Only if they actually communicate what they’ve learned from it and what changes they’re making to prevent such mistakes in the future / catch them before release. Until then you can assume that they’ll keep making similar classes of mistakes.
What did George ever do to you that warrants this level of contempt and condescension? Am I missing something, because there are so many activists like you having an inexplicable vendetta against iTerm2 all over this thread.
This is sad because iTerm2 is one of the best terminal emulators out there. It's the first terminal emulator that popularized shell integration. Newer terminal emulators are still catching up, a decade later. tmux integration is another popular feature that's still unique to iTerm2. George has been working tirelessly on iTerm2 pretty much solo for 15 years [1]. To this day, he continuously brings new improvements to the terminal experience that keeps being copied by other terminal emulators. Developers benefit from his work, iTerm2 users and non-users alike. We should be expressing our gratitude instead of doing whatever people are doing in this thread.
George found this security issue the day after New Year's day and immediately released a fix [2]. That's commitment. And while the effects of this bug can be severe, most people wouldn't have triggered the bug.
> 1. Either:
> a) You used the it2ssh command, or
> b) In Settings > Profiles > General, the Command popup menu was set to "SSH" (not "Login Shell", "Command", or "Custom Command") AND "SSH Integration" was checked in the SSH configuration dialog. That dialog is shown when you click the Configure button next to the ssh arguments field in Settings.
It's almost as if some people are jumping at any chance of retribution, justified or not. This all sure intensified after iTerm2 at one point introduced an AI-related feature into the default build that one can just safely forget exists by not actively enabling and engaging with it. Some in the Mastodon community even went as far as openly fantasizing about inflicting violence on the poor dev [3]. I just can't understand the morality of some of the people you see online.
It's insane and horribly disrespectful. I don't understand the animus either. I just sent a $ donation to the maintainer.
The response to this bug is completely over the top. He found a security issue in an optional feature, immediately fixed it over the New Year holiday, and provided clear documentation about who was affected and how to address it. That's exactly how responsible disclosure should work.
The level of hostility - especially over adding optional features that people can simply choose not to use - suggests this is more about bandwagoning than legitimate criticism. We should be supporting developers who maintain critical open source infrastructure, not attacking them over a prompt response to a contained issue.
There is absolutely 0 condescension in my comment. All I highlighted is the flaw in the argument that a mistake made is a lesson learned. Indeed, there’s no indication the root cause of the lesson leading to this situation has indeed been learned.
You seem to be triggered by a perceived critical comment of a piece of software you’ve developed an emotional attachment to. I have not attacked anyone associated with the iterm2 project nor have I questioned his talent in creating a popular project or his commitment to it. Lumping me in with toxic people you encountered on social networks is completely uncalled for and I’ve never called for violence against anyone.
You asserted that the author hasn't "learned" anything from this bug in a drive-by comment that starts with "Only if they actually ~". I can assure you that's incredibly condescending.
It's uncalled for too. iTerm2 has a good track record responding to user issues, even obscure ones involving Japanese input. The dev even listened to the demands of trolls who raided the issue tracker from Mastodon [1]. Security fixes are released quickly. Nothing about the project warrants the kind of cheap dismissal on display all over this thread.
You mentioned emotional attachment twice in this thread as the reason some people have problems with dismissive, aggressive, or mean comments against iTerm2. No, it's basic empathy and appreciation for the thankless work going into this FOSS project.
No, it’s not condescending to highlight that the author hasn’t indicated they have learned from the broader set of circumstances that led to this bug in the first place. Ripping out a feature is a first step, not the only step.
I mention emotional attachment twice because twice, to logical and attempted factual comments, I’ve gotten emotional comments back verging on attacking me personally. I don’t use iTerm2, nor is it a piece of software that takes up any mindspace for me, but attacking this aggressively anyone even mildly critical because you feel like you’re part of this minority group and you need to defend yourself because you feel constantly attacked is tribalism, not empathy and appreciation.
When you tell me that you're the lone voice of reason amid the emotional tribal backlash against you, despite people breaking down all the reasons they're calling you out step by step, I have nothing more to tell you. You might want to remember that your supposed "logic" won't stand in any FOSS community though. Or like, any community. I honestly hope that you can one day become a different person from the one who proudly proclaims that disregarding other people's work is proof of rationality.
Where did I ever claim I was the sole voice of reason? Plenty of people on here are having a rational discussion about how this happened and several people recommended tips such as commit hooks to prevent WIP work from getting committed and released. That would be an example of a lesson learned. Indeed, it's entirely possible that George has learned that lesson too. I was just literally describing the logical problem with the assumed logic of "mistake made = lesson learned", especially when there's no evidence outlining what the lesson learned was. Similarly plenty of comments in response to things I've said have been fairly well balanced.
As for the backlash, I just highlighted how 2 responses in particular seemed emotionally charged and borderline attacked me for completely innocuous comments. The first was completely condescending and sarcastic while adding no additional value to the conversation on a completely unrelated comment thread where I suggested that maybe, just maybe, the terminal you choose isn't going to meaningfully improve your productivity. Your conversation has accused me of being in league with people threatening violence to the iTerm2 author and again adding nothing to the discussion about what lessons were actually learned, and then attacking me and demeaning me in all sorts of ways and accusing me of saying things I simply have not. How would you describe that? A logical defense of someone I'm not attacking?
Bringing up an arbitrary list of demands so that a FOSS dev can "prove" to you he has "learned"? That is what, in your words, "adds nothing to the discussion."
Again you are claiming I said things I simply didn’t. Where did I come up with a list of arbitrary demands for him to prove he learned something?
All I said is that he simply didn’t say what he learned and provided examples of what it could look like. Again, I was very specifically responding to the claim at the beginning of the thread that a mistake made is a lesson learned isn’t actually true just because a mistake is made. It’s a very basic logical fallacy made by OP. And I point out how while he says he learned something he doesn’t actually clarify what the lesson is and what steps he’s taking to prevent said mistakes in the future. You may disagree but I feel like that adds something to the discussion.
I’m pretty done talking with you since it’s clear that you will continue conversing in bad faith and ascribing to me things I simply didn’t say.
They didn't assert that the author hasn't learned anything. They said that in the absence of information that they have, what they have and what they will do to prevent such issues in the future, you can assume they will make similar mistakes. Which may be more of a "better safe than sorry" strategy than you think is warranted, but that I don't perceive as an attack on the author.
Yes, you are right. Sometimes, reactions cause chain overreactions. We have different intensities of the situation. I checked the iTerm2 author's notes and compared them with my setup and I thought ok, it looks like I'm safe, and I moved on. But when I read your previous comment, I am now unsure, because I need to know when and what changes led to this issue in the first place.
The iTerm team is just an army of one. There may be a formal analysis of the security soon.
The root cause as I understand from other comments in this thread is a double whammy of the feature existing itself and that they managed to create a release with a WIP commit that enabled the feature. They resolved the issue by ripping out the feature. However, the latter issue remains unaddressed and to me is equally if not more concerning - there should be good practices in place to ensure that feature flags aren't even being controlled via code edits and instead there are .gitignore'd config files that are read in a developer build for turning those features on. Additionally, git commit hooks that scan for WIP comments & prevent pushing them, and sprinkling WIP comments around temporary changes, might also be good defense in depth measures.
iTerm2 doesn't interfere with people wanting the same old experience and you don't even have to use it either. Being "triggered" by a free and open source passion project that has helped countless developers around the world is beyond absurd. "Ungrateful" doesn't even begin to describe it.
People have always been emotional about their choice of software, I guess. But people are treating George, who has shown nothing but good faith this past 15 years of iTerm2 development, like the product manager of Windows Recall. That's a whole new level of emotional response which I don't understand where it's even coming from.
No, all the patch notes say is “I learned from my mistake and ripped out all the logging code”.
That’s not actually a postmortem of a list of process changes. Nothing about how WIP changes made it through into a code release nor in how such mistakes will be prevented in the future. There’s a much richer discussion of options in this thread of things people do to prevent things like this. For example, reading environment variables from a file that’s gitignored so that you never accidentally commit something and you don’t need to mutate code to do a config change.
He may indeed have learned from his mistakes, but I’m pointing out the flaw of assuming every mistake was treated as a learning opportunity, especially when no real evidence exists to suggest that.
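The WIP-scanning commit hook suggested in this thread (the comment above on gitignored config and hooks, and the earlier one on commit hooks as defense in depth), as an added example that is not iTerm2's code or anything the maintainer published: a POSIX sh pre-commit guard that reads the staged diff and rejects any added line carrying a marker such as "WIP" or "DO NOT COMMIT". The marker list and the sample diff are constructed for the example; a real install would copy the script to .git/hooks/pre-commit.

```shell
#!/bin/sh
# Added example, not iTerm2's code. Refuses commits whose staged hunks add a
# line carrying a "temporary change" marker. Markers and sample diff are
# constructed here; adjust the pattern to the team's own convention.

WIP_PATTERN='WIP|DO NOT COMMIT|XXX'

# check_wip_diff: reads a unified diff on stdin, reports every *added* line
# that contains a marker, returns 0 when clean and 1 when something was found.
check_wip_diff() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            +++*) continue ;;            # '+++ b/file' header, not content
            +*)                          # an added line: the only kind that can ship a marker
                if printf '%s\n' "$line" | grep -Eq "$WIP_PATTERN"; then
                    printf 'blocked: %s\n' "$line" >&2
                    found=1
                fi
                ;;
        esac
    done
    return "$found"
}

# Constructed sample standing in for `git diff --cached`: a debug flag flipped
# on with a WIP note, the kind of change the thread says should never reach a release.
SAMPLE_DIFF='diff --git a/example.m b/example.m
--- a/example.m
+++ b/example.m
@@ -10,3 +10,4 @@
-    BOOL enableDebugLog = NO;
+    BOOL enableDebugLog = YES;  // WIP: remove before release
+    [self startDebugLogging];
     return self;'

# When installed as .git/hooks/pre-commit, scan the real staged diff.
if [ "${0##*/}" = "pre-commit" ]; then
    git diff --cached | check_wip_diff || {
        echo "commit rejected: drop the WIP markers or unstage the temporary change" >&2
        exit 1
    }
fi
```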