by ru999gol 2443 days ago
you might want to read up on the controversies surrounding him first though

From the sibling comments, it seems like you're just referring to his history of abrasive social interactions on bug tickets. Granted it is strikingly abrasive, but that really isn't a good reason to forgo donating. At the very least don't actively convince others not to donate.
Do you mean because he's arrogant? Who cares? The software is great and saves me a ton of time and money.
I care. As developers we have the moral responsibility of not putting people at risk even if we don't have the legal one.

The author has zero care for security and the product had plenty of vulnerabilities. This harms users and also other people.

Furthermore, poor behavior attracts blame on the whole open source community.

When you interact with customer service as a paying customer you get to expect courtesy. Some people seem to expect obsequiousness but I digress.

By what chain of reasoning do you derive the existence of the moral obligation to users who have paid exactly nothing, let alone the obligation to consider what the broader world thinks of open source developers? It's pretty clear Kovid is a bit of an asshole and sometimes outspokenly incorrect, but what right do we have to demand different? Usually such an obligation is transactional. Even if unspoken and devoid of monetary context, there is some broader context in which SOMETHING of value is gained or lost.

So far as I can see, the only thing we give Kovid is attention, which is cheap, and he gives us work, which is dear. If you don't agree with the present transaction of putting up with the existence of opinionated posts (which you don't have to read) for a useful piece of software, you don't actually have to use it.

It would even be useful for you to expand on why you think it's insecure, because that may inform users who can then see to their own interests better for having the benefit of your counsel, but don't bore us with talk of his moral obligation unless you can't substantiate such.

The spoiler alert is that you cannot because you have confused the right to control the mores of a particular community with the right to impose those on non-members.

It is sad to see how you equate moral obligation to transactions.

But if you really need to see transactions everywhere, here's one:

When I give software away for free (which I do) or food (which I do) people give me something in exchange: their trust.

I also give my trust to other software developers.

Not caring about security is a breach of such trust. Same as giving someone some spoiled food.

I don't think being a paying customer changes much here either unless there's some sort of explicit customer support package in the deal, especially when we're just talking about donors.

I once made the mistake of accepting donations for a forum I run and learned how people will expect the world from you, like 1:1 customer support whenever they need it, just because they once gave me $5.

Eventually all the "this is outrageous, I am a paying customer!" made me refund everyone and I never accepted donations again.

Fork it.
The codebase is horrible. I use something else.
A something else that you're avoiding naming?
Yes, it's not released (yet).
If you're referring to the "I'll personally maintain Python 2 if it goes EOL" comment, Calibre has been slowly upgrading to Python 3.
It hasn't been upgrading to Python 3 by itself but through the effort of a distro maintainer and other contributors: https://github.com/kovidgoyal/calibre/pulls?q=is%3Apr+author....
That is kinda the point of being an open source project, though, isn't it? The lead dev says, "It's going to be way too difficult for me to convert this codebase to Python 3, I don't want to do it." A group of volunteers then decide to undertake the effort themselves because they wish to ensure the project's continued viability for the future. AFAIK, he hasn't nixed the idea completely if others are handling the legwork.
Did he put any effort into the Python 3 port, or is his merit just that he didn't reject the PRs that others have worked on?
If you look at the GitHub he is actively involved, and is fixing problems that the porters run into.
You might want to add some specifics and references to back up such a statement. Otherwise it very much looks like a fairly cheap character attack to an outsider such as myself.
Where's the controversy? A maintainer and a contributor disagreeing about a bug report, and it gets a bit heated. Nothing important to see there, and nothing we haven't seen a thousand times in public bug trackers.
The submitter was pretty civil for the most part, and Kovid ended with:

> Something answering posts from fools like you over the years should have taught me a long time ago.

And submitter is correct - he does this often. I recall a security bug that he refused to fix as fixing it would break some convenient feature. That one got really heated, and only when distributions declared they will stop carrying calibre in their package management system did he cave in and fix it.

Nevertheless, I don't see these as obvious reasons not to support him on Patreon.

I stumbled into that git issue and couldn't stop reading. He was immediately dismissive of the security suggestion, even when that person had gone out of their way to provide verifiable examples of the vulnerability. I ended up not installing the software.
You mean you didn't install Calibre because of a bug report where the author allegedly misbehaved? That's odd. A lot of open source software is riddled with ego and personality clashes, and because they play out in public forums, mailing lists and bug trackers for everyone to see, these flamewars tend to be very visible (also see: Linus Torvalds' outbursts). Do you also not use these programs?

Did you need Calibre in the first place? If so, what did you end up using instead?

I agree, these are not reasons not to support him.
There are many other such instances in which the lead dev immediately responds to bug reports with 'works on my machine' without even asking for details to reproduce the bug. Any further words from the bug reporter are met with sarcasm or words worse than I would term "a bit heated".

Here's Kovid responding to reports of security vulnerabilities: https://bugs.launchpad.net/calibre/+bug/885027

How much, exactly, are any of these people reporting bugs paying for this software?

You use open source software that is made by one guy and offered to the world for free, you kind of have to deal with the possibility that that guy has better things to do than fuss over every bug report.

I have no way of knowing how much these people paid, if anything, to the dev's Patreon or Liberapay or Donate to PayPal. What they did do was spend their time reporting serious issues for zero payment. Bugs are important to fix, some bugs can be critically important to fix. If the dev chooses to fix these bugs, it is the dev that will receive all credit for doing so. The person who made the effort (albeit minor in comparison) of reporting the issue will not be credited or acknowledged in any way.

Also, I think a vulnerability that allows unprivileged users to gain root on a system on which Calibre is installed is worth fussing over.

I would argue it's always better if people form their own opinions, so I just suggested that people should look it up themselves and come to their own conclusions.