[makomk]

So basically, if you use open source code in your code, you should expect there to be security vulnerabilities which people know about and are keeping quiet about because it'd be unfair to the unpaid creator to criticise them? Tbat sure makes it sound like it's morally irresponsible to use open-source rather than purchased commercial code in something like a web-facing service in 2020, especially given what we know now about the damage compromises can do and the resulting legal climate.

[komali2]

You can report on security vulnerabilities in a library without being vitriolic.

Find vulnerability. Already, awesome of you to have done. Issue patch request. That's 10x even better, you're a boon to the community. You submit it, it gets rejected, you find out why and it's the maintainer is just not feeling it or some other irrational reason. Fork, put in the readme why you forked, write a blog post without being a dick about it, done.

The article we're talking about is referring to the bloodbath of a Reddit pile-on. That's totally unacceptable behavior from an adult.

[deng]

Please don't twist my words. I never said you have to keep quiet or that you're not allowed to criticize. If you see that a project has serious issues, feel free to write a blog post about it. Maybe offer to help, but don't demand your help being accepted.

[asjw]

> if you use open source code in your code, you should expect there to be security vulnerabilities

You should be able.to fix them yourself

That's the premise of OSS

if you don't want to pay for a cab or a driver, you should be able to drive

[badloginagain]

You can fix them yourself, by duplicating the car and fixing it yourself. You can't force someone else to fix the locks on their car

[aurosul]

The only guarantee OSS gives is

- full access to the source code

- full rights to modify it and use it as it was your own

There's no other guarantee.

So if someone writes some code that becomes highly popular, they have no obligation whatsoever to maintain it the way people want.

They don't even have to maintain it at all, if they don't want to!

It's out in the public, it's free, that's the end of the agreement on the creato's side.

If a writer gave away their writings for free, could people pretend that they write what people want them to write, the way they want?

Is it fair to judge the writer because the answer was "WONTFIX"?

But the reality is worse than that.

A lot of companies are literally making billions using OSS, but they are not paying for it, a lot of programmers are making a lot of money by assembling OSS for their clients, but they are not paying for it, hell most of them are not even contributing in _any_ way, what does entitle them to pretend the attention of the OSS maintainer or that the maintainer should act in a way or another, according to the "community" desires?

[UncleMeat]

Yes. I would expect there to be vulns and inconsistent patching for all OSS that I depend on and where I don't have a professional contract with its maintainers.