Let’s not get carried away.
…
Right…
Let’s not get carried away. Shared software systems are about more than the software. If you’re looking only at the software, and that was literally 100% of what is important here and nothing else, then yes, you’re right.
But you want it fixed less than you want it publicized
100%. Yes. Correct. I also want it fixed, but that’s completely trivial, with or without the pull request.
irishPotato@sh.itjust.works 5 days ago
I think there you hit the nail on the head! Just the fact that it is in there, whether intentionally or not, is something that warrants warning people about. So that in the case someone goes to set up a server, they at least know that recently there was this rather severe risk of unnecessary credential exposure, again no matter if it was intentional or not.
However, I will say that I think I would have also opened the PR, not to help the original dev necessarily, but to help those that might come to use the software later.