> "you owe nothing and can do with it what you wish: sell it, fork it, modify it" in exchange for "the author provides no guarantees and is not liable for this software".

This is demonstrably not how many people treat open-source authors. Just look at how the Log4J folks are feeling right now: https://twitter.com/yazicivo/status/1469349956880408583

I do have some open-source code out there where people have been mostly pleasant and reasonable. It's targeted at developers in particular niches and they do act mostly as you describe.

But once it shifts from a peer relationship to a producer/consumer relationship, things can easily get ugly. Ugly in a way that drives people out of open source and keeps people from open-sourcing useful code. You appear to be fine with that. But if anybody's delusional here, it's the people who expect to keep taking from open-source software without worrying about its sustainability.


The text of the tweet:

> Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people to bash us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns.

Why don't they 'resolve' the security issue by removing the feature and then set up a bug bounty for backporting fixes to the shitty feature? Then the companies that depend on it will actually be on the hook for once.

Too much collateral damage for downstream F/OSS? Too unseemly a move, in a moment of ‘crisis’?


I don't know why you're getting downvoted. This seems like exactly the right move.


So your proposed solution is for the open source maintainers to release a hotfix build and to put up their own money to host a bug bounty program so someone else can fix it?


I think what they mean is: If you want this misfeature back, pay us $50k to do it properly.


Can anyone recommend a service that allows people to back specific GitHub issues (pledge money) other than Bountysource?


You don’t really need a service, you can just post in the issue “I will pay $X for a merged PR that closes this issue.”


Commenting may work if the issue has one or two large backers that can independently be vetted to be trustworthy. But if there are several dozen small backers, having to track them all down after closing the issue seems less than ideal.