Rambo76098
join:2003-02-21
Pataskala, OH
| reply to justin
Re: Doh
said by justin  :
who says they are not being responsible? seems to me, they take at least as much an interest in a quick fix as any for-cash software company does. And try asking microsoft or oracle for damages when their software has a problem!
Yeah but the last time i checked this was free and all the microsoft products i have i paid out my ass for. If im paying as much as i did for windows or office then im expecting it to be a good, quality, error free program(which windows is not!) but if something is free i will be happy if it works at all b/c i paid nothing for it and as long as my comp is not damaged or compromised, then i could care less. |
|
koitsu
Premium
join:2002-07-16
Mountain View, CA
| reply to justin
I've spent too many years working with OSS to confuse the two. The response I speak of I've received from members of the Apache team (re: RFC931/1413 flaw which could lead to a buffer overflow and still exists today, re: zombie processes caused on many systems in 1.3.29), developers of SpamAssassin (re: spamd leaving zombie processes around on BSD systems), BIND 8.x (re: potential security hole: zone transfer tempfiles put in main root dir only when using key-based authentication, requiring the daemon to have full rwx access to /etc/namedb, rather than putting them in the appropriate zone directory from each zone directive), GNU screen (re: code checking for ~/.nethackrc despite "nethack off" being specified in .screenrc), PHP 4.x (re: returning status code of 200 regardless of what Apache says is a legitimate command; still exists today), FreeBSD sendmail updates (re: expanding etc/mail/Makefile to support sendmail's "cidrexpand" script so one can use CIDR notation in etc/mail/access; this is more of a feature, but the response was a real let-down) and numerous other mainstream applications.
I've been trying to keep a list of all the issues I've reported which go either unresponded to or illicit the standard "You have the source, fix it yourself" response, but I run into stuff too often to maintain a coherent list...
I'm just one guy with very interesting experiences with the OSS community, most of them negative. But it still warms my heart (honestly) when I see an OSS developer step in and say "Thanks for reporting this! I'll provide and commit a patch in a few minutes," or simply push out a new release.
Anyways, without getting too off track, my point is that peoples' responsibilities shouldn't be nullified whether or not the application is free or commercial.
--
Making life hard for others since 1977. |
|
justin
Australian
join:1999-05-28
Brooklyn, NY | reply to koitsu
really? that doesn't sound like any OSS projects I can imagine. Are you sure you are not confusing requests for features you want, which may of course be ignored, with notification of important bugs and security problems? |
|
koitsu
Premium
join:2002-07-16
Mountain View, CA
| reply to justin
In the case of the MT folks, they've been generally pretty responsible when it comes to providing patches and being up-front with users about the impact of bugs or security flaws. It's good to see that some open-source developers still believe in taking responsibility for their code.
My statement was more general than it was specific to the MT authors; the majority of my experiences with OSS authors has been "since we give you the code, you can fix the problem yourself." It's that kind-of excuse which makes me wonder how many people live in hobbit holes...
--
Making life hard for others since 1977. |
|
justin
Australian
join:1999-05-28
Brooklyn, NY | reply to koitsu
who says they are not being responsible? seems to me, they take at least as much an interest in a quick fix as any for-cash software company does. And try asking microsoft or oracle for damages when their software has a problem! |
|
