Considering NDAs to allow users to share more bug details privately

[mvdan]

A code obfuscator is a tricky open source project to maintain, because when users run into bugs, they often can't share exactly what they were doing as reproduction steps - often the code they are building is private and shouldn't be shared.

Some users have the time and skills to reproduce the bug in a sample program, or even to debug what the problem is and provide more insight. I'm really grateful when that happens. However, I understand that it cannot be expected of the users, and over half of bug reports result in a guessing game on our part.

I wonder how we could allow users to share more information about how they ran into a bug. This could include private access to a snapshot or repository of source code where garble build can be run, for example. Access to private source shouldn't be shared privately, but it could potentially be shared with a garble maintainer like me if there's an agreement in place, like a non-disclosure agreement.

For example, if I signed an NDA with company X who use garble on their private source code, they could email me privately with plenty of details when they run into garble bugs or problems, and I would be able to investigate and debug locally. Once the source of the bug is identified, I'd file an issue without any private information, and then work on a fix publicly.

Note that the signing of an NDA would not imply guaranteed support or any form of SLA; I would respond to these private bug reports much like I already do with public GitHub issues. That said, I'd likely ask for a reasonable GitHub sponsorship to be in place, given that signing an NDA adds a level of complexity for my work.

If this sounds interesting to any garble user, please email me at [email protected] :)

[mvdan]

If anyone prefers discussing this over chat, I'm mvdan#9105 on Discord, @mvdan on Slack servers like gophers.slack.com (join via https://invite.slack.golangbridge.org/), and also @mvdan:matrix.org.