by mhink 530 days ago
Given the brevity of the security report, I figure the author wanted to get the relevant details about the *incident* posted as fast as humanly possible. However, it does seem appropriate to acknowledge that just because they're being terse doesn't mean they don't understand how big of a mistake it was.

That being said, I would also strongly expect a more in-depth blog post following up, with details about just the sort of thing you're mentioning.


I understand the interest about this bug, but to my understanding this is an unpaid hobby project?

If that's true I don't feel entitled to expect anything here.

I think your parent comment used "expect" to mean "predict" rather than "demand"?
You can expect anything you want in software you use, and choose not to use software that fails to meet expectations.

A software author who takes pains to publish his work and who accepts financial donations is likely interested in maintaining his reputation and improving his skill and quality.

Finally, security bugs are in a class of their own. Giving out free junk is OK. Giving out free secret poison is not.

> Finally, security bugs are in a class of their own. Giving out free junk is OK. Giving out free secret poison is not.

It is not if it was done maliciously. If the code you got for free contained some mistakes it's ultimately your responsibility - you didn't have to take that pill you got at the party.

Accepting donations could change this, but I would say it depends on how they are presented - "campaign donations" à la Joey Hess or "Hey thanks for the party last night, here's $40 to cover some of the booze!"

Alternatively, I'm curious how you feel about companies offering you "free email, free search, free image hosting, free social media" etc, (actually, in exchange for all your behavioral data) ((actually, even if you never directly accept anything from us))?