I must admit I have mixed feelings on the whole actix-web fiasco.

I am of the belief than an open-source maintainer who is not paid for their work doesn't owe it to anyone to implement any particular feature, fix bugs etc.

On the other, we live in a world where our privacy is assaulted at every corner, so shipping knowingly (!) unsafe software is really irresponsible not only to one's direct users, but to downstream ones as well.

We should leave thank you notes to maintainers more often.

> so shipping knowingly (!) unsafe software is really irresponsible

@MatejLach

So nobody should ship anything except rust? I think you're exaggerating a bit here.

Follow

@mariusor That's not what I meant at all.

After all actix-web was a Rust project itself,

I personally write non-Rust code daily.

What I meant is that the maintainer was alerted multiple times to unsoudness and safety violations & he dismissed suggested patches addressing them as boring.

There's some degree of 'good internet citizen' required, but I think a small one-liner in the README that soundness and safety are not the goal would be kind.

Tor & other privacy SW have disclaimers too.

@mariusor This does not excuse nasty comments towards the maintainer like "never write Rust again" etc. which are inexcusable and dismiss the pioneering work that the maintainer did put in.

It was one of the first async Rust web frameworks for example, back then building anything async was an undertaking in itself.

That's why I said I am conflicted. None of the sides handled it well, but it wasn't 100% just people being unreasonable for no reason either.

@MatejLach I understood what you meant. I just think that a maintainer is under no obligation (especially if their code is under a "no warranties" licence) to do _anything_ that they don't want.

@mariusor I agree, thus I never suggested that they did, however I do think from an ethical standpoint it would be nice to know what their stance on soundness and safety are, especially after repeatedly asked.

Not a requirement for sure, certainly not a legal one, but as I said, at least a disclaimer would've been nice. Especially because this concerns security, not feature requests.

I don't like the framing necessarily, but it could be considered somewhat of a 'moral responsibility' perhaps

Sign in to participate in the conversation
Matej Lach's mastodon

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!