On 10/7/19 4:31 PM, Terry Judd via use-livecode wrote:
> These seem to be bounties for finding critical (mostly security-related) bugs rather than fixing them - hard to see large tech companies outsourcing their security fixes.
You'd have to separate proprietary from FOSS products here. One of the primary drivers of open-source software is that the innards are there for you to poke around in and fix. It's a community effort based on making the product better for everyone. If you find a bug, submit a patch that fixes it. That becomes part of the core and everybody's happy.
A reason that security bugs are reported often on proprietary software is that they're relatively easy to spot without having access to the source code. But this is more on the level of "here's the symptom, here's what you should do to fix it, now it's up to you to fix".
We already have an established system for reporting bugs, and LC are actively attending to fixing some/most of them. The problem (real or perceived) seems to be that either some bugs are left unattended for too long, or appear to attract such a low priority that they are effectively abandoned. Maybe a bounty system could work if LC were prepared to tag all bugs with a priority level, with each level having an estimated fix time associated with it. This would provide us (as potential clients of bounty hunters) with a semi-objective indication of whether it was worth stumping up some cash for a quick fix or simply waiting for LC to act. More work for LC though, tagging bugs and updating those tags fairly regularly.
Back in the old days LC/RR had a voting system on bugzilla. You had five votes you could allocate to bug reports, and this gave an indication of how many people were affected by a given bug. Since you have a limited number of votes, you get to select your Top Five - if a bug no longer affects you as much you can rescind that vote and allocate it to another report. I think reinstating this would be part of the solution.
But there's another quantitative ranking which has to come from the team, and that involves both bug severity and urgency/priority. I think with those three vectors of information (and perhaps a fourth, an estimate of the amount of work required to address the bug; although I've always hated to have to estimate that and end up being wildly optimistic) it might be possible to have a reasonable estimate of what it would take to get a given bug fixed.
My two centavos for the day.

--
Mark Wieder
ahsoftw...@gmail.com

_______________________________________________
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode