Comment by bawolff
13 hours ago
> Especially since it appears there is a solution if you truly need a fix.
If you ever really need anything fixed in the open source world, there is always the option of doing it yourself
Doing the fix yourself is almost always the easy part. Disclosing it and getting a patch shipped across the entire Internet is the hard part.
Why would you personally need the entire internet to receive a fix?
It's handy if you run a service and the internet runs clients you didn't write to access said service. (or vice versa)
Also handy if the internet is running a DDoS reflector and you're being targeted.
Otherwise, usually no sense of urgency for fixes I did for me/my employer and want the rest of the world to benefit. My problem is solved now, everyone else can get it when it ships.
Running a fork is a lot of work. You need your fixes upstreamed so that you don't need to backport other people's fixes
Yes - and realistically, if you're $BIGCO who's shipped a billion devices with some obscure curl vulnerability you just discovered, then the hard part is going to be rolling out a patch to all of them anyway, which is still a 'you' problem.