hypeatei a day ago

The maintainer should just open a new issue for RFC compliance himself since that's a pretty big issue and he obviously thinks OP spams too much.

This game of stalling / obfuscating via the issue tracker gets very old.

lelanthran 4 hours ago | parent | next

> The maintainer should just open a new issue for RFC compliance himself since that's a pretty big issue and he obviously thinks OP spams too much.

Reading the issue tracker, why would he do that unless he could repro?

> Hi @feld , I can't really tell if this is related to the ticket that you pointed out. I'll be helping you with this issue as well as looking into the other ticket. Can you give me step by step instructions on how to reproduce what you are seeing? Please note that I have limited experience with HAProxy and Erlang.

> ...

> I've successfully connected to the server with the examples/client/client and I cannot reproduce what you are seeing. I've built with both WOLFSSL_TLS13_MIDDLEBOX_COMPAT defined and undefined.

He only gets a reply six months later!

This, I feel, clearly shows Feld's intentions - he wasn't interested in getting it fixed, it was not a bug for him, but he was interested in spreading the word about it. i.e., to me, anyway, it looks like Feld is more interested in writing outrage-bait than getting a working product.

I've used WolfSSL in anger and the experience was much better than OpenSSL and AWS-lc.

Looking at the ticket itself, I consider the responses from the dev team to be pretty good support - better than some paid products I have used.

toast0 12 hours ago | parent | prev | next

I can see both ways here.

If the maintainer just opens the concise bug report they want (RFC .... Section ... If TLS1.3 is negotiated and client sends session id, server must send cipherchangespec), they have what they want and can move on with their life.

However, if the maintainer can get the reporter to do it, the reporter has become a better reporter and the world has become a better place.

IMHO, the original bug report was pretty out there. Asking a library developer to debug a client they don't use with a server they didn't write either is pretty demanding. I know openssl has a minimal server, I expect wolfssl does too? That would be easier to debug.

Actually, on re-reading the original report, the reporter links to a discussion where they have all the RFC references. Had the reporter summarized that to begin with, rather than suggesting a whole lot of other stuff (like a different wolfssl issue that has to be completely unrelated), I think the issue would have gone better.

I will further add that putting a MUST in an appendix seems kind of poor editing. It should have been noted in section 4.1.2 and/or 4.1.3 that a non-empty legacy_session_id indicates that the server MUST send a cipher change spec. It's not totally obvious, but if the client requests middlebox compatibility, the RFC says the server MUST do it. If the client doesn't request it by sending a legacy session id, the server can still send a superfluous change cipher spec message if it wants, although I don't know if it will help without the session id.
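
The rule discussed in the comment above is RFC 8446, Appendix D.4: when the client sends a non-empty legacy_session_id, the server echoes it in legacy_session_id_echo and MUST send a dummy change_cipher_spec record immediately after its first handshake message (ServerHello or HelloRetryRequest). The following is an added example, not code from the thread or from wolfSSL, that checks a captured server flight for exactly that. It builds its own constructed ClientHello and server flights as sample input (a minimal hello with no extensions, so not a complete TLS 1.3 ClientHello, and an opaque application_data record standing in for the encrypted rest of the flight); the function names and the verdict strings are this example's own. Because a HelloRetryRequest is encoded as a ServerHello, the same check covers both cases.

```python
"""Check the RFC 8446 Appendix D.4 middlebox-compatibility rule on a server flight."""
import struct

CT_CHANGE_CIPHER_SPEC = 20
CT_HANDSHAKE = 22
CT_APPLICATION_DATA = 23
HT_CLIENT_HELLO = 1
HT_SERVER_HELLO = 2
TLS12_LEGACY_VERSION = b"\x03\x03"


def _records(data: bytes):
    """Split a raw byte stream into (content_type, payload) TLS records."""
    off = 0
    while off < len(data):
        if off + 5 > len(data):
            raise ValueError("truncated record header")
        ctype, _ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        yield ctype, body
        off += 5 + length


def _hello_session_id(handshake: bytes, expected_type: int) -> bytes:
    """Return legacy_session_id (ClientHello) or legacy_session_id_echo (ServerHello)."""
    if handshake[0] != expected_type:
        raise ValueError(f"expected handshake type {expected_type}, got {handshake[0]}")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    # legacy_version(2) + random(32), then the <0..32> session id vector
    sid_len = body[34]
    if sid_len > 32:
        raise ValueError("session id longer than 32 bytes")
    return body[35:35 + sid_len]


def check_middlebox_compat(client_hello_record: bytes, server_flight: bytes) -> dict:
    """Verdicts (names chosen for this example):
      "ok"          - no compat requested, or requested and CCS follows the ServerHello
      "missing_ccs" - client sent a non-empty session id, server sent no CCS after ServerHello
      "bad_echo"    - legacy_session_id_echo does not match what the client sent
    """
    ctype, ch = next(_records(client_hello_record))
    if ctype != CT_HANDSHAKE:
        raise ValueError("client record is not a handshake record")
    client_sid = _hello_session_id(ch, HT_CLIENT_HELLO)

    recs = list(_records(server_flight))
    if not recs or recs[0][0] != CT_HANDSHAKE:
        raise ValueError("server flight does not start with a handshake record")
    server_sid = _hello_session_id(recs[0][1], HT_SERVER_HELLO)
    # D.4: the dummy CCS must directly follow the server's first handshake message
    ccs_after_hello = len(recs) > 1 and recs[1] == (CT_CHANGE_CIPHER_SPEC, b"\x01")

    if server_sid != client_sid:
        verdict = "bad_echo"
    elif client_sid and not ccs_after_hello:
        verdict = "missing_ccs"
    else:
        verdict = "ok"
    return {"client_session_id_len": len(client_sid),
            "ccs_after_server_hello": ccs_after_hello,
            "verdict": verdict}


# --- constructed sample input (not a capture from any real server) ---------------

def _record(ctype: int, payload: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload


def _handshake(htype: int, body: bytes) -> bytes:
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def build_client_hello(session_id: bytes) -> bytes:
    """Minimal constructed ClientHello: one cipher suite, empty extensions."""
    body = (TLS12_LEGACY_VERSION + b"\x11" * 32
            + bytes([len(session_id)]) + session_id
            + b"\x00\x02" + b"\x13\x01"     # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                   # compression_methods: null
            + b"\x00\x00")                  # extensions: empty (sample only)
    return _record(CT_HANDSHAKE, _handshake(HT_CLIENT_HELLO, body))


def build_server_flight(session_id_echo: bytes, send_ccs: bool) -> bytes:
    """Constructed ServerHello, optional dummy CCS, then an opaque encrypted record."""
    body = (TLS12_LEGACY_VERSION + b"\x22" * 32
            + bytes([len(session_id_echo)]) + session_id_echo
            + b"\x13\x01" + b"\x00" + b"\x00\x00")
    flight = _record(CT_HANDSHAKE, _handshake(HT_SERVER_HELLO, body))
    if send_ccs:
        flight += _record(CT_CHANGE_CIPHER_SPEC, b"\x01")
    return flight + _record(CT_APPLICATION_DATA, b"\xaa" * 16)


if __name__ == "__main__":
    sid = bytes(range(32))
    for label, ch, sf in [
        ("compat requested, CCS sent", build_client_hello(sid), build_server_flight(sid, True)),
        ("compat requested, CCS omitted", build_client_hello(sid), build_server_flight(sid, False)),
        ("no compat requested", build_client_hello(b""), build_server_flight(b"", False)),
    ]:
        print(f"{label}: {check_middlebox_compat(ch, sf)['verdict']}")
```

To run it against a real capture, feed the raw bytes of the client's first record and of everything the server sent back as `client_hello_record` and `server_flight`; the check only needs the plaintext ServerHello and the record after it, so the encrypted remainder can be passed through untouched.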

deng a day ago | parent | prev | next

> The maintainer should just

Out of interest: which FOSS projects are you maintaining, and how many users do these have, approximately?

thayne 9 hours ago | parent | next

I maintain several FOSS projects, although none as popular as wolfssl. If I want to make a new issue to make it cleaner, I usually do it myself, because then I can write it the way I want, and include the information, and only the information, that I think is important. If I ask someone else to do it, there's a pretty good chance they won't write it the way I would like, if they write it up at all.

hypeatei a day ago | parent | prev | next

Out of interest, how is that relevant? Are we not able to criticize a FOSS maintainer's response unless we run a project of scale ourselves? The maintainer is clearly engaging and knows what the problem is but stalls on the "last mile" which is issue creation. Do you agree?

wolfSSL also sells commercial licenses so it's not like they're going uncompensated for their work. Regardless, we shouldn't put people on pedestals because their title is "FOSS maintainer".

phoronixrly 10 hours ago | parent | next

Unless you're paying you are not entitled to anything apart from forking and fixing it yourself.

You are especially not entitled to bullying maintainers as has been unfortunately the standard in infosec.

Open source is not about you.

https://gist.github.com/richhickey/1563cddea1002958f96e7ba95...

IMO more projects have to explicitly state this for example in a terms document, like https://github.com/mhoye/maintenance-terms/blob/main/MAINTEN...

perching_aix 8 hours ago | parent

> Open source is not about you.

You know a social movement went full circle when a criticism that is so scathing, you couldn't have possibly come up with it and make it trend before, even if you gave it your all, is now a motto and a point of pride for those who follow it.

This is happening at the same time where hundreds of millions of regular variety consumers are being fed propaganda daily about how it's "finally time to switch to Linux", because it's so much better for them, the individual. If only they knew it's apparently not actually about them, never has been, and never will be.

phoronixrly 7 hours ago | parent

When exactly is 'before'? Before Github existed to put front and center your code and its issues? Before it became an expectation to have a rich Github profile when you're considered for a job position?

Of course I wouldn't have been able to come up with this statement because the perverted view of OSS devs owing free work to the users of their software was not so pervasive.

On your edit: a bit rich calling the calls for switching to Linux propaganda, especially with the downturn of UX of windows and macos... Also, why just hundreds of millions? Go for hundreds of billions if you're just going to pull out numbers. Apart from that - even if Linux is not about the users, it is in many cases better for them as-is. Funny how that works with no conflict.

perching_aix 7 hours ago | parent

> When exactly is 'before'?

"Exactly"? I'm afraid that's not a very physically sound request. But let's say, prior to 2026-02-14T03:46:03Z then. I hope that suffices.

> Of course I wouldn't have been able to come up with this statement

That would make sense, because you specifically I never expected to: https://en.wikipedia.org/wiki/Generic_you

> Also why just hundreds of millions.. Go for hundreds of billions if you're just going to pull out numbers

You see, that would be because I did not just pull out an arbitrary number. "How many Windows users there are" is a reported fact you can just search for, and even the total is not "billions" (plural). I know, I was surprised too. From the horse's mouth: https://blogs.windows.com/windowsexperience/2025/06/24/stay-...

phoronixrly 3 hours ago | parent

My first comment on this site pointing out that a FOSS user sounds entitled is from 2021. I've been saying it outside the site for 10+ years, spanning back to the time when it wasn't cringe to have a Github sticker on your laptop.

deng a day ago | parent | prev

[flagged]

hypeatei a day ago | parent

> you probably wouldn't feel so entitled.

...what? Are we living in the same universe? What exactly did I say that makes me entitled?

> The user in question does not have a commercial license

Do you know that for sure or are you speculating?

> We shouldn't shit on other people's work we got for free

When did I shit on the work of wolfSSL? I'm saying that it appears they were engaging but got hung up on a small issue.

> It's you who needs to get down from that pedestal.

Respectfully, you need to get a grip.

pseudohadamard 3 hours ago | parent | prev

That's actually impossible to answer. I maintain or contribute to or have contributed to several FOSS projects whose number varies depending on how you want to count them, and neither myself nor anyone else who contributes to any FOSS project has the faintest idea how many people use them, especially if they're included in widely-used distros where the number is anything from zero to $number_of_distro_users.

ablob 4 hours ago | parent | prev | next

The blog-poster wasn't happy with the issue being closed, so somehow I doubt that opening a new issue and referencing this one would've yielded a different result from what we got now.

otterley 12 hours ago | parent | prev

Why should that be the maintainer's burden?

freeopinion 8 hours ago | parent | next

Presumably, the maintainer wants the best for the product and its users. So they have a definite interest in documenting a todo list.

Presumably, the user wants the best for the product and their ability to use the product. So they have a definite interest in documenting a todo list.

It doesn't make sense for the two to be at war with each other. It is no big deal for the maintainer to ask a favor. It's not too big of a deal for the user to decline. There's no need to attack.

I have often dropped a note to the maintainer of a project I bumped into. I'm sure they would prefer a bug report in their official forge. But I don't really use their software except for this one time. I'm not willing to jump through the hoops to create an account in yet another SaaS just to file this one report. Just dropping them an email was a courtesy. But often they don't interpret it that way. I'm perfectly un-insulted if they just delete my note and never "fix" the issue because it didn't come through proper channels.

No attacks. No war. Just well wishes. But I might very likely avoid the product if I'm ever back in those woods. Not out of anger or retribution. Just because I'll remember that the product had at least one sharp edge for my use case and the maintainer was a bit overwhelmed by the weight of supporting my niche use case. That doesn't make the maintainer a bad person or even a bad maintainer.

phyzome 8 hours ago | parent | prev | next

If the maintainer is trying to write something RFC-compliant, and someone reports a violation of the RFC, it sure seems reasonable for the maintainer to want to track that.

If they don't want to, that's certainly their right, but it also tells us something about that project.

ikiris 6 hours ago | parent | prev | next

Because they're the ones asking for the administrative burden of refiling a basic RFC violation bug?

naasking 9 hours ago | parent | prev

If they're doing this and bothering to interact with tickets at all, presumably they've willingly taken on a duty to the software's quality and all that that entails.