by mhils 1063 days ago
OP here. To be clear, I don't mind the release question at all, it's valid! But the context should be along the lines of "we have an interest in this, how can we help make it happen" (contributions or $) and not "you are causing problems for our customers". I don't want the requestor to have a miserable time because of a badly-worded comment, I want large companies to have a healthy relationship with FOSS.
5 comments

If it was my project I wouldn’t have offered a support contract because the labor law and tax law situation is too complex for me.

It’s actually very kind of you to offer such a contract.

FrugalGuy could have gotten the response “please submit a PR”. Not sure if that would have made them happy.

The code they're looking for is already in the repo (just a version bump on some dependencies), so the response would actually have been "instructions for building from source can be found here [0]".

[0] https://docs.mitmproxy.org/stable/overview-installation/#adv...

As a user I have two options:

- follow the official installation instructions;

- build from source.

The documentation (https://docs.mitmproxy.org/stable/overview-installation/) says, among the rest:

> The recommended way to install mitmproxy on Linux is to download the standalone binaries on mitmproxy.org.

> Dependencies in the binary packages are frozen on release, and can’t be updated in situ. This means that we necessarily capture any bugs or security issues that may be present. We don’t generally release new binary packages simply to update dependencies (though we may do so if we become aware of a really serious issue).

If we put the emotions and people aside, what stops mitmproxy as a software project from releasing a new version right now?

Just curious.

We transitioned from S3 to R2 for downloads.mitmproxy.org because egress got prohibitively expensive for a hobby ($300/month). CI for 9.x still points to the old infrastructure. This does not mean we couldn't ship a patch release right now, but it would take me 1-2 hours.

The vulnerability in question is in parts not used by mitmproxy. We looked at it when it came out, and I'd even say it's more of a bug than a security vulnerability. Again, in either case it's not used by mitmproxy.

Lack of interest? Other priorities in his personal life? Volunteers don't need to justify their schedules.
Even the term "volunteer" implies too much responsibility. This is a project to which people contribute their time, for whatever personal reason motivates them. If they don't want to do a release ever again, or they don't feel like updating a dependency, or decide the purpose of the project should change in some fundamental way, too bad. This is Free Software, if you don't like what is happening in some project the only thing you are entitled to is a fork.
Given that nobody is paying them, "I don't feel like it right now" is as perfectly valid a reason as any. With an email response like that, I certainly wouldn't feel like it for as long as possible.
Feel free to delete my GH comment. I wanted to after reading this, but the thread was locked.
How are contributions or money going to solve a release issue? If the issue is a bug, I can fix it and submit it as a patch. But if the issue is that there's no release for already made fixes, how do I fix that with a contribution or money?
Can you not offer compensation for the time it will cost the developer to make the release you need?
For what, pushing a tag to GitHub? I don't think most people would consider that as needing compensation.
But apparently many developers of open source software would not consider that something they do for fun. I.e. it is work.
But it was an extortion attempt
Hmmm. Let's say you have a plumber install a sink at your house, and you're happy with it.

If you later on decide you want something extra done to the sink, and the plumber says "oh, that's easy I can do that for you for free in a few weeks..." that would generally be a positive right?

But let's say you wanted it done Real Soon Now instead. Like tomorrow or the next day.

If the plumber's response was "Well, that can be done but I'll have to charge you our normal rates", that doesn't sound unreasonable does it?

That's what this situation seems like to me. I'm not sure why you're thinking there's attempted extortion involved?

Bad analogy. There is a reasonable expectation that security-related bugs will be fixed in a reasonable time, and that it won't be a premium feature. Not legally, of course, as it's free etc. But that's commonly how the world works.

A better analogy would be Microsoft asking for money to fix a security bug in Windows.

This, I think, is the core issue of this thread. It's totally not reasonable to expect anything from people who were kind enough to put their code on the internet for free for others to use. The requester is using the code someone gifted them to make money, and expects the other person continue volunteering their time for free so they can make more money. Moreover, there is no actual security vulnerability here.
Most Free Software projects are not professional. Time is spent on them for personal reasons. Those reasons may not align with users of that project, but that is just too bad. If you don't like it, all you are entitled to is the source code.

> A better analogy would be Microsoft asking for money to fix a security bug in Windows.

Microsoft has the exact same practice. If you want to tell Microsoft how to spend their time, you better be prepared to fork over lots of money.

OK, then how about if Firefox would only release a critical bugfix to paying users? Same thing: they would rightfully be called out on that.
Firefox is maintained by paid employees. This is not the same thing. There is no talk of making this a paid only release anywhere. Please avoid strawmen.
Windows is a paid product, FOSS is not. Plus, not only can you not fix the security bug yourself in Windows, it's also illegal. Meanwhile, if someone needs something changed in FOSS they are free to do it themselves (it wasn't even a change, just a stupid rubber stamp).
> reasonable expectation that security related bugs will be fixed in a reasonable time

Who gave you this expectation?

Heh Heh Heh. On a tangent, that seems to be what Canonical is doing with Ubuntu subscriptions these days. :/
Extortion implies an illegal abuse of power to obtain property. A cursory glance at the MIT license (which mitmproxy is licensed under) proves you wrong:

> Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software [...]

It's all there, black and white, clear as crystal. They knew what they were getting into when they agreed to the license of the software they use. Hell, IBM could fork the project and sell the code back to the original developer, if they wanted. If they disagree with the license, well... caveat emptor:

> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Demands for output are met with a request for compensation. Was there a threat made? No, so not extortion, by definition.

If they said, "Since you asked, I want money or I'll plant a backdoor to ruin you", sure, that's extortion, but that didn't happen.