On 2016-04-25 09:27:34, Raphael Hertzog wrote:

> - I don't think that the bounty model gives the correct incentive for
> the security work, and you would have a hard time covering the hard
> packages...
I think this is a critical part of it. Bounties are fine and fun if you want to scratch an itch and someone happens to want to pay for it. But then you'd probably do it anyway if there was no bounty either. It's a small incentive, often not sufficient to get hard things done, and most of the time not enough to pay the rent.

Security work is basically the opposite of that. You need to triage painfully through obscure issues in programming languages you are not necessarily comfortable with. There's a lot of legwork that needs to happen before a patch actually comes through: sometimes, most of the work is just that: triaging and closing issues... And even if you actually close a CVE, you are actually porting an already existing patch most of the time: it's not original work. So in the end, why should *you* get that bounty and not the original author? It gets weird real quickly IMHO.

A.

-- 
Premature optimization is the root of all evil - Donald Knuth