On Thu, 21 Aug 2014, dev wrote:

>> In general this is a good thing: it makes the fix get tested for real
>> sooner and it helps their users avoid known problems sooner.
>
> OKay, I am pretty familiar with the process as I have been doing this sort
> of thing for a decade now. What always irks me is that some downstream
> organization ( I am glaring at Oracle ) will take source code from an open
> source project and then make changes and never release nor feed back the
> changes. That always makes me very curious and also get a bit tin-foil hat
> concerned.

Right, this happens. Without mentioning any names, I'm aware of distributions
that have been patching their curl packages for well over a decade without
ever even trying to send their patches to us. License wise we're about as free
and liberal as anyone can be and they're completely allowed to do this.

I'm not worried about this. We develop curl at such a rapid pace that very few
organisations willingly want to maintain lots of patches on the side for a
longer period. Sure it'll happen, but it doesn't happen at a scale that risks
becoming a danger to the project.

> Red Hat has been, for the most part, pretty damn good and they don't slide a
> back door into communications code. However there are code bits out there
> from other projects that have been viciously forked and then borked ( wodim
> is a good example ).

Yes but when using and installing binary packages from an organisation you
must of course trust that organisation to give you good stuff. Anyone
distributing software can mess it up for users, on purpose or by mistake.

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html