Fabian Giesen

I do have plenty of code that I professionally maintain (you know, at work, where I get paid to do so) where security issues get handled ASAP but... that's work.

Like that's actual work. I do that (and other support, and other coding) full-time every week. I'm not going to spend my weekends doing the exact same thing I do at work too. (I did for a while and it was _bad_ for me. I'm not going back.)

13 comments
Fabian Giesen replied to Fabian

...so what's my point here?

For foundational libs (including xz/liblzma) tons of people depend on, it sure would be nice if, assuming there are people who _want_ to be full-time maintainers, they actually got paid for doing so.

For something like the stb libs? I really don't know. I don't think we're foundational. If those libs disappeared overnight, nothing terrible would happen, people would just use other alternatives.

Fabian Giesen replied to Fabian

And "any open-source lib anywhere in the wild must be up to professional quality standards and respond to all bug reports in a timely fashion" is also a bullshit standard to apply to anything. It just doesn't work that way.

Kevin Gibson replied to Fabian

@rygorous people love the parts of open source licenses that give them permissions, and always ignore the parts about the software being without warranty of any kind. It's not always just a legal cover!

Fabian Giesen replied to Fabian

The majority of libs you know at the very least _started out_ as someone just noodling around on their private project and then over time turned into the go-to solution for XYZ.

But for many libs, that's just never been the goal, and pretending that not having that level of ambition is tantamount to failure is also not serving anybody.

Irenes (many) replied to Fabian

@rygorous well said, and thank you for speaking to this angle on it! we haven't seen enough people talking about that

railmeat replied to Fabian

@rygorous

“It just doesn't work that way.” It should not work that way. People should be able to publish software for free without incurring the obligations that come from commercial software.

That idea is backwards.

People or companies that take a dependency on software with no warranty get what they deserve. They have to make the effort to test it and check the dependencies on their own.

Maciej Sinilo replied to railmeat

@railmeat @rygorous the most mind boggling example is probably cURL which was still a part-time project until very recently.. and the author was getting "charming" emails like un.curl.dev/emails/slaughter

Kevin Karhan replied to Maciej

@msinilo @railmeat @rygorous EXACTLY!

IMHO, companies need to contribute accordingly and not just leech code...

Per Vognsen replied to Kevin

@kkarhan @msinilo @railmeat @rygorous But even that is missing the point in some of these cases. Many people don't want code contributions to their open source projects from outsiders (or perhaps from anyone). But it's probably worth "standardizing" some of the messaging around this in the way we do with licenses so the expectations can be super clear to everyone.

Kevin Karhan replied to Per

@pervognsen @msinilo @railmeat @rygorous

I can understand why some projects are sus about external code.

for example reached its high level of by being rather reluctant to changes...

But I think a lot of devs stopped asking "why?" and saying "No!" when it's necessary...

That being said I'd rather yeet something than having to deal with shit that breaks that is maintained by nonchalant assholes that refuse to acknowledge their responsibility or the fact that "just recompile it" is not the correct answer to them bricking Userspace...

- Yes that was a vent against in specific and the whole project in general. And yes I do maintain a GNU-free + / distro known as @OS1337 and I have no shame to this self-promo.

crzwdjk ✅ replied to Fabian

@rygorous And if someone wants to take a "for fun" library and use it as a load bearing component of some project they can take over maintenance, but then again that's pretty much what happened with xz.

Soso replied to Fabian

@rygorous

> any open-source lib anywhere in the wild must be up to professional quality standards and respond to all bug reports in a timely fashion

I think the proper standard should be to request that of vendors selling production software. « all libs you depend on must be up to professional standards of security ». If upstream can't meet that, for the reasons you described, then it's downstream's responsibility to either fork or vendor to meet that criterion.

Seasonal Stompy Robot replied to Fabian

@rygorous
There are alternatives to any lib.
You can even swap out Linux kernel for BSD kernel and it won't be the end of the world.

"How many machines is this on, and how frequently is it invoked, and with what privileges?" are the real questions.