|
Top-level
 But, realistically, _we just don't have the time and energy_. The current schedule for stb lib maintenance is what works for us. The alternative is not "pay us and you get monthly releases". The real choice here is between either we update these libraries at all, at the leisurely schedule we do, or we abandon them entirely. Nagging us does not magically make us have more free time or energy. 27 comments
Like yes, I agree that it sucks that stb_image has a lot of exploitable bugs that often are around for months or years at a time but at the same time... we're completely transparent about this. Don't put this code in a security-sensitive context, especially if you need timely updates. We realistically can't serve that need and we have never claimed that we could. I do have plenty of code that I professionally maintain (you know, at work, where I get paid to do so) where security issues get handled ASAP but... that's work. Like that's actual work. I do that (and other support, and other coding) full-time every week. I'm not going to spend my weekends doing the exact same thing I do at work too. (I did for a while and it was _bad_ for me. I'm not going back.) ...so what's my point here? For foundational libs (including xz/liblzma) tons of people depend on, it sure would be nice if, assuming there are people who _want_ to be full-time maintainers, get to actually be paid for doing so. For something like the stb libs? I really don't know. I don't think we're foundational. If those libs disappeared overnight, nothing terrible would happen, people would just use other alternatives. And "any open-source lib anywhere in the wild must be up to professional quality standards and respond to all bug reports in a timely fashion" is also a bullshit standard to apply to anything. It just doesn't work that way. @rygorous people love the part of open source licenses that give them permissions, and always ignore the parts about the software being without warranty of any kind. It's not always just a legal cover! The majority of libs you know at the very least _started out_ as someone just noodling around on their private project and then over time turned into the go-to solution for XYZ. But for many libs, that's just never been the goal, and pretending that not having that level of ambition is tantamount to failure is also not serving anybody.  @rygorous well said, and thank you for speaking to this angle on it! we haven't seen enough people talking about that  “It just doesn't work that way.” It should not work that way. People should be able to publish software for free without incurring the obligations that come from commercial software. That idea is backwards. People or companies that take a dependency on software with no warranty get what they deserve. They have to make the effort test it and check the dependencies on their own. @railmeat @rygorous the most mind boggling example is probably cURL which was still a part-time project until very recently.. and the author was getting "charming" emails like https://un.curl.dev/emails/slaughter  @kkarhan @msinilo @railmeat @rygorous But even that is missing the point in some of these cases. Many people don't want code contributions to their open source projects from outsiders (or perhaps from anyone). But it's probably worth "standardizing" some of the messaging around this in the way we do with licenses so the expectations can be super clear to everyone.  > any open-source lib anywhere in the wild must be up to professional quality standards and respond to all bug reports in a timely fashion I think the proper standard should be to request that on vendors selling production software. « all libs you depend on must be up to o professional standards of security ». If upstream can't meet that, for the reasons you described, then it's downstream responsibility to either fork or vendor to meet that criteria.  @rygorous "How many machines is this on, and how frequently is it invoked, and with what privileges?" Are the real questions.  @rygorous People have packaged your knowingly-insecure code and uploaded it to an online package repo from which there have been 30,000 downloads: Similarly, 3,177 downloads for this package: Would you please at least consider adding the words “insecure-unmaintained-“ to your package names so that people can understand what they’re getting? We don't make distributions as distro packages at all, and have repeatedly told people in the issue tracker not to do it. The README.md, which shows up on the front page when you navigate to the project on Github, has a warning up top that is literally larger than the name of the library itself. https://github.com/nothings/stb/blob/master/README.md I mean, people should be able to see at a glance if something's maintained or not. There's a solution for that: #PayYourDistroMaintainers to cover that for you! But I guess you are too cheap for the 3-4 digits per year and Desktop/Server that would cost...  @wronglang @marshray @rygorous that needs to be a meme when dealing with demanding users of volunteer projects ;-) @raven667 I think so too but there's probably a canonical example out there I should use, I think some research is required to pick the right name. @rygorous "If you can't hack on it, I'm not supporting you using it" is my rough approach to things I'm not charged with maintaining professionally. Unless the problem interests me for some reason. I'm not prepared to burden myself with responsibility and drudge work for internet randoms. That said, I haven't yet been the target of abuse either. I maintain some pretty niche stuff so that probably helps  @rygorous |
Gregory's Server
And the reason I'm writing a whole thread about this is that fundamentally, I refuse to treat this as a problem when a lot of discourse around open-source libs very much wants to pretend that it is.
I don't know, man. Some projects just exist to scratch a very particular niche itch and are maintained by people who have plenty of other things going on in their life and... that has to be OK?