> I don't even care who's right about the vulnerability, threatening legal action in a case like this is so beyond the pale
At some point, you need to make them react. And the only way a small open source project can get an answer from a big company is usually a threat to attack their wallet.
Sure, it might not have been the best thing to say, but I don't know how else we can make them react to the various issues that have been going on for years with Secunia.
Aside from the fact that it was socially unacceptable, do you realize you could have exposed yourself to legal attack?
I don't know what rules are typical in Europe for declaratory judgement actions, but in the US, Secunia would have basis for filing against you to have their speech declared non-defamatory.
If you don't have a lawyer to do it for you, don't threaten legal action.
Publishing private emails is probably illegal too (it is in Germany, in France and Italy)... And claiming a POC is 'arbitrary execution' when it is not... We have been down that road for a long time, you know...
I would prefer spending my free time working on VLC (which I do usually) than having to deal with those things... Especially since we still have no vulnerability POC...
> Publishing private emails is probably illegal too (it is in Germany, in France and Italy)...
It is not illegal in Denmark, if one of the participants publishes it. Similarly, it is not illegal to record a conversation in Denmark without acknowledgement from the other participants, if one of the participants is the one recording it.
> Publishing private emails is probably illegal too
I don't claim to know the law on this in those countries, though Svip says it's not illegal in Denmark (Secunia's jurisdiction).
Letter of the law aside, are court records not public in your jurisdiction? In the US, that email would have been promptly entered into evidence without redaction. In that light, posting it now makes no practical difference. You'd already dishonestly informed them you were commencing suit in 24 hours.
> I would prefer spending my free time working on VLC
Then do so. And if you really feel the VLC project needs to respond to Secunia in any way, have someone else do it. You're not very good at it.
A grep of your git log indicates at least 7 developers with >100 commits in recent history. I'd hope there's a decent chance at least one of them is better at crisis management and general PR. Certainly collectively you could have done better than the rushed (and at times nearly incomprehensible) statements you've been making.
It's sad that your reaction to reasoned advice is to lash out with snark rather than simply to appreciate that you've been given a playbook for dealing with both current and future issues of this kind. The first play, by the way, being "stop lashing out".