Open Source

39788 readers

385 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Posts must be relevant to the open source ideology
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 6 years ago

MODERATORS

Cloak@lemmy.ml

kevincox@lemmy.ml

CrypticCoffee@lemmy.ml

Lettuceeatlettuce@lemmy.ml

209

Nginx gets forked by core developer (mailman.nginx.org)

submitted 2 years ago by poVoq@slrpnk.net to c/opensource@lemmy.ml

31 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[+] cybersandwich@lemmy.world 15 points 2 years ago* (last edited 6 months ago) (3 children)

[deleted]

[–] fernandofig@reddthat.com 27 points 2 years ago

This sounds like dev sour grapes but what the company was asking them to do seems better from the customer pov and for cyber security I'm general.

As a developer myself (though not on the level of these guys): sorry, but just, no.

The key point is this:

[...] we did not issue CVEs for experimental features and instead would patch the relevant code and release it as part of a standard release.

Emphasis mine. In software, features marked as "experimental" usually are not meant to be used in a production environment, and if they are, it's in a "do it at your own risk" understanding. Software features in an experimental state are expected to be less tested and have bugs - it's essentially a "beta" feature. It has a security bug? Though - you weren't supposed to be using it in a security-sensitive environment in the first place, it sounds perfectly reasonable to me that it should be addressed in a normal release as opposed to an out-of-band one.

We can argue if forking the project is or isn't extreme, but the devs absolutely have good reason to be pissed. This is typical management making decisions without understanding technical nuances and - from what is being told by the devs - not talking it through before doing it.

[+] BaumGeist@lemmy.ml 20 points 2 years ago* (last edited 2 months ago) (4 children)

[deleted]

[–] chameleon@kbin.social 7 points 2 years ago

Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental

Do note that despite not being enabled by default, it is enabled in the official binary packages.

There's a funny amount of layers to this thing but as far as I'm concerned, if it's a feature you ship in the default binary packages on your site, that is definitively enough for a CVE even if it's disabled by default.

[–] lorty@lemmygrad.ml 5 points 2 years ago

Doesn't expose information
the service/thread just restarts
Is an experimental feature
that's not enabled by default

Yeah I can definitely see why the devs decided to just fix it on the next patch. Reporting a CVE for this feels very unnecessary.

[–] fernandofig@reddthat.com 4 points 2 years ago

Thank you for digging this out. Turns out it's even worse than what I gleaned from my surface-level take.

[–] NaoPb@eviltoast.org 3 points 2 years ago

Thanks for this. I get now why the devs are pissed.