JLLeitschuh commented on PR #371: URL: https://github.com/apache/commons-io/pull/371#issuecomment-1200526484
> Otherwise, even though I believe fixing these issues is beneficial to users, in the end your pull requests may end up stalled for a long time until a volunteer has time to reproduce, add tests, prepare the CVE/disclosure, etc. And it wouldn't be doing any benefit to users or maintainers in this case.

This is an unfortunate trade-off of this methodology. I don't have any control over the maintainer vulnerability handling timeline.

I agree that the net benefit, when looking at this on a project-by-project basis, is less than ideal. But when looked at at scale, the value proposition to the entire internet becomes clearer.

I can relate to the plight of the OSS maintainer. I am one myself, although not on one with quite as many users as this project.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
