[eat_veggies]

They are contributing to the Tor project by sending detailed vulnerability reports. As for demanding that they fix/upstream changes themselves, then yes, that's likely too big of an ask, as even these reports are a gift. Tor has paid employees. "PRs welcome, wontfix" is not acceptable for security vulnerabilities in a security product.

[lucb1e]

To add to this, when reporting bugs (security or otherwise) I regularly feel like it's not worth my time to fix them because it takes me 2 hours to try to get the code to compile in the first place, sometimes you need to sign legalese to be allowed to help them, then I still need to figure out what the project's structure is and decide on how to best fix it (perhaps discuss it with the maintainer(s)), and then I haven't even started writing code yet. Meanwhile, I know that when maintaining my own software, it takes me 30 seconds to open up the project and I'll be literally 5 times faster working on a fix with all the context that is in my head and usually don't need to consult with others.

It's like if you kept trying to fix other people's cars when you know only the principles of a combustion engine, own an electric motorcycle yourself, and those cars would be very different from each other: I'd much rather someone does it who actually knows what they're doing, it would save all parties a lot of trouble. Diagnosing problems very specifically should already help them a lot of the time they would otherwise have to put in.

[strbean]

> it takes me 2 hours to try to get the code to compile in the first place

And then the tests won't pass on master!

[lucb1e]

Tell me about it. Instructions working on the first attempt on a standard Debian system is quite rare. Bigger projects with more contributors put more work into making it work, but also have more complex processes, so the result is that it's almost always trouble. Or they're simply more complex than necessary: no I don't want to download 12GB of IDE, SDK/compiler, emulated operating systems, and custom versions of dependencies installed system-wide in order to compile and run this project, I just want the code and dependencies in the local folder and apt install a compiler so I can simply build the apk and adb install it on my phone without screwing up my system or having to setup a new container/VM for the purpose.

[giomasce]

If someone gives you a gift, you are not forced to accept it. Tor paid employees probably have something else to work onto, given that they are paid my Tor's money, not by the bug reporter's money. Frankly, the issue about blocking connections is pretty useless: the author themselves admit that the underlying issue cannot be fixed, since the list of relays is public. And it's not a security issue anyway: of course your traffic carrier will always be able to drop your packets, but nobody consider this a security issue for any other application.

So they are basically reporting trivial issues (this is trivial, at least, I cannot judge for the others they say they have) and pretending that people paid by someone else now care just about that. Doesn't look like very smart.

[bredren]

This sort of reminds me of Burning Man Project. There is money, full time staff and a lot of attention paid to the main product. But a lack of excellent results.

I generally chalk this up to leadership issues.