> you either be receptive to security concerns or you clearly label your project as a toy project.
Or, assume all OSS projects are toy projects unless stated otherwise.
Usually the serious ones offer a support license for a fee, or are supported financially by companies. Otherwise, it's just someone building cool stuff for free.
Also, it's probably fair that most OSS maintainers aren't marketing their projects too aggressively outside of a blog post or a Reddit submission. When they take off, it's usually other developers hyping them, and that hype usually comes from being lightweight, easy to configure or super fast. It's not until a project has been hyped by the community that people start trying to put it into production and looking into security issues.
One thing that nobody here seems to have mentioned is that, as far as I can tell, the actix.rs website was not created by the author of Actix itself. Just compare the writing on the website with the author's own postmortem. I don't know who wrote the website; I can't find an author's name or a Git repo for the site itself. But whoever they were, it seems that they, not the author of Actix itself, did the marketing that gave many of us our primary impression of what kind of project this is. If anyone reading this knows more about the history of the website, I'd appreciate any additional background or pointers to more details.
Edit: After running some git blame commands on the https://github.com/actix/actix-website repository (thanks Nikolay for keeping it there), it seems that the most eloquent marketing for the project was written by Armin Ronacher. I'm sure this was all done with Nikolay's permission, since it's under the actix GitHub organization, but my point is that Nikolay himself didn't say the things that have been quoted from the website, and they didn't necessarily reflect his own attitude about the project. So that might have caused some confusion.