Re: Assuming makes an ass out of you and some guy named 'Ming'
"WTF? All documentation has out of date topics that need to be fixed, agreed. That is usually done when somebody, usually the developer who changed the code, files a bug report for documentation to be adapted. You also have users noticing issues and creating bug reports ... that get fixed."
That assumes that someone is monitoring the bug reports. I've experienced a few projects (admittedly not in the Linux arena) where people have filed bug reports only to find that the team working on the project isn't anymore, so the reports have gone unanswered. This hasn't happened in the case of encfs, but it does happen.
I've worked in various development projects, and found that developers can be the worst people to document their own code. I worked on one project where several systems (ranging from locally stored applications to web sites for different users with different functionality needed) hooked into one core SOAP-based web service (they all needed some of the same core functionality, and all accessed an SQL database, and this was deemed to be the most efficient way to do that at the time). The web service API had a couple of hundred functions. The user documentation for this API ran to one side of A4 paper.
The problem wasn't that the developers couldn't be bothered to update the documentation. The first release of the service had a fraction of the functionality of the final version, and no one on the team had time to update the documentation.
Not saying you are wrong. While I am a fairly experienced Linux user (although I actually use a combination of macOS and Windows day to day), I don't have enough knowledge to say for certain whether you are wrong or right. Just outlining that it's not as simple as saying that the developer files a bug report and the documentation is updated, even though that may happen in 90% of cases.
This whole thing is an example of where I think open source is not necessarily the best thing if you need guarantees.
If you buy software (be it an OS, application, device driver, firmware etc.), the law gives you a *lot* of protection should the software not live up to expectations, or fail in some way. I don't know the specifics, but I do know that you would be afforded protection by several Acts (including, I think, the Sale of Goods Act) of Parliament. You also have someone who would be considered liable should you decide to launch legal action. The companies in question also have some incentive (assuming the product is selling) to keep updating it, at least with security fixes.
The law does not give you any automatic protection when you install Open Source products. Most open source licences I have seen specifically state that the author of the product is not to be held liable for any damage done while the product is being used. You can buy/rent support from existing companies (IBM, Red Hat etc.), but I suspect any legal protection you get would be regarding the supply of that support rather than what the product does/does not do.
There is also the problem of what happens when the author of some software drops the project. This does happen in closed source software as well, but the larger closed source companies tend to advertise the fact they are dropping their products well in advance, at least to their enterprise customers, and they often provide security bug fixes for years after. I am not naive enough to assume that all companies do this. They don't. If they don't, and you launch legal action, you do have someone you can sue though.
This does not happen with Open Source. I am quite a fierce advocate for open source. I think it's a good thing, and when it works well, I think it's actually better for bug finding than closed source (as everyone who wishes to can look at the source code). The problem is that projects do often just die, with no updates from the developer and no updates from other users. At least if someone is paid to update it, they may be more likely to update it than if they aren't.
This is a problem security-wise because people are told Open Source is inherently secure because everyone can view the code. This is what happened with OpenSSL. As I understand it, a lot of companies included it in their products because it was assumed to be secure, then the Heartbleed bug was found, and it turned out that people had filed bug reports before but the developers had not updated it. Yes, they rushed out a fix when the problem went public, but who would be held legally liable in the event of action?