> Especially since it appears there is a solution if you truly need a fix.

If you ever really need anything fixed in the open source world, there is always the option of doing it yourself

matthewdgreen 7 hours ago | parent | next [-]

Doing the fix yourself is almost always the easy part. Disclosing it and getting a patch shipped across the entire Internet is the hard part.

▲

layer8 7 hours ago | parent [-]

Why would you personally need the entire internet to receive a fix?

▲

toast0 4 hours ago | parent | next [-]

It's handy if you run a service and the internet runs clients you didn't write to access said service. (or vice versa)

Also handy if the internet is running a DDoS reflector and you're being targetted.

Otherwise, usually no sense of urgency for fixes I did for me/my employer and want the rest of the world to benefit. My problem is solved now, everyone else can get it when it ships.

▲

arwineap 6 hours ago | parent | prev [-]

Running a fork is a lot of work. You need your fixes upstreamed so that you don't need to backport other people's fixes

	▲	lokar 5 hours ago \| parent \| next [-]
		For a couple months? Not a big deal
	▲	bawolff 3 hours ago \| parent \| prev \| next [-]
		Nobody said doing it yourself was neccesarily easy. Its just an option that is there.
	▲	layer8 2 hours ago \| parent \| prev [-]
		You don’t need to backport other people’s fixes. You only need to re-merge your patches into updated versions of the upstream (aka vendor branch), which usually is straightforward. Maybe you mean that if there are many people like you, they’d want to integrate each other’s fixes. But then you’d probably have the combined manpower to start maintaining a true fork.

▲

alibarber 13 hours ago | parent | prev [-]

Yes - and realistically, if you're $BIGCO who's shipped a billion devices with some obscure curl vulnerability you just discovered, then the hard part is going to be rolling out a patch to all of them anyway, which is still a 'you' problem.