It means we need to raise the bar for contributors and maintainers. If they are not using 100% code coverage fuzz testing in their unit tests (the bare minimum a security researcher will use against a product to detect exploitable code) then they don't need to be a maintainer. End of discussion. Period. You either maintain unit tests with at least range checking (which you can automatically generate if your doc comments aren't stupid) and fuzz tests for the same unit tests (which can be generated from the unit tests) for every damn line of your code, or you need to STOP. Period. No one else should be running your fucking piece of shit untested code. If you CAN'T do this basic fucking step of code coverage, unit tests for edge cases and fuzz testing then you should not be releasing open source software. Period. If you're not doing this and you're the maintainer of a security related product? Well, then you should hang yourself as soon as possible, because you are a worthless despicable piece of shit. Period.
And, if you are an arm-chair apologist who thinks I'm being too harsh in my insistence that maintainers and developers follow basic security precautions or not work on open source, because you don't give a flying fuck about security: Fuck you too. You're part of the problem. Go jump in a tar-pit because you're hindering the herd.
Bottom line: People who don't give a flying fuck about security shouldn't be producing software. You shouldn't let such people maintain FLOSS projects. You get the fucking security you pay for. Yes it's free, but I'm talking development costs. Since NONE OF YOU FUCKERS actually cares about security YOU DO NOT HAVE ANY.
Either SHUT THE FUCK UP, or USE THE DAMN TOOLS WE GAVE YOU AND DEMAND THE OTHER IDIOTS DO TOO.
"Wah, we don't fucking care about security! Why don't we have any security?!" Blow it out your ass, morons. This is why I develop my own hobby OSs and compilers. Because you really can't trust ANYONE to do it right in this day and age. Your moronic double standards are your own damn fault. You don't want to pay the time in development costs to test your software properly, but you want it to be secure. Something has to give, idiots! All the pundits sound like a bunch of imbeciles. Fact: They were NOT using the available memory checking, code coverage and input fuzzing tools. OF COURSE IT'S NOT SECURE!
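The post above demands two things of every maintainer: unit tests that exercise the edges of each input's range, and fuzz tests built on the same code. As an added example that is not part of the original post and not any project's code, here is the shape of that in stdlib Python: a tiny length-prefixed record parser with and without its bounds check, the range-check tests for the edges of the u16 length field, and a minimal mutation fuzzer whose oracle is "whatever you accept must round-trip byte for byte". The record format, function names and the seed input are all assumptions made for the example.

```python
"""Range-check unit tests plus a mutation fuzzer for a tiny length-prefixed
record parser (added example, not the post's code; stdlib only)."""
import random
import struct

# Assumed format: a sequence of records, each <u16 big-endian length><payload>.
LENGTH_FMT = ">H"


def parse_records(buf: bytes, *, strict: bool = True) -> list[bytes]:
    """Parse records. strict=True is the range-checked version; strict=False
    reproduces the classic bug of trusting the length field. In Python the
    slice silently truncates instead of crashing, so the bug hides unless a
    test or a fuzzer actually checks the result."""
    records, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            if strict:
                raise ValueError(f"truncated length field at offset {i}")
            break                          # bug: dangling byte silently dropped
        (n,) = struct.unpack_from(LENGTH_FMT, buf, i)
        i += 2
        if strict and i + n > len(buf):
            raise ValueError(
                f"record at offset {i - 2} declares {n} bytes, "
                f"only {len(buf) - i} remain")
        records.append(bytes(buf[i:i + n]))  # unchecked: short slice passes as valid
        i += n
    return records


def encode_records(records: list[bytes]) -> bytes:
    """Inverse of parse_records; used both by tests and as the fuzz oracle."""
    return b"".join(struct.pack(LENGTH_FMT, len(r)) + r for r in records)


def range_check_tests() -> bool:
    """Edge cases of the u16 length field: 0, max, and every way to run past
    the end of the buffer. Returns True only if all of them behave."""
    biggest = b"A" * 0xFFFF
    cases_ok = {
        b"": [],
        encode_records([b""]): [b""],
        encode_records([biggest]): [biggest],
        encode_records([b"ab", b"", b"c"]): [b"ab", b"", b"c"],
    }
    for raw, expected in cases_ok.items():
        if parse_records(raw) != expected:
            return False
    for bad in (b"\x00", b"\x00\x05abc", b"\xff\xff", b"\x00\x01a\x00"):
        try:
            parse_records(bad)
            return False           # accepted an input that runs past the buffer
        except ValueError:
            pass
    return True


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply 1-4 random byte edits: overwrite, delete, insert, or bit-flip."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 2 or not data:
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
        elif op == 0:
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == 1:
            del data[rng.randrange(len(data))]
        else:
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    return bytes(data)


def fuzz(parser, iterations: int = 2000, seed: int = 1234):
    """Mutation fuzzer with a round-trip oracle: any input the parser accepts
    must re-encode to exactly the bytes it was given. Returns the first
    counterexample, or None if the oracle held for every iteration."""
    rng = random.Random(seed)
    corpus = [encode_records([b"hello", b"", b"world!"])]   # constructed seed input
    for _ in range(iterations):
        sample = mutate(rng.choice(corpus), rng)
        try:
            records = parser(sample)
        except ValueError:
            continue                  # explicit rejection is the desired behaviour
        if encode_records(records) != sample:
            return sample             # accepted, but silently lost or truncated data
        corpus.append(sample)         # accepted inputs become new seeds
    return None


if __name__ == "__main__":
    print("range checks pass:", range_check_tests())
    print("strict parser counterexample:", fuzz(parse_records))
    print("unchecked parser counterexample:",
          fuzz(lambda b: parse_records(b, strict=False)))
```

The point of the oracle is that a fuzzer with no property to check only finds crashes, and a parser that truncates instead of crashing never crashes. Any exception other than `ValueError` deliberately propagates out of `fuzz`, because an unexpected exception type is itself a finding. This harness is not coverage-guided; real fuzzers grow the corpus from inputs that reach new code, which is where the post's "100% code coverage" demand and fuzzing meet.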