this post was submitted on 16 Feb 2024
174 points (97.8% liked)

Technology

59389 readers
2959 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 
  • A core developer of Nginx, the popular web server, has quit the project and started a fork called freenginx.
  • The developer cited disagreements with the new management at F5, which acquired Nginx Inc. in 2019, over security policies.
  • The dispute arose from the assigning of Common Vulnerabilities and Exposures (CVEs) to bugs in the experimental HTTP/3 code.

Archive link: https://archive.ph/U4XRN

top 17 comments
sorted by: hot top controversial new old
[–] assembly@lemmy.world 59 points 9 months ago (2 children)

So I am a bit confused on this one. Why does this particular developer or anyone really, disagree with assigning CVEs to releases code? I mean I get that it is experimental but having associated CVEs adds to disclosure on the experimental features. What is the downside of the assigned CVEs? I was all ready to jump on F5 being wrong but it sounds like they may have taken the right position. Can someone elaborate on why that may not be the case?

[–] Deebster@programming.dev 40 points 9 months ago

I think most people share your confusion. It seems that F5 was following their responsibility as a CNA, but one guy disagreed enough to leave with all his toys.

[–] just_another_person@lemmy.world 21 points 9 months ago (1 children)

I believe what this is saying is that management decided to only fix CVEs in certain versions going forward, instead of older versions. It's hard to tell for sure.

[–] JakenVeina@lemm.ee 15 points 9 months ago (4 children)

There was another article I read that had a snippet from F5. As I read it, their concern was that they have two release tracks: the paid/subscription track, and the free track. They are actually the same code, but the free track is just 2 releases behind, so the idea is that if you want the "latest and greatest" stuff, you gotta pay. It's a fairly common strategy in the industry.

So, the concern is that for security vulnerabilities that are not CVEs, info about the vulnerability (and how to exploit it) is out in the wild for two whole releases, before the patch reaches the free-tier users.

Seems like an actively good position on F5's part, from this angle.

[–] just_another_person@lemmy.world 6 points 9 months ago

Not particularly when you consider it is standard practice to NOT be charging for CVE and emergency for released products from similar companies. Hell, even RedHat pushed upstream and downstream packages to CentOS if they were the first to patch. Happens with Canonical and the Debian team as well. This engineer saw what F5 was doing, thought it was wrong, and bailed. Seems like a valid response to me.

[–] neclimdul@lemmy.world 3 points 9 months ago

Thanks for that.

Its a weird that the couldn't just choose to back port the fixes that have security implications even if it wouldn't deserve a cve.

[–] mods_are_assholes@lemmy.world 1 points 9 months ago

Just a reminder that most things nowadays that put greedy corporations into 'a good position' is detrimental to everyone else.

[–] lemmyingly@lemm.ee 1 points 9 months ago

What's considered as a release in the nginx world?

Any minor update or just the major updates?

Eg. 1.25.4 was recently released. 4 months prior was 1.25.3. 2 months prior to that it was 1.25.2. etc

[–] DirigibleProtein@aussie.zone 30 points 9 months ago (5 children)

So the team were actually having a serious discussion this afternoon.

Is the new project called:

  • Free-en-jin-ex
  • Freen-ginks
  • Free-ne-ginks
  • something else
[–] treadful@lemmy.zip 6 points 9 months ago

Friend-gin-ex

[–] AMillionMonkeys@lemmy.world 4 points 9 months ago (1 children)

They should parse it the same way as "postgresql".

[–] AtmaJnana@lemmy.world 5 points 9 months ago* (last edited 9 months ago) (1 children)

You mean "Postgres"?

shh

I call it this every chance I get because its like nails on a chalkboard to many DBAs.

edit: huh. both my clients have spoiler tags, but both are apparently broken. I can't decipher what Lemmy wants me to do for the markdown to fix it, probably the client not displaying it right.

[–] Skyhighatrist@lemmy.ca 2 points 9 months ago

Your spoiler tag works fine on the web client. That is the supported way to do spoilers on Lemmy. However, Sync, if you use that doesn't support Lemmy spoilers and only supports reddit spoilers. Unfortunately no matter what spoiler method you use, it will not work for someone, somewhere. There is no unified spoiler markup across the fediverse, but there really should be.

[–] xia@links.hackliberty.org 2 points 9 months ago

Assuming they keep the upstream pronunciation theory, I think it would be: fringe-n-x

[–] electricprism@lemmy.ml 1 points 9 months ago

Take a page from gnome and make the G silent for "reasons" ; P

[–] autotldr@lemmings.world 9 points 9 months ago

This is the best summary I could come up with:


A core developer of Nginx, currently the world's most popular web server, has quit the project, stating that he no longer sees it as "a free and open source project… for the public good."

Later that year, two of Nginx's leaders, Maxim Konovalov and Igor Sysoev, were detained and interrogated in their homes by armed Russian state agents.

While the criminal charges and rights do not appear to have materialized, the implications of a Russian company's intrusion into a popular open source piece of the web's infrastructure caused some alarm.

Comments on Hacker News, including one by a purported employee of F5, suggest Dounin opposed the assigning of published CVEs (Common Vulnerabilities and Exposures) to bugs in aspects of QUIC.

MegaZone wrote to Ars (noting that he only spoke for himself and not F5), stating, "It's an unfortunate situation, but I think we did the right thing for the users in assigning CVEs and following public disclosure practices.

F5 is committed to delivering successful open source projects that require a large and diverse community of contributors, as well as applying rigorous industry standards forassigning and scoring identified vulnerabilities.


The original article contains 833 words, the summary contains 188 words. Saved 77%. I'm a bot and I'm open source!