• @[email protected]
        26 · 1 year ago

        This sounds like dev sour grapes but what the company was asking them to do seems better from the customer pov and for cyber security in general.

        As a developer myself (though not on the level of these guys): sorry, but just, no.

        The key point is this:

        […] we did not issue CVEs for experimental features and instead would patch the relevant code and release it as part of a standard release.

        Emphasis mine. In software, features marked as “experimental” usually are not meant to be used in a production environment, and if they are, it’s in a “do it at your own risk” understanding. Software features in an experimental state are expected to be less tested and have bugs - it’s essentially a “beta” feature. It has a security bug? Tough - you weren’t supposed to be using it in a security-sensitive environment in the first place; it sounds perfectly reasonable to me that it should be addressed in a normal release as opposed to an out-of-band one.

        We can argue if forking the project is or isn’t extreme, but the devs absolutely have good reason to be pissed. This is typical management making decisions without understanding technical nuances and - from what is being told by the devs - not talking it through before doing it.

        • chameleon
          7 · 1 year ago

          Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental

          Do note that despite not being enabled by default, it is enabled in the official binary packages.

          There’s a funny amount of layers to this thing but as far as I’m concerned, if it’s a feature you ship in the default binary packages on your site, that is definitively enough for a CVE even if it’s disabled by default.
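
As an added example that is not part of the thread: a small POSIX shell check that tells the two layers apart, whether the HTTP/3 module is compiled into an nginx binary (from the `configure arguments:` line of `nginx -V`) and whether a config actually turns it on with a `listen ... quic` directive. The `nginx -V` output and the two configs below are constructed samples; in real use feed it `nginx -V 2>&1` and `nginx -T`.

```shell
#!/bin/sh
# Added example, not code from the thread or from nginx itself.

# Constructed sample of `nginx -V` output: module built in, as in the
# official binary packages.
SAMPLE_NGINX_V='nginx version: nginx/1.25.3
built with OpenSSL 3.0.2 15 Mar 2022
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module --with-http_v3_module'

# Constructed sample config: TLS on 443, no "quic" parameter anywhere.
SAMPLE_CONF_OFF='server {
    listen 443 ssl;
    http2 on;
}'

# Constructed sample config that actually enables HTTP/3.
SAMPLE_CONF_ON='server {
    listen 443 ssl;
    listen 443 quic reuseport;
}'

# has_configure_flag "<nginx -V output>" "<flag>": true if the flag appears
# as a whole word on the "configure arguments:" line.
has_configure_flag() {
    printf '%s\n' "$1" | grep '^configure arguments:' \
        | grep -E -q -- "(^|[[:space:]])$2([[:space:]]|$)"
}

# quic_listen_present "<config text>": true if some listen directive
# carries the "quic" parameter before its terminating ";" or a "#" comment.
quic_listen_present() {
    printf '%s\n' "$1" \
        | grep -E -q '^[[:space:]]*listen[^;#]*[[:space:]]quic([[:space:]]|;)'
}

# http3_status "<nginx -V output>" "<config text>": prints one of
# not-built / built-disabled / enabled. Always exits 0 (safe under set -e).
http3_status() {
    if ! has_configure_flag "$1" --with-http_v3_module; then
        echo not-built
    elif quic_listen_present "$2"; then
        echo enabled
    else
        echo built-disabled
    fi
    return 0
}

http3_status "$SAMPLE_NGINX_V" "$SAMPLE_CONF_OFF"   # built-disabled
http3_status "$SAMPLE_NGINX_V" "$SAMPLE_CONF_ON"    # enabled
```

"built-disabled" is exactly the packaged-but-off state the comment describes: the code is in the binary even though no listener uses it.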

        • @[email protected]
          4 · 1 year ago

          Thank you for digging this out. Turns out it’s even worse than what I gleaned from my surface-level take.

      • @[email protected]
        -13 · 1 year ago

        You’re not missing anything, dude just threw a hissy fit because he’s not the king of his fiefdom anymore.

  • Cyborganism
    18 · 1 year ago

    Huh. I didn’t even know F5 was Russian. I didn’t even know they were behind nginx.

    I’m so disconnected.

    I’m also surprised to see F5 technologies being used even though it’s Russian.

  • @[email protected]
    14 · 1 year ago

    the CVE thing seems to be a straw that broke the camel’s back if anything. it seems a bit fucky to expect a core maintainer to work on your project without pay because you wanted to look virtuous by firing them during the initial invasion of Ukraine.

    I’m sure if they, yaknow, paid him, the corporate procedures he was still bound to wouldn’t be so bad.

    doubt freenginx will get far, mind you, but I don’t think it’s entirely fair to call his reaction “sour grapes”

  • synae[he/him]
    14 · 1 year ago

    Stuff like this is a great reminder about the power of Open Source. Even if it’s inconvenient for the downstream user(/admin/etc), it contributes to strengthening software as a whole

  • @[email protected]
    12 · 1 year ago

    Haha… It actually makes sense that something complex like nginx is created by some genius Russian guy.

  • @[email protected]
    -5 · 1 year ago

    Nginx is not 100% ruzzian, but the newly created fork is. And for me it’s not a good idea to use it.

    • @[email protected]
      1 · 1 year ago

      Yeah fuck 'em ruskies, amirite? Gotta be so dumb to choose the wrong nationality at birth, jeansibelius didn’t make that mistake, look at him go! 😎😎😎