There is a huge gap between: a project (the corporation) and the volunteers having a track record of trying to work on things, and signalling an intent to do so, resources permitting; and them having a duty to people that use the code. The difference is basically the concept of liability. The license of NetBSD disclaims liability, and people who choose to use it do not have a basis to claim harm because TNF didn't do some update in a time frame they wanted. This is a huge point which cannot be overstated and should not be ignored. This is just the way it is everywhere, despite differences in wording.

You are basically saying that TNF and the TNF volunteers have some sort of duty to meet some not-clearly-stated set of expectations, and made the assertion that TNF not somehow processing an openssl pullup (from an upstream that did not release a patch release of the previous API/ABI stable) is a breach of duty to you and others.

From having worked on pkgsrc, it's obvious that there is an infinite amount of work to do, and that only some of it happens. And only so many people volunteer, and they fix what matters to them. That's not really a problem -- just how the world is.

To be logically consistent, you should complain to OpenSSL that they did not release a micro release that is basically the last version with *only* security patches. (I'm not complaining about that -- just pointing out that without that, managing openssl is harder.)

What I object to is the assertion that TNF has a duty to you to meet some performance standard in security pullups, and the assertion that people are entitled to some level of service. It's dangerous because the liability landscape is troubling in general, and statements that there is a duty muddy the waters.