Conversation

Notices

1. Embed this notice
   Fabian Giesen (rygorous@mastodon.gamedev.place)'s status on Sunday, 31-Mar-2024 21:00:11 JST Fabian Giesen

   And the reason I'm writing a whole thread about this is that fundamentally, I refuse to treat this as a problem when a lot of discourse around open-source libs very much wants to pretend that it is.

   I don't know, man. Some projects just exist to scratch a very particular niche itch and are maintained by people who have plenty of other things going on in their life and... that has to be OK?

   • Embed this notice
     Fabian Giesen (rygorous@mastodon.gamedev.place)'s status on Sunday, 31-Mar-2024 21:00:48 JST Fabian Giesen

     in reply to

     And "any open-source lib anywhere in the wild must be up to professional quality standards and respond to all bug reports in a timely fashion" is also a bullshit standard to apply to anything. It just doesn't work that way.

   • Embed this notice
     Fabian Giesen (rygorous@mastodon.gamedev.place)'s status on Sunday, 31-Mar-2024 21:00:49 JST Fabian Giesen

     in reply to

     ...so what's my point here?

     For foundational libs (including xz/liblzma) tons of people depend on, it sure would be nice if, assuming there are people who _want_ to be full-time maintainers, get to actually be paid for doing so.

     For something like the stb libs? I really don't know. I don't think we're foundational. If those libs disappeared overnight, nothing terrible would happen, people would just use other alternatives.

     pettter repeated this.
   • Embed this notice
     Fabian Giesen (rygorous@mastodon.gamedev.place)'s status on Sunday, 31-Mar-2024 21:00:50 JST Fabian Giesen

     in reply to

     I do have plenty of code that I professionally maintain (you know, at work, where I get paid to do so) where security issues get handled ASAP but... that's work.

     Like that's actual work. I do that (and other support, and other coding) full-time every week. I'm not going to spend my weekends doing the exact same thing I do at work too. (I did for a while and it was _bad_ for me. I'm not going back.)

   • Embed this notice
     Fabian Giesen (rygorous@mastodon.gamedev.place)'s status on Sunday, 31-Mar-2024 21:00:51 JST Fabian Giesen

     in reply to

     Like yes, I agree that it sucks that stb_image has a lot of exploitable bugs that often are around for months or years at a time but at the same time... we're completely transparent about this. Don't put this code in a security-sensitive context, especially if you need timely updates. We realistically can't serve that need and we have never claimed that we could.