[logophobia]

It's not coding style, it's refusing to investigate use-after-free vulnerabilities in code because it's "boring". Noone should care if a maintainer uses tabs or spaces, or has weird variable naming, but if "coding-style" leads to security issues (due to hand-rolling unsafe memory-primitives), then it is an actual issue, especially if it's for a popular web-framework.

Don't like it, don't use it doesn't really apply to security vulnerabilities in such major packages.

Flaming and personal attacks are not the solution to this stuff, but this drama feels somewhat self-inflicted.

[zzzcpan]

> it's refusing to investigate use-after-free vulnerabilities

Please investigate yourself, don't ask others to do the work you consider important for you for free.

[jeltz]

People did investigate for him and write a patch for him and he dismissed the patch with it being "boring".

[zzzcpan]

Well, maybe people didn't provide detailed enough explanation for the author to understand and merge the patch, so he didn't bother.

[jeltz]

Judge for yourself: https://web.archive.org/web/20200116203731/https://github.co...

[ryandrake]

It seems like the better solution here would have been for the folks who wanted a fixed version of the software to create and maintain a "actix-done-right" fork themselves. This is what we all do in the professional world when a maintainer doesn't want to upstream critical patches for whatever reason.

They're under no obligation to upstream your patch, but it's open source so you're not powerless either! Why so much drama over a rejected PR?

[XelNika]

Creating a fork is generally not the optimal solution. Both current and future users benefit from a patch, only those that hear about it benefit from a fork.

Now, in a case like this where the maintainer won't accept patches, yes, fork and move on would have been better.

[Sharlin]

The reporter included a patch.

[stjohnswarts]

"Don't like it, don't use it" applies in all situations where the code is free to you and you didn't enter into a contract to "correct" those things that you don't like. People were always free to fork the code and fix what they don't like.

[beatgammit]

> somewhat self-inflicted

Let's not start victim-blaming please.

Yes, the maintainer could have made his reasons for making the project more clear, and the maintainer could have been more clear on the intended use of the project (not for production, personal project to see how fast Rust can be, etc). There are a lot of things the maintainer could have done.

However, that doesn't mean there wasn't a problem. There was a ton of negativity around "unsafe" when the author first released the code, and it has kind of become a meme at this point. If a project consistently uses code in an unsafe way, is it really worth spending your time vetting it for your production use case? There are plenty of web severs out there, pick one that aligns with your goals.

For future maintainers of projects, please do yourself a favor and clearly state the intentions of your project. Is it for production use or just a personal project to see how far you can take an idea? Make it clear and get into the habit of reminding people of the project's goals. I am very grateful for projects that do that since it helps me save a ton of time for both the maintainers and myself.

There seems to be a mismatch between the maintainer's expectations of the project and the community's expectations. It's unfortunate that the author decided to pull it, but hopefully this is a lesson to the community to make sure a project is a good fit before diving in with suggestions.

[logophobia]

> However, that doesn't mean there wasn't a problem. There was a ton of negativity around "unsafe" when the author first released the code, and it has kind of become a meme at this point. If a project consistently uses code in an unsafe way, is it really worth spending your time vetting it for your production use case? There are plenty of web severs out there, pick one that aligns with your goals.

Should people wait until credit-card data or PII is leaked due to security vulnerabilities? The problem with security is that it impacts more than just the programmers using the framework, it impacts everyone. Does the author deserve the nastiness? No. Do security issues need to be reported, and if not fixed, called out? Yes, for big and advertised projects issues like that need to be reported. If not, there will be users that would naively expect the web-framework they're using to be somewhat secure.

The framework had a professional looking website advertising the project, it had good documentation, a user-friendly API. It advertised a actix open-source community. Had over a million downloads. I would say that expecting actix to be run like a somewhat professional project is not a strange assumption.

The way it was called out was pretty terrible though, and I doubt anyone is happy with what happened.

[blub]

If personal info or CC data gets leaked, the company which used this library/framework will be found legally liable. Using random code from github is not a valid product development strategy.

The author can write their entire code in an unsafe block for all they care. The buck stops with those that use the framework and that is made quite clear in the license.

[strbean]

Welp.

Time to close up shop folks, we didn't personally perform a deep security audit of every single open source project we depend on!