| ▲ | Timshel 12 hours ago |
| Especially since it appears there is a solution if you truly need a fix. |
| > Or you get a support contract and we get to read about it earlier. |
|
| ▲ | bawolff 11 hours ago | parent | next [-] |
| > Especially since it appears there is a solution if you truly need a fix. |
| If you ever really need anything fixed in the open source world, there is always the option of doing it yourself. |
| |
| ▲ | matthewdgreen 5 hours ago | parent | next [-] | | Doing the fix yourself is almost always the easy part. Disclosing it and getting a patch shipped across the entire Internet is the hard part. | | |
| ▲ | layer8 4 hours ago | parent [-] | | Why would you personally need the entire internet to receive a fix? | | |
| ▲ | toast0 an hour ago | parent | next [-] | | It's handy if you run a service and the internet runs clients you didn't write to access said service. (or vice versa) Also handy if the internet is running a DDoS reflector and you're being targeted. Otherwise, usually no sense of urgency for fixes I did for me/my employer and want the rest of the world to benefit. My problem is solved now, everyone else can get it when it ships. | |
| ▲ | arwineap 3 hours ago | parent | prev [-] | | Running a fork is a lot of work. You need your fixes upstreamed so that you don't need to backport other people's fixes | | |
|
| |
| ▲ | alibarber 10 hours ago | parent | prev [-] | | Yes - and realistically, if you're $BIGCO who's shipped a billion devices with some obscure curl vulnerability you just discovered, then the hard part is going to be rolling out a patch to all of them anyway, which is still a 'you' problem. |
|
|
| ▲ | cat_plus_plus 11 hours ago | parent | prev [-] |
| In 2026 there is a considerably cheaper/quicker solution, but that in no way invalidates OSS maintainers' right to enjoy a summer vacation without interruption. |