
> What could have prevented this? More eyes on the pull request? It's wild that software nearly the entire world relies on for secure access is maintained by seemingly just two people [2].

It's open source. If you feel you could do a better job, then by all means, go ahead and fork it.

You're not entitled to anything from open source developers. They're allowed to make mistakes, and they're allowed to have as many or as few maintainers/reviewers as they wish.

https://gist.github.com/richhickey/1563cddea1002958f96e7ba95...




Strangely aggressive and unproductive response. GP has valid points. They are not acting entitled in any way.


I disagree. An obvious interpretation of what is quoted is entitlement.


How would you say someone should express such concerns without coming off as entitled? Or do you think they're not valid concerns? Or do you really think that if someone has such concerns, their only recourse is to start contributing to the project? That project of course being one of the most security-sensitive projects one could imagine.


> How would you say someone should express such concerns without coming off as entitled?

> Or do you really think that if someone has such concerns, their only recourse is to start contributing to the project?

Yes, I think one way to not come off as entitled when being critical to volunteers is to also offer volunteer work yourself.

And it's most helpful to provide feedback directly to the developers through their preferred means of communication.

> Or do you think they're not valid concerns?

Irrelevant what I think here, that's kind of the point. That's just my opinion.

> That project of course being one of the most security-sensitive projects one could imagine.

Agreed that the project is important. However, this is irrelevant, too, unless you're bolstering your "valid concerns" argument.


> Yes, I think one way to not come off as entitled when being critical to volunteers is to also offer volunteer work yourself.

So what level of contribution is the bar here? I mean, what's the commit count? Do I have to be developing core features for years? Does writing docs count? Do I have to volunteer for a particular project before I can in any way criticize it, or is just any open source work okay?

> And it's most helpful to provide feedback directly to the developers through their preferred means of communication.

This is not feedback meant directly for the developer - it's valid questions that were meant to spark a discussion here on HN. Of course, with users like you around, that's difficult.

> However, this is irrelevant, too, unless you're bolstering your "valid concerns" argument.

It is relevant, because it's absurd to think that just any developer can just go and contribute to such a project.


I'm not trying to come off as combative, it seems that you are.

All I offered was a way to not sound entitled. Personally, I certainly hold the opinions of someone that's helping me much higher than the opinion of someone that isn't.

Another approach to avoid sounding entitled could be to post a more thoughtful and comprehensive analysis on HN or a blog, rather than nitpicking a commit and posting broad questions like "what could have prevented this?" and insinuating that the volunteers need to do better.

Finally, if it's true that not "just any developer" can contribute to OpenSSH... well it's open-source. Fork it. Or build your own.


You come off as combative when you dismiss valid, innocent questions as being "entitled" or attributing insinuations to GP that simply aren't there.

> Finally, if it's true that not "just any developer" can contribute to OpenSSH... well it's open-source. Fork it. Or build your own.

What good would that do? Would that enable the forker to voice their complaints about the original OpenSSH that's used by literally everyone else without people like you chiming in?

By the by, is it at all relevant that OpenSSH development is funded by at least 1 non-profit and probably other sources as well? They're not volunteers.

(And even if they were volunteers, users are quite within their rights to voice concerns and criticisms about software in a constructive manner. If open source developers don't want to face that, they can not develop open source software.)


> You come off as combative when you dismiss valid, innocent questions as being "entitled" or attributing insinuations to GP that simply aren't there.

We've been over this. I disagree that there aren't insinuations or entitlement in GP. It's okay to disagree.

> What good would that do? Would that enable the forker to voice their complaints about the original OpenSSH that's used by literally everyone else without people like you chiming in?

This can do a lot of good. This is a solution to the problem that you have. If others agree with your critique and approach (which is likely), then they also will appreciate your project. This is how projects like Neovim started, and arguably why Neovim has been as successful as it is.

> By the by, is it at all relevant that OpenSSH development is funded by at least 1 non-profit and probably other sources as well? They're not volunteers.

I was under the impression that it was largely volunteer work, or at least, severely underpaid development which is pretty normal in the open source world. I will take your word on this one, I don't have the time to go look at non-profit financials.

> And even if they were volunteers, users are quite within their rights to voice concerns and criticisms about software in a constructive manner.

100% agree, the keywords being "constructive manner." Higher effort than nitpicking a commit and asking broad questions.


For what it's worth, I think you're probably doing more harm than good to the open source movement. Reconsider your approach, or focus it on the users who are actually acting entitled.


> All I offered was a way to not sound entitled

And I must've missed this bit in your original few comments.



