Reading the issue[1] I think the IBM request is a lot more reasonable than this tweet makes it seem. The issue is that a mitmproxy dependency has a CVE, mitmproy updated the dependency (in March), but hasn't made a stable release yet with this update (last release from Nov 2022), and IBM guy is asking "when do you plan to tag a release? Do you have a timeline for this so we can communicate this to our customers?"<p>Notably it's NOT asking for a fix; "when will you fix it?" is not accurate as there is nothing to be fixed. It's just asking "when do you plan to make a new release with this dependency update?"<p>I don't think that's an unreasonable question. I <i>also</i> don't think it's unreasonable to ask for a support contract if you want these kind of fixes shipped within a certain timeframe, but the question is a lot more reasonable than it seems at a glance and immediately coming back with "email me for a support contract" seems a bit over the top to me. I could have asked this question and I think most people here could.<p>[1]: <a href="https://github.com/mitmproxy/mitmproxy/issues/6051">https://github.com/mitmproxy/mitmproxy/issues/6051</a>
OP here. To be clear, I don't mind the release question at all, it's valid! But the context should be along the lines of "we have an interest in this, how can we help make it happen" (contributions or $) and not "you are causing problems for our customers". I don't want the requestor to have a miserable time because of a badly-worded comment, I want large companies to have a healthy relationship with FOSS.
This sounds very much like the idiocy of "infosec" lunkheads who know nothing about what they're "fixing" but if an automated system tells them a CVE exists, they've absolutely got to have it "patched". They don't look into what the claims of the CVE are, or whether their specific use case is vulnerable. They don't know, they don't care, they're not even programmers. All they know is a box needs ticking.<p>A similar thing happened with h2database - a "security researcher" found that if you do something you're <i>told not to do</i>, then bad things happen.. but they demanded and got a CVE allocated anyway. Anyone who looks at it realises it's bullshit, but the mere existence of a CVE is all that matters to these idiots.<p>What the h2database developer said about it: <a href="https://github.com/h2database/h2database/issues/3686#issuecomment-1448502155">https://github.com/h2database/h2database/issues/3686#issueco...</a><p>> I struggle to understand why I should feel the slightest shred of sympathy for "major corporations" that are using a volunteer-developed open-source project. Feel free to get your corporation to pay someone to deal with this, or pay for a similar commercial library.
I’ve had sudden spike of ”when will you fix this” and „I am also affected, this is important!” comments on one of my projects. It was very odd to see sudden interest like that.<p>But around the same time I’ve got an email with apology explaining that company’s boss asked employees to stir up the pot to pressure me into a fix, pretending its affecting far more people than it really did.
Sounds to me like somebody learned that using an aggressive/threatening tone has been highly effective at their own job and doesn't their negotiating position here is quite different.
There is a subtle difference between "I would like to know when this will happen so I can make plans"and "I need this done because I'm being paid for your work, please hurry". If the requester left out the background information, the tone of the request would have been more of the former and less of the latter.
Corporate entitlement about using open source (and demand support for it) is enormous. I would love if licences with usage restrictions were more popular, and the OSI wouldn't just say "that's not open source!!!". It would prevent these kinds of situations.
While the behavior from "FrugalGuy" is immature and childish, a better way for the mitmproxy maintainer would be to post a polite but firm response, one that leaves no room for error or drama such as this one:<p>> As per the mitmproxy license, the software is provided as-is without warranty, and project maintainers are currently constrained by other priorities and deliverables.<p>> As such, statements on the Github issue tracker are not considered as sufficient justification for the prioritization of issues. The only way to prioritize issues would be to enter a support contract, available [here], the terms of which we will be happy to discuss further.
I think a year's salary of an engineer (which is NOTHING at certain corporate scales) would make the fix happen in matter of weeks and it is only fair.<p>OR if you absolutely don't want to pay then other way would be to allocate one of your own engineer for few months to patch the parts you need for the paying customers and contribute upstream.<p>EDIT: SORRY - This one year one engineer compensation is just my own limited incorrect estimation. I am no position to say what's exactly worth in but I would estimate few months of effort for an engineer that's NOT familiar with the code base, probably.
I've just realized, if you don't want your code to be used for commercial purposes, instead of using the GPL, just claim your project has a critical risk vulnerability.
It seems more interesting to discuss the implied underlying situation here than focus on any individual actor's tone.<p>It seems from the interaction that a part of IBM has (1) taken software that explicitly has no warranties, (2) repackaged it and sold it for profit by unilaterally adding new warranties of their own creation, and (3) attempted to redirect the burden of compliance with those warranties to the original authors (who had explicitly disclaimed any such warranties).
