On Thu, Nov 13, 2025 at 4:54 PM Phil Steitz <[email protected]> wrote:

> The problem with that is who is authorized to "turn it off."  And in a lot
> of cases with deep nesting it really is not practical to analyze in detail
> whether a vuln is actually a risk, *and to ensure it does not become one.*
> For that reason, a lot of our users don't have the choice to ignore these
> things.

Really? What happens if they ignore them? The sky turns blue? A dog
barks in the night time? Elon Musk posts something stupid on Twitter?

I don't believe open source maintainers are responsible for fixing or
working around the broken development processes of large corporations
that aren't paying for that work.

Static analysis does sometimes find real issues, but most static
analyzers mostly report non-issues most of the time. Worse yet, they
compete with each other to see who reports the most non-issues. It's
just not reasonable to expect warning free builds.

-- 
Elliotte Rusty Harold
[email protected]
