I must admit I have mixed feelings on the whole actix-web fiasco.
I am of the belief that an open-source maintainer who is not paid for their work doesn't owe it to anyone to implement any particular feature, fix bugs, etc.
On the other hand, we live in a world where our privacy is assaulted at every corner, so shipping knowingly (!) unsafe software is really irresponsible not only to one's direct users, but to downstream ones as well.
We should leave thank you notes to maintainers more often.
> so shipping knowingly (!) unsafe software is really irresponsible
So nobody should ship anything except Rust? I think you're exaggerating a bit here.
@mariusor That's not what I meant at all.
After all, actix-web was a Rust project itself.
I personally write non-Rust code daily.
What I meant is that the maintainer was alerted multiple times to unsoundness and safety violations & he dismissed suggested patches addressing them as boring.
There's some degree of 'good internet citizen' required, but I think a small one-liner in the README that soundness and safety are not the goal would be kind.
Tor & other privacy SW have disclaimers too.
@mariusor I agree, thus I never suggested that they did; however, I do think from an ethical standpoint it would be nice to know what their stance on soundness and safety is, especially after being repeatedly asked.
Not a requirement for sure, certainly not a legal one, but as I said, at least a disclaimer would've been nice. Especially because this concerns security, not feature requests.
I don't like the framing necessarily, but it could be considered somewhat of a 'moral responsibility', perhaps.
Metalhead.club is a Mastodon instance hosted in Germany and powered by 100% green energy.