
278 points jwilk | 1 comments
bawolff No.44383868
So reading this, it sounds like the maintainer got burned out.

That's reasonable, being a maintainer is a thankless job.

However, I think there is a duty to step aside when that happens. If nobody can take the maintainer's place, then so be it, it's still better than the alternative. Being burned out but continuing anyways just hurts everyone.

It's absolutely not the security researcher's fault for reporting real albeit low severity bugs (to be clear though, entirely reasonable for maintainers to treat low severity security bugs as public. The security policy is the maintainer's decision, it's not right to blame researchers for following the policy maintainers set).

1. teddyh No.44386746
Being a free software maintainer, especially for code that you did not yourself write, is in effect a volunteer position in a charity or a non-profit organization. You yourself volunteered to take the position, and when you did, you became responsible for acting in the interests of the project and all its users. The fact that you are not paid does not mean that you can do whatever you please. If you at any time feel that you cannot fulfill your responsibilities to your users and to the development of the project, you should immediately leave your position to more eager and/or capable hands. (You should already have been prepared and have such people ready to take over, which should be possible if the project is popular enough.)