
nwellnhof | 2 months ago

It should be noted that Google Project Zero doesn't care whether a software product is maintained by multi-trillion corporations or a single volunteer. Imposing an "industry-standard" 90-day deadline on an unpaid solo developer without offering any help or compensation whatsoever is not sustainable. It forced me to step down as maintainer of libxslt: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127

philipallstar | 2 months ago

The linked conversation looked pretty civil - looks as though you decided to step down, which is entirely reasonable, but I don't see anything forcing you or imposing anything on you.

ThunderSizzle | 2 months ago

Civil, but unreasonable. An unpaid maintainer of a free library isn't a vendor, and shouldn't be treated in any such way. A vendor is paid.

hnburnsy | 2 months ago

Google is a bunch of hypocrites, there are other cases where Google asked third parties for a disclosure extension and the fixes took longer than 90 days, but here is the most recent one I noticed...

https://news.ycombinator.com/item?id=43032464

Jiro | 2 months ago

You said "Being an unpaid volunteer, I also don't really care about external deadlines. I'll just make the issue and the fix public and people can patch libxslt themselves." But that's what they were going to do anyway if you didn't fix it--they were going to make the issue public. What's the problem?
