[dang]

Tell me more about this world in which HN's users shield its developers from criticism.

We fixed the reported vulnerability and have a fix for the remaining issue ready if it's needed. There's no "eh" here; it's a question of what the right tradeoff is.

[ubernostrum]

Well, I don't see people insulting you the way they would if it were another site...

And I don't see people calling out the "breaks third-party clients" justification for not rolling out the full fix.

[dang]

Since you're a "people here", your comments disprove themselves.

A phrase like "calling out" assumes that it's obvious what we should do. It's not obvious; the parts that were obvious are done. Our goal is to do what's best for the community, not to avoid getting criticized on the internet.

[ubernostrum]

Since you're a "people here", your comments disprove themselves.

If I were going to respond to you the way I feel HN would generally respond to a CSRF hole in a major non-HN site/service, I'd say something like "Well, that line shows you're as good at formal logic as you are at preventing/patching CSRF holes".

You know the same as I do that HN's getting light treatment from its users in this thread, compared to how security issues in other things typically get received. It's OK to admit that.