(Disclaimer: I'm the other guy behind BundleScout.) The Django project does a fantastic job with announcements. (So does Rails.) And if every open source project had the infrastructure to make that much noise, the world would be a better place. But of the 100k or so Python/Ruby/NPM projects I know about, only a small handful do, or could even manage it. And if they did, would you want to be on every one of their mailing lists? Bleach, for example, has more users than I have Twitter followers, so I doubt most of them heard about v1.2.1. (Out today! Go get it!)

> but it kinda sucks that you'd make people pay to hear about security issues

Well, like you said, there are other ways to hear about updates, at least from the big projects. This is the convenience of not needing to join dozens of mailing lists and/or check dozens of websites periodically.

I see a real value in a service to let me know that there's a new version of one of the dozens of things I depend on. But like I said, it seems janky to rely on a for-pay service to find out about security vulnerabilities. So what about making the security notification free to all users, with the non-security update notifications a for-pay addon? Seems like a good way to strike a balance between developing a self-sustaining business and helping out a community.