this post was submitted on 16 Feb 2024
207 points (98.1% liked)

Technology

59605 readers
3302 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 
  • A core developer of Nginx, the popular web server, has quit the project and started a fork called freenginx.
  • The developer cited disagreements with the new management at F5, which acquired Nginx Inc. in 2019, over security policies.
  • The dispute arose from the assigning of Common Vulnerabilities and Exposures (CVEs) to bugs in the experimental HTTP/3 code.

Archive link: https://archive.ph/U4XRN

you are viewing a single comment's thread
view the rest of the comments
[–] assembly@lemmy.world 66 points 9 months ago (7 children)

So I am a bit confused on this one. Why does this particular developer or anyone really, disagree with assigning CVEs to releases code? I mean I get that it is experimental but having associated CVEs adds to disclosure on the experimental features. What is the downside of the assigned CVEs? I was all ready to jump on F5 being wrong but it sounds like they may have taken the right position. Can someone elaborate on why that may not be the case?

[–] just_another_person@lemmy.world 25 points 9 months ago (5 children)

I believe what this is saying is that management decided to only fix CVEs in certain versions going forward, instead of older versions. It's hard to tell for sure.

[–] JakenVeina@lemm.ee 12 points 9 months ago (4 children)

There was another article I read that had a snippet from F5. As I read it, their concern was that they have two release tracks: the paid/subscription track, and the free track. They are actually the same code, but the free track is just 2 releases behind, so the idea is that if you want the "latest and greatest" stuff, you gotta pay. It's a fairly common strategy in the industry.

So, the concern is that for security vulnerabilities that are not CVEs, info about the vulnerability (and how to exploit it) is out in the wild for two whole releases, before the patch reaches the free-tier users.

Seems like an actively good position on F5's part, from this angle.

[–] lemmyingly@lemm.ee 2 points 9 months ago

What's considered as a release in the nginx world?

Any minor update or just the major updates?

Eg. 1.25.4 was recently released. 4 months prior was 1.25.3. 2 months prior to that it was 1.25.2. etc

load more comments (3 replies)
load more comments (3 replies)
load more comments (4 replies)