(10-26-2010 08:50 AM)leefish Wrote: So he has tried to tell people - but often they don't want to hear it, given their options of
1) Take down the plugin and admit they made poor code
2) Leave it up there and bask in all the "Thanks man" posts.
I think option 3) (the "right" option), fix it and release a fixed version, is not an option for many people who make these codes as they don't know HOW to fix it.
That example linked to was a prime case of a numpty who just doesn't want to hear it and has blanked an attempt to highlight errors in his plugin. He's been given the opportunity to sort it, so deserves whatever happens now that he's ignored the information.
With regards to "coders" not knowing how to sort problems, they don't have that as an excuse. Even if they're inexperienced, half an hour on various sites explaining how exploits can happen would have given him the knowledge to sort that exploit, so ignorance is only a transient excuse they can use.
(10-26-2010 10:33 AM)ZiNgA BuRgA Wrote: I don't really have a preference actually. Whether they report it publicly or privately is their choice.
I would MUCH rather it be reported, through any means, rather than it being kept private. Only then do I have the ability to improve.
And no, I don't expect that my code is 100% perfect, but similarly, if there is an issue in it (within reason), I'm 100% responsible for it.
Code can be made exploit free with good design (of course, this is rarely followed). If you code correctly, the probability that there actually will be an exploit will be close to 0%. No-one turns out 100% perfect code, but you can certainly get close to it.
When put that way, it sounds better than in your previous post.
I totally agree on your point of good coding practice minimising the probability of anything unexpected or untoward occurring, btw. Unfortunately, those of us who do care about our coding standards seem to be in the minority, as you've obviously noticed too. Saying that though, after making one schoolboy type error the other month (still kicking myself over the fact I overlooked something so simple), I can also appreciate just how easy it is, on occasion, to overlook something which can have a detrimental effect. It was a simple fix, granted, but a slip nonetheless.
Quote:Anyway YES, it IS nicer to report privately (for most people that is; I don't mind either way), just as it IS nicer to donate your life savings to charity, or spend your whole life developing for a free project.
I'm saying here that I'm not that sort of person and I don't have the time for it. I have tried many, many times in the past to report issues, but practically they've been ignored every single time. And this is all the SAME problem. This is NOT a case of people merely making mistakes. This IS a case of the community just being stupid as a whole, and simply refusing to learn (assuming they ever had the ability to do so to begin with).
I presume you're talking mostly from the point of view of an outsider, but once you've actually experienced how bad customisations generally are, perhaps you'll understand better. A systematic problem requires a systematic fix, and your solution is simply a waste of time.
With regards to a certain community's ability to take bug reports and suchlike onboard and act on them, I can understand what you mean there. I know from previous times I've seen mention that it does appear you are attempting to plait snuff over there when reporting problems. On a wider scale, developers do tend to be far more receptive to bug reports though. I think the above site tends to taint one's opinion a tad in that regard.
Quote:I don't care what people think of me. I never did, and I'm not trying to appear altruistic like many others out there (who really aren't) and hide hidden agendas. So think of me any way you wish.
Nowt wrong with that attitude.
Your stance on things does make far more sense now that you've explained it in more depth though. It just seemed a bit blasé the first time around.
Quote:And FYI, MANY exploits are made public because the large companies behind the product simply refuse to put the effort to fix anything unless it's made public. How about we just ditch this stupid additional process and jump straight to the point already?
They make the rod for their own back, so they have no reason to complain and deserve whatever outcome they get. Conversely though, when a software Dev or team are very receptive to all problem/bug reports, it is better to give them a slight lead on sorting a problem before it goes public. No need to tar all Devs with the same brush.
Quote:Actually, I don't think I'll bother. I don't know why I should even bother wasting time pointing out this. Leave the exploits in the code, maybe some hacker will discover it and put it to his advantage some time.
From your previous post, I couldn't quite figure out whether you were just young or merely older and jaded. I'm guessing now though that it's the latter of the two?
P.S.: Apologies for the length of this post.