 25 Jun 25 19:36 UTC | HN request time: 0.502s | source

Show context

djoldman ◴[25 Jun 25 23:01 UTC] No.44382594[source]▶

I really don’t understand solo unpaid maintainers who feel “pressure” from users. My response would always be: it’s my repo, my code, if you don’t like how I’m doing things, fork the code megashrug.

You owe them nothing. That fact doesn’t mean maintainers or users should be a*holes to each other, it just means that as a user, you should be grateful and you get what you get, unless you want to contribute.

Or, to put it another way: you owe them exactly what they’ve paid for!

replies(5): >>44382606 #>>44382644 #>>44382666 #>>44382801 #>>44383730 #

1. sysmax ◴[26 Jun 25 02:31 UTC] No.44383730[source]▶

>>44382594 #

Sadly, that stuff backfires. The researcher will publish your response along with some snarky remarks how you are refusing to fix a "critical issue", and next time you are looking for a job and the HR googles up your name, it pops up, and -poof-, we'll call your later.

I used to work on a kernel debugging tool and had a particularly annoying security researcher bug me about a signed/unsigned integer check that could result in a target kernel panic with a malformed debug packet. Like you couldn't do the same by just writing random stuff at random addresses, since you are literally debugging the kernel with full memory access. Sad.

replies(1): >>44383985 #

2. hgs3 ◴[26 Jun 25 03:39 UTC] No.44383985[source]▶

>>44383730 (TP) #

Just be respectful and not snarky. And be clear about your boundaries.

What I do is I add the following notice to my GitHub issue template: "X is a passion project and issues are triaged based on my personal availability. If you need immediate or ongoing support, then please purchase a support contract through my software company: [link to company webpage]".

↑