Some idiot just commented on the Github issue attacking the guy and telling him "Welcome to Hacker News".<p>That commenter is equally stupid. Has no involvement with the project and nothing to gain by being inflammatory.
I've worked on many commercial products that have incorporated open source components (and respected their licenses.) I was always under the assumption that it there was a problem with the open source bits, it was MY responsibility to resolve those problems for my customers, because it was part of the product I was shipping. Full Stop.<p>That almost always meant getting into the code and fixing what I needed fixed and (hopefully) getting a PR accepted so it'd be in the next release. If I needed fixes from the maintainer to support my commercial product, I'd expect that I'd need to pay...something to make it a priority for them. I mean, my problems aren't their problems, right?
Have developers forgotten how to publish community forks to package managers? I believe the reason projects wait for releases is to allow the community to find bugs and the release to stabilize. If the community is rushing the publisher, they would be better off cutting their own beta releases, because a primary namespace semver does not magically make the changes stable.
PM gone astray, wow. I can understand asking - even being a bit robotic in doing so. The first time. The email is too much, you got your answer.<p>To get a firm date you need a contract
This points to such a great communication principle, including one that HN/dang promotes -- if the point remains the same, then take out anything else, especially when it's personal or potentially inflammatory.<p>Now, instead of a fairly simple and straightforward issue as the current top comment points out, this has blown up between parties and on the internet because of the completely unnecessary "extortion" remark.
I think even more disheartening here would be giving a response the commenter requested and then not even getting a "thank you" in return, which happens all too often.
This is the correct response whenever a corporate OSS user shows up and reveals themselves as such. 'For corporate users, we can arrange a support contract to answer questions. For non-corporate users, support is provided via the community forum.'
Context: the fix is already in a main branch, waiting for a release tag.<p>I wonder if it is possible to fork the repo as is, build the product/library on question and use it? What is the procedure to convince the regulator that CWE is fixed and it's okay to go on?
Is it really rude to <i>ask</i> an OS maintainer when they plan to release X, and explaining why they care about this topic? Emphasis on ask - not demand. The maintainer is well within his rights to ignore or refuse the request. But going on twitter to put someone on blast for "may not be the best way to introduce yourself"? I have no idea who Maximilian is, but he doesn't come across well in this exchange.
More and more convinced that full FOSS is not the way to go. It is a thankless job. There has to be a mixed license where it is Free until Revenue X$ and after that one has to acquire commercial license. It doesn't matter what the software is. Once you reach a certain threshold of revenue you have to pay for commercial license. Period.
Anyone wonders what their actual use case for mitmproxy for them is? For what they are using that type of software? I know infosec uses, but for what are they using it in this case.
Assuming this is Ron Craig from IBM, the bastions of funding open source projects & not winning outsourcing contracts by using FOSS software without donations.<p>Just pathetic
The dev's response on Github was unhelpful. The original comment just asked for a target date for the next release. Why didn't he just tell them? And if he didn't have a release scheduled (which I believe is the case here) then he should have just said so. Instead, he gave zero context and just asked for money. I agree that the person from the original post sent a VERY rude and useless email, but it's not like it was unprovoked.
The original question was polite and gave his reason for asking.<p>The developer's response was not helpful and a bit snarky.<p>A better response? "No, I don't have a target date; this is X on my priority list, after my paying work. If your company is willing to contract me for support, I can prioritize the release. Email me if you'd like to do that."<p>Companies pay for software all the time. Just make it easy for them to do so (IIRC that was posted on HN a little bit ago) and direct folks to that if they need priority support.<p>Otherwise, it can appear as if the developer has a "first one's free" mentality, where the user is now dependent upon broken software and the developer wants to charge for the fix.<p>"But the corporate guy's e-mail was rude and aggressive!" Yes, but his original questions was not; it was mhils who first responded like a jerk.
I don't think his characterization of this interaction is accurate. A plain reading of is question is he was just asking when the next released was planned, and without knowing more about what their native language is, and how they normally speak, I don't think you can really read anything more into it, especially over text.<p>And frankly from their perspective, your response does kind of read like extortion, e.g. "shut up or pay me". The thread already indicated that this was fixed and waiting for the next release [1] so I don't see how your response is appropriate to the asking when that was planned.<p>I can certainly understand why this guy is frustrated as an open source maintainer, but snapping like this doesn't help anything.<p>[1] <a href="https://github.com/mitmproxy/mitmproxy/issues/6051#issuecomment-1498535463">https://github.com/mitmproxy/mitmproxy/issues/6051#issuecomm...</a>
Why maintain, publicize, and promote an open source project if you're not willing to maintain it?<p>I also work in a highly regulated industry. IBM's request is reasonable.