Are these bugs deliberate?
It's clearly a programmer error - it's not valid to call that function without valid credentials!
At least that's the sort of response I get when I report bugs.
I reported today how bash's printf %q format can leave a dangling unused backslash, which voids the whole safety benefit of %q.
Apparently it's a programmer error to expect to use %q as advertised.
It's not safe to use a truncating size specifier with %q, e.g. %.8q.
It could be made safe, but why bother for "a programmer error"?
I don't think these sorts of bugs are deliberate but I know others do.
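The truncation behaviour described in the comment above, as an added example that is not part of the original post: it compares `%.8q` with truncating the raw value before quoting, and includes a check for a dangling trailing backslash. The function names and the sample string are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original comment. %q is a bash printf extension,
# so re-run under bash if another sh started this file.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"

# Pattern from the comment: the precision cuts the already-quoted text.
quote_then_truncate() { printf '%.8q' "$1"; }

# Alternative ordering: cut the raw value first, then quote all of it.
truncate_then_quote() { printf '%q' "${1:0:8}"; }

# Number of words the shell parses when the quoted fragment is followed by
# one more literal word. Only ever called here on the constructed sample.
count_words() {
    eval "set -- $1 tail"
    printf '%s' "$#"
}

# True when a string ends in an odd number of backslashes (dangling escape).
ends_with_dangling_backslash() {
    local s=$1 n=0
    while [[ $s == *\\ ]]; do
        s=${s%\\}
        n=$((n + 1))
    done
    (( n % 2 == 1 ))
}

demo() {
    local sample='aaaaaaa b'   # constructed input: 7 letters, space, 1 letter
    local bad good
    bad=$(quote_then_truncate "$sample")
    good=$(truncate_then_quote "$sample")
    printf 'quote then truncate: [%s] words=%s\n' "$bad" "$(count_words "$bad")"
    printf 'truncate then quote: [%s] words=%s\n' "$good" "$(count_words "$good")"
    if ends_with_dangling_backslash "$bad"; then
        printf 'dangling backslash detected in [%s]\n' "$bad"
    fi
}
demo
```

With `%.8q` the output ends in a lone backslash that escapes whatever follows it, so the following word is merged into the same argument; truncating first keeps the two words separate.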