I find your attitude the ruder. Users of paid products have the right to complain about stuff like that; it's literally what they paid for. Users of open source projects have no such right: if you know what to do, why not make yourself useful instead of bitching out someone who's volunteered their free time to make your life easier? I have very little patience with armchair pundits myself, if you submit a pull request we can happily have a conversation, but everybody's a critic and some of us are trying to get things done.
Nonsense. Users of free and open source software have every right to point out flaws in the design and implementation of that software. And this is an invaluable service to the authors and community. While finding and fixing an issue is nice, it's certainly not required, and not everyone capable of identifying issues has the time, ability, and inclination to fix those issues.
Furthermore, the conversation at issue was initiated by a community member asking why Weave's authors chose to implement their own security mechanism. The point of this kind of question is to assess whether the authors had good reasons, bad reasons, or no reason at all behind a questionable decision. This helps determine whether the effort to resolve the issue would be well-spent. If the authors aren't convinced that other solutions would be superior, they may be unwilling to accept a contribution, and you are potentially wasting your time producing a patch.
"why not make yourself useful instead of bitching out someone who's volunteered their free time to make your life easier"
Because as soon as you've found issues with more than, say, 3 things, you no longer have enough of your own free time to volunteer to solve the problem in a better way, let alone whatever you were already working on. Do you honestly believe that criticism has no value?
Complaining on Twitter is not the same as finding an issue! Criticism has value, but not all commentary deserves equal weight or time before it is reasonable to request reciprocal effort.
It has vanishingly little and there's certainly no shortage of people handing it out for free. There's a reason for aphorisms such as "talk is cheap" and "my two cents". You seem to value your own time extremely highly; where's the respect for others?
You think security domain experts don't have the "right" to "bitch" (or perhaps, say, "inform") about potential security problems?
I understand you're trying to "get things done" but crypto is an area where you have to tread carefully, and talking down or ignoring people trying to inform you about security flaws is only encouraging the development of insecure software.
I'm pretty sure the point is more that - had Weave used a standard and already-vetted encryption method instead of rolling their own crypto - they could have put that free time into more useful things instead of now having to maintain yet another crypto implementation on top of their main project.
This isn't to say that there's never room for improvement in the crypto space - I personally disagree with the assertion that rolling one's own crypto is inherently bad in all cases, and instead believe that we need a maximum of innovation attempts now so that they can be evaluated and audited and identified as useful - but unless you're actually fixing a problem, Not-Invented-Here syndrome is dangerous and a waste of time better spent elsewhere.
We did not roll our own crypto. We used NaCl. The rationale is explained here: http://weaveworks.github.io/weave/how-it-works.html#crypto. We agree that other approaches are possible, but this is the one we picked for our first version.