In some open source projects there is a lot of leeching and little contributions.

In 2020 the sole developer of Invidious stepped away from development because of burn out. https://omar.yt/posts/stepping-away-from-open-source

Also in 2020 developer Raymond Hill archived the uMatrix browser add-on https://news.ycombinator.com/item?id=24532973

I will never hand over development to whoever, I had my lesson in the past -- I wouldn't like that someone would turn the project into something I never intended it to become (monetization, feature bloat, etc.). At most I would archive the project and whoever is free to fork under a new name. For now I resisted doing this, so people will have to be patient for new stable release.

What would actually help is that people help to completely investigate existing issues instead of keep asking me to add yet more features. Turns out people willing to step in the code to investigate and pinpoint exactly where is an issue (or that there is no issue) is incredibly rare.

Lol, you don't already operate this way in life?

Someone trying to guilt or pressure you has an agenda and isn't concerned with what's best for you.

Yes, you should totally do that. DO IT.

Open source is such a wild west at times.

You have your gatekeepers like Linus Torvalds who will call you a fucking moron if you submit something that looks remotely off.

You have your committees that you can submit a MR, but it has to go through the council of experts before it gets merged.

But the vast majority, it's a one or two person project and this was a side project because you had an issue you wanted solved. No financial reward, no acknowledgement. And so when someone gives it a iota of attention, you fall head over heels and hope they are like-minded and want to support this dream too.

I've always taken this attitude towards pushy people and tbh this is more or less why. Being pushy like this is inherently suspicious as fuck.

Anyone pushing you to do something you don't understand, or understand poorly. I could see an actual security researcher pushing for a code update to fix a vulnerability.

Heck, even as an occasional contributor I take some pride in seeing my fixes etc make it into the mainline codestream.

But yeah, you definitely need to be wary of somebody you only know from online pushing a change that doesn't make sense or you don't understand.

I've always been a fan of "pull requests welcome" when someone asks me for something.

Honestly that should go for all transactions. someone calls you to fix an issue or pressure you into buying something. Just hang up and call the company back. one thing I have learned from many years of support is the person calling always has power over the person being called. So flip the dynamic. same goes for car sales just walk away. hell go look at cars when you don't want one and practice just walking away and see how much power you get.

as a non developer myself, to my understanding, the vulnerabilities were implemented in test binaries?

If so, i question why those were shipped to the client. Unless they were built into the package itself on the mirror, in which case, still curious as to why that would be. I would think tests are entirely benign and do nothing. Seems like it would be incredibly bad practice to do otherwise?

Seems like an obvious vector to shutdown any potential fuckery. But what do i fucking know.