It should be noted that Google Project Zero doesn't care whether a software product is maintained by multi-trillion corporations or a single volunteer. Imposing an "industry-standard" 90-day deadline on an unpaid solo developer without offering any help or compensation whatsoever is not sustainable. It forced me to step down as maintainer of libxslt: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127
The linked conversation looked pretty civil - looks as though you decided to step down, which is entirely reasonable, but I don't see anything forcing you or imposing anything on you.
What do you think of https://bughunters.google.com/open-source-security/patch-rew...?
It seems lately every piece of software is getting more and more vulnerabilities, failures, crashes. Microsoft products are exceptionally high on the list.
I don't understand why they wouldn't give a pre-release patch to the bug reporter (especially if it's someone like Google) for them to analyse before doing a final release.
If they were actively working with Project Zero instead of being seemingly silent, this wouldn't happen
This is where FOSS is still winning and will always win. Fixes happen in the open and bad fixes can be called out