Well, a one-man company probably shouldn't be a maintainer on something unless it is
critical to their business. As he discovered, the model is that big rich companies pay
someone to maintain the stuff that they need. Customers like it open source. Multiple
companies maintaining the same stuff makes it easier to ensure that everyone that needs
the product gets to keep using it and reduces the cost.
Personally, I don't really like products where one overworked guy is the maintainer.
It sounds fragile to me. That is why I never used PuTTY, for example, and wouldn't
incorporate it into things at work. And, if you found a bug in a library, you are
probably a developer. It's open source; submit a patch with your security bug.
I agree with the author: if it isn't a high-priority/critical security bug, it's just a
bug and can be picked up in the normal release schedule. I'm not even really sure what
a security bug is that isn't high priority, but that is another matter.
--
-Gary
It is a simple thing to make things complex,
a complex thing to make things simple.
On Mon, May 12, 2025 at 10:10:36AM -0700, Brian E. Lavender wrote:
LibXml2 seems to be one of those unglorious packages to maintain. I saw
the following posted by a project maintainer.
https://gitlab.gnome.org/GNOME/libxml2/-/issues/913
His observations on disclosing security vulnerabilities seem to be
interesting.
Brian
--
Brian Lavender
https://www.brie.com/brian/
"There are two ways of constructing a software design. One way is to
make it so simple that there are obviously no deficiencies. And the other
way is to make it so complicated that there are no obvious deficiencies."
Professor C. A. R. Hoare
The 1980 Turing award lecture
_______________________________________________
Lug-nuts mailing list -- lug-nuts(a)bigbrie.com
To unsubscribe send an email to lug-nuts-leave(a)bigbrie.com