this post was submitted on 15 Feb 2024
Nah, c suite was pretty clearly in the right here. Dude left because he was pissed that a vulnerability got assigned a CVE instead of just... Not informing anyone so they could quietly fix it.
It's an experimental feature. It doesn't need a bugfix release because you're not supposed to run it in production, and it's just a DoS, not privilege escalation or something
Experimental features are explicitly defined as requiring CVEs. You are supposed to run them in production, that's why they're available as experimental features and not on a development branch somewhere. You're just supposed to run them carefully, and examine what they're doing, so they can move out of experiment into mainline.
And that requires knowledge about any vulnerabilities, hence why it's required to assign CVEs to experimental features.
And I'm not sure why you think a DoS isn't a vulnerability, that's literally one of the most classic CVEs there are. A DoS is much, much more severe than a DDoS.
If you do examine what it's doing you will catch this as soon as an attacker exploits it, and can disable it. Also, you should maybe not run the entire production with experimental features enabled. In a stable feature this would absolutely be a CVE, but this is marked experimental because it might not work right or even crash, like here
Correct, I agree you run it with an eye on it (which you should probably do anyway) instead of firing and forgetting (which, to nginx's credit, is typically stable enough you can do that just fine).
That said, nginx treats experimental as something you explicitly run in production- when they announced they added it into experimental they actually specifically say to run it in prod in an A/B setup.
https://www.nginx.com/blog/our-roadmap-quic-http-3-support-nginx/
That means if you're large enough that A can pick up the slack if B shits the bed. The only impact would be that you have to use HTTP2
Have you looked into the CVE? Apparently it is a non-issue. You could use it to DoS a service that has an experimental feature enabled, which is disabled by default, on a non-stable version. I understand the dev. CVE should be for serious issues. And they alerted their users over an email list.
It can be used for DoS, as it is crashing workers, but they will be restarted anyway.
There is an astounding number of lies in your post, good lord.
There is an astounding number of lies/misrepresentations in your post, good lord.
Where were my lies? I mean I showed you yours.
Source: https://cve.mitre.org/about/
Since you seem to have no idea about how web servers work, or indeed, experimental features, I'll let you in on a secret- The only difference between a non-experimental option in nginx and an experimental option is that they're unsure if they want that feature in nginx, and are seeing how many people are actually using it/interested in, or they think that usage patterns of the feature might indicate another, better method of implementation. "Experimental" does not mean "unfinished" or "untested."
If you know nothing about programming, CVEs, or even web engines, please stop embarrassing yourself by trying to trumpet ill-thought out bad takes on subjects you don't understand.
Please don’t complain to us mod/admins about someone making things personal, when you’re the one calling someone a liar and a know-knowing about their field of work.
Really dude? I never once devolved to name calling, I stated that s/he lied when s/he made false statements. What else am I supposed to say there?
I also don't understand how saying they don't know what the subject matter s/he's taking a stance on is 'know-knowing' either? S/He's straight up said they don't know what a CVE is, don't know what experimental means, and while they claim to be in this field of work, they don't know what a web worker is and confused a web transaction with a database transaction.
Sure, I could have been nicer about it when they started escalating, but I never made it personal, and have no intentions of doing so either.
EDIT: realized I was assuming their gender.
Dude, can you be less rude? Calling me a liar, without pointing out a lie. At best, you found a misunderstanding of CVE on my end which wouldn't be a lie and isn't in the part that you called a lie. Also I don't think that there was a misunderstanding on my end of what CVE means. Then you call me basically a clueless idiot for not having a clue about web servers. While I actually currently am working for a multi-billion-dollar company as a backend dev and never worked anything but web dev. Then you complain about a straw man when you don't bother to express what your actual argument was and I had to guess.
You might realize that I am not bothering to argue your points, there is a simple reason why, you are being a dick. Make your points clearly like you did just a moment ago and don't be rude while doing it and you get an interesting conversation.
In case you are curious, I am actually rather neutral on whether or not it should be CVEs. I see the dev's reasons and think they are reasonable and I understand why F5 would report it. A new fork seems to be an overreaction though. I bet you didn't expect me to hold this position because you were busy being a dick instead of having a conversation.