Give a bug a hug

Mark Wieder ahsoftware at sonic.net
Mon Oct 7 20:01:02 EDT 2019


On 10/7/19 4:31 PM, Terry Judd via use-livecode wrote:
> These seem to be bounties for finding critical (mostly security-related) bugs rather than fixing them - hard to see large tech companies outsourcing their security fixes.

You'd have to separate proprietary from FOSS products here. One of the 
primary drivers of open-source software is that the innards are there 
for you to poke around in and fix. It's a community effort based on 
making the product better for everyone. If you find a bug, submit a 
patch that fixes it. That becomes part of the core and everybody's happy.

A reason that security bugs are reported often on proprietary software 
is that they're relatively easy to spot without having access to the 
source code. But this is more on the level of "here's the symptom, 
here's what you should do to fix it, now it's up to you to fix".

> 
> We already have an established system for reporting bugs, and LC are actively attending to fixing some/most of them. The problem (real or perceived) seems to be that either some bugs are left unattended for too long, or appear to attract such a low priority that they are effectively abandoned. Maybe a bounty system could work if LC were prepared to tag all bugs with a priority level, with each level having an estimated fix time associated with it. This would provide us (as potential clients of bounty hunters) with a semi-objective indication of whether it was worth stumping up some cash for a quick fix or simply waiting for LC to act. More work for LC though, tagging bugs and updating those tags fairly regularly.

Back in the old days LC/RR had a voting system on bugzilla. You had five 
votes you could allocate to bug reports, and this gave an indication of 
how many people were affected by a given bug. Since you have a limited 
number of votes, you get to select your Top Five - if a bug no longer 
affects you as much you can rescind that vote and allocate it to another 
report. I think reinstating this would be part of the solution.

But there's another quantitative ranking which has to come from the 
team, and that involves both bug severity and urgency/priority. I think 
with those three vectors of information (and perhaps a fourth, an 
estimate of the amount of work required to address the bug; although 
I've always hated to have to estimate that and end up being wildly 
optimistic) it might be possible to have a reasonable estimate of what 
it would take to get a given bug fixed.

My two centavos for the day.

-- 
  Mark Wieder
  ahsoftware at gmail.com