Posted by goranmoomin 11 hours ago

Vulnerability reports are not special anymore (words.filippo.io)
280 points | 152 comments | page 4

enraged_camel 8 hours ago
>> A requirement for staying sane while working in public as an open source maintainer is realizing that every issue, PR, and piece of feedback is a present, not an obligation.

I don't think the gift analogy works well. In most cultures, turning down or even ignoring a gift is considered anywhere from impolite to hugely offensive. But that's the opposite of open source: there's nothing wrong with requesting changes to a PR or even closing it.

cpuguy83 8 hours ago
Plenty of people are offended by having a PR or issue closed unresolved.

gib444 2 hours ago
I guess we now need AI tools to filter security report spam. I'll go out on a limb and say such products already exist.
zeveb 9 hours ago
> If a security vulnerability is reported by someone who is also violating the CoC, what do you do? Do you ignore it? Fix it silently?

Is this even a question? You triage and fix the vulnerability just like any other one. Are truths spoken by folks one dislikes — even for perfectly valid reasons — any less true?

The only way I can imagine this somehow applying is if someone has a habit of reporting vulnerabilities which do not exist, or of exaggerating their severity. Is crying wolf a CoC violation? If so, then I can imagine that particular sort of bad behaviour justifying some consideration before acting on a report.

fragmede 8 hours ago
How badly are they violating the code of conduct? It wouldn't be the first time a security researcher got thrown into prison or jail, in this line of work.
calvinmorrison 9 hours ago
Will xorg backport patches from Xlibre?

inigyou 7 hours ago
No, because xorg is a dead project that doesn't take any patches from anywhere and xlibre has shit code quality and is probably vibecoded now
sheerazali 3 hours ago
[flagged]

shipfastai 6 hours ago
[dead]