potiuk commented on issue #65010: URL: https://github.com/apache/airflow/issues/65010#issuecomment-4233048882
> It is an architectural disgrace. Why did you release something like that? Release 3.1.9 at least, fix the JWT vulnerability. And then you can take 6 months to rework 3.2.0.

Not sure if you are aware, but it's been at least 4 weeks of testing beta2 and RCs - and @dedalozzo - I have not seen you testing it? Or did I miss it? It's a bit of a disgrace to not see you testing it and complaining after. Did I miss your issues and testing reports? Have you sent them our way? Maybe they were lost somewhere in spam? Stating some issues with the new release would have been helpful before we released; apparently, however, you missed your opportunity to give back for the free software you get from people who created it.

Unfortunately, it's likely something that affects your configuration - and I believe it would really help if you follow what @kaxil asked for rather than throwing invectives at people. What might also help is increasing the resources while testing and seeing if it helps - and then reporting the details asked, in case you have problems with your 8GB. Or just wait until others will.

I assume you are talking about CVE-2025-57735 - the JWT issue was a low one, we usually would not announce a critical issue without waiting to see if we need to upgrade to a new version. However, I am wondering (because releasing older versions of airflow with backported fixes costs extra time) - we are discussing how we can respond to the expectations of our users to have older versions with security fixes, and I wonder - maybe you or your company would like to pay extra for it? We are currently discussing changing vulnerability handling for open-source, and paying for some kind of priority security for older versions seems like an option we consider - because obviously you realise that you ask for more money for the volunteers to backport a low-severity issue to an older version - you do realise that this is what you ask for?

Yes, we might have some teething issues in 3.2.0, but it's a bit of a bold statement stating `disgrace` for people who invest their soul and volunteer time to implement something you can take for free, without any guarantees or expectations - only by seeing a few cases where connection usage grew. It's a bit of an overstatement. Yes, it might turn out that some more resources are needed in 3.2.0. We do not guarantee you will still be able to use exactly the same resources, and maybe there is a bug or two that will be fixed as soon as people like you who decide to help rather than throw invectives at open-source developers who contribute often their free time, so that you can use the software for free.

We are all humans, we make mistakes - no-one is free of them - and I think when you get something for free, helping to solve your problem so that you can get fixed versions for free is probably the best course of action. I understand that you might have bigger expectations here, but if you consider how much you paid (0) for the software, your expectations should be somewhat adjusted - especially that you have not helped to test the release when we asked.

However, it's not too late. You can still help. I think there are quite a few constructive ways you can do here:

a) (a bit too late - you missed it) - test a new version when beta/rc releases come out (but you can catch up next time)

b) provide helpful diagnostics so that people who spend their free time are able to find the issues and release a fixed version quickly. When we ask for testing a new version (which usually lasts 3 days and has an issue where you can install and test things) - you can even verify if the issue is fixed when it will be. Highly recommended, as it will allow us to release better software and avoid more disgruntled and complaining users.

Generally - I personally think - being nicer to people who spend their weekends and nights away from their family and friends so that they can produce software you can use for absolutely free is a very good idea. It usually works better, for example, when you need help in the future - which (providing that you are nicely asking for help and show you've done your part) you might sometimes get from them. But also when you have a problem, those people might be exactly those who might help to solve your problem @dedalozzo. This is usually what most people do - only a few have unrealistic expectations and demand "paid" level of services from open-source and free projects, and I guess being part of the community and majority is a good idea.

I think it would be great if you try to actually help in solving the issue - following the ask from @kaxil, or at the very least encourage others to provide enough info and express your gratitude for the software you have and at the very least cheer-lead those who work on making your issues disappear. That would be my suggestion @dedalozzo
