Comment by CDSlice
5 years ago
Obviously being verbally abused is not OK no matter what the victim has done. This is a big problem and I think Steve's article that is currently on the top page of HN gives a good overview of that part of the situation.
My problem with viewing all open source as a gift to the world, take it or leave it, is this: when people create open source packages, market them as being ready for production use and as the best option for said production use, and then act unprofessionally towards security issues and reject patches that fix those security issues for no reason other than their being "boring" and "not creative enough", people should be able to call them out on it as unacceptable behavior for an open source maintainer. If actix didn't claim to be production ready and instead stated that it was an experimental code base designed to advance the state of the art in web server performance, I wouldn't have a problem with how it was managed. However, once you claim that something is production ready, I think you need to be ready to take responsibility for it.
I strongly disagree, with extreme passion.
They could have marketed it as the greatest gift to humanity for all I care. It's your responsibility to handle your use of code. Sure, you may find issues in your dependencies, and you're welcome to submit a bug or provide a fix, but if you expect anything more than the code as it is, it's still your problem how to deal with it.
The entitlement is astounding. A person providing free code doesn't owe you anything or "need to take responsibility" or whatever else you may want.
While that's true, expecting bad maintainership to not have any effect, and third parties not to discuss the quality of the software, is also a delusion. (And in practice, maintainers maintain, and I'm glad they do, because otherwise e.g. Linux distros would be complete absolute crap.)
What is also in the realm of possibilities is that a project gets a bad reputation and, through indirect effects or otherwise, dies. That happened here. However, in the effects we saw here, while the people proposing patches and debating in a civil way about technical flaws (or at the very least what was widely perceived as such) were fine, the brigading was absolutely inexcusable, as were the unproductive/nasty comments.
And we have yet to see any actual real-life problems with these "unsoundness" problems. Most of the issues raised in Actix were about theoretical problems.