how-to block ads
|
koitsu
Premium
join:2002-07-16
Mountain View, CA
| Re: Doh In the case of the MT folks, they've been generally pretty responsible when it comes to providing patches and being up-front with users about the impact of bugs or security flaws. It's good to see that some open-source developers still believe in taking responsibility for their code.
My statement was more general than it was specific to the MT authors; the majority of my experiences with OSS authors has been "since we give you the code, you can fix the problem yourself." It's that kind-of excuse which makes me wonder how many people live in hobbit holes...
--
Making life hard for others since 1977. | |
|  
justin
Australian
join:1999-05-28
Brooklyn, NY | Re: Doh really? that doesn't sound like any OSS projects I can imagine. Are you sure you are not confusing requests for features you want, which may of course be ignored, with notification of important bugs and security problems? | |
| |
koitsu
Premium
join:2002-07-16
Mountain View, CA
| Re: Doh I've spent too many years working with OSS to confuse the two. The response I speak of I've received from members of the Apache team (re: RFC931/1413 flaw which could lead to a buffer overflow and still exists today, re: zombie processes caused on many systems in 1.3.29), developers of SpamAssassin (re: spamd leaving zombie processes around on BSD systems), BIND 8.x (re: potential security hole: zone transfer tempfiles put in main root dir only when using key-based authentication, requiring the daemon to have full rwx access to /etc/namedb, rather than putting them in the appropriate zone directory from each zone directive), GNU screen (re: code checking for ~/.nethackrc despite "nethack off" being specified in .screenrc), PHP 4.x (re: returning status code of 200 regardless of what Apache says is a legitimate command; still exists today), FreeBSD sendmail updates (re: expanding etc/mail/Makefile to support sendmail's "cidrexpand" script so one can use CIDR notation in etc/mail/access; this is more of a feature, but the response was a real let-down) and numerous other mainstream applications.
I've been trying to keep a list of all the issues I've reported which go either unresponded to or illicit the standard "You have the source, fix it yourself" response, but I run into stuff too often to maintain a coherent list...
I'm just one guy with very interesting experiences with the OSS community, most of them negative. But it still warms my heart (honestly) when I see an OSS developer step in and say "Thanks for reporting this! I'll provide and commit a patch in a few minutes," or simply push out a new release.
Anyways, without getting too off track, my point is that peoples' responsibilities shouldn't be nullified whether or not the application is free or commercial.
--
Making life hard for others since 1977. | |
| | | |
|
