item 30732489


lal | 4 years ago

I'm two days late, but this is an argument for a developer not removing a security vulnerability from a dead project they've stopped maintaining, not this. I feel like not actively choosing to push malware to a repository, where you know many, many automated systems will pull that malware onto the systems of your end-users due to a poor security model in the ecosystem you're developing in, is a very, very low bar of obligation as a maintainer.

Like, okay, you can't expect a doctor to save the life of every person who comes into the ER, but you can hopefully expect them not to start stabbing patients to death, and something should probably happen if they do, right?

Your argument makes sense for inaction (and is important and not brought up enough, honestly; there is a lot of entitlement in the open source world and people treat library developers in some pretty nasty ways), but not for action, as is the case here. The only obligation anyone expected here was the obligation to hold yourself back from making your project that gets millions of downloads per week point to malware.
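The "automated systems will pull that malware" point above rests on how npm version ranges resolve: a manifest entry like `^1.4.0` accepts any later 1.x release, so whatever a maintainer publishes next is installed without anyone choosing it. The block below is an added example, not code from the thread or from any project it discusses. It implements the three common range forms (exact, `~`, `^`) following npm's semver rules and reports which entries of a constructed package.json would accept a freshly published version; the package names and versions are made up for illustration.

```javascript
// Added example (not from the thread): a minimal matcher for the three
// most common npm range forms, used to show which dependencies in a
// package.json would silently accept a freshly published version on
// the next unlocked install. Package names/versions are constructed.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Lexicographic compare of [major, minor, patch] triples.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns true when `candidate` is inside `range`. Rules follow npm's
// semver for the forms handled here:
//   "1.2.3"  exact match only
//   "~1.2.3" >=1.2.3 <1.3.0  (patch updates only)
//   "^1.2.3" >=1.2.3 <2.0.0  (minor and patch updates); for 0.x majors
//            the left-most non-zero component is the one that is fixed
function satisfies(range, candidate) {
  const r = range.trim();
  const op = r[0] === '^' || r[0] === '~' ? r[0] : '';
  const base = parseVersion(op ? r.slice(1) : r);
  const cand = parseVersion(candidate);
  if (cmp(cand, base) < 0) return false;
  if (op === '') return cmp(cand, base) === 0;
  if (op === '~') return cand[0] === base[0] && cand[1] === base[1];
  // caret
  if (base[0] !== 0) return cand[0] === base[0];
  if (base[1] !== 0) return cand[0] === 0 && cand[1] === base[1];
  return cmp(cand, base) === 0; // ^0.0.z is effectively exact
}

// Given a parsed package.json and a (name, version) that was just
// published, list the dependency entries whose range would pull it in.
function exposedTo(pkg, name, publishedVersion) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies'];
  const hits = [];
  for (const s of sections) {
    const range = pkg[s] && pkg[s][name];
    if (range && satisfies(range, publishedVersion)) {
      hits.push({ section: s, range });
    }
  }
  return hits;
}

// Constructed sample manifest (hypothetical package names).
const samplePackageJson = {
  dependencies: {
    'example-colors': '^1.4.0', // accepts any 1.x at or above 1.4.0
    'example-faker': '5.5.3',   // exact pin: a new 5.5.4 is not taken
  },
  devDependencies: {
    'example-tool': '~2.1.0',   // accepts 2.1.x only
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // A maintainer of example-colors publishes 1.4.1: the caret range
  // in "dependencies" accepts it, so an unlocked install picks it up.
  console.log(exposedTo(samplePackageJson, 'example-colors', '1.4.1'));
  // The exact pin on example-faker ignores a new 5.5.4.
  console.log(exposedTo(samplePackageJson, 'example-faker', '5.5.4'));
}

module.exports = { parseVersion, satisfies, exposedTo, samplePackageJson };
```

The practical mitigations are the ones this makes visible: commit a lockfile and install with `npm ci` so resolution is frozen at review time rather than at build time, and set `ignore-scripts=true` in `.npmrc` so a newly published version cannot run install-time hooks even if it is pulled. Neither changes the ethical point of the comment; they only narrow how many end-users an unexpected publish reaches.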

urthor | 4 years ago

I agree, I think I misread.

If you actively distribute, as in push your code out to the world via pushing it into npm, that's very different to sharing the code on GitHub.