Nginx gets forked by core developer
This sounds like dev sour grapes, but what the company was asking them to do seems better from the customer pov and for cyber security in general.
As a developer myself (though not on the level of these guys): sorry, but just, no.
The key point is this:
[...] we did not issue CVEs for experimental features and instead would patch the relevant code and release it as part of a standard release.
Emphasis mine. In software, features marked as "experimental" usually are not meant to be used in a production environment, and if they are, it's in a "do it at your own risk" understanding. Software features in an experimental state are expected to be less tested and have bugs - it's essentially a "beta" feature. It has a security bug? Tough - you weren't supposed to be using it in a security-sensitive environment in the first place. It sounds perfectly reasonable to me that it should be addressed in a normal release as opposed to an out-of-band one.
We can argue if forking the project is or isn't extreme, but the devs absolutely have good reason to be pissed. This is typical management making decisions without understanding technical nuances and - from what is being told by the devs - not talking it through before doing it.
You're not missing anything, dude just threw a hissy fit because he's not the king of his fiefdom anymore.
F5 is American, they just had a Moscow office.
However the creator of nginx, Igor Sysoev, is Russian.
I don't think F5 is Russian, but Maxim might be?
Also, they did not create nginx, but bought it a while back.
You're not alone in any of that.
The CVE thing seems to be the straw that broke the camel's back, if anything. It seems a bit fucky to expect a core maintainer to work on your project without pay because you wanted to look virtuous by firing them during the initial invasion of Ukraine.
I'm sure if they, yaknow, paid him, the corporate procedures he was still bound to wouldn't be so bad.
Doubt freenginx will get far, mind you, but I don't think it's entirely fair to call his reaction "sour grapes".
Stuff like this is a great reminder about the power of Open Source. Even if it's inconvenient for the downstream user(/admin/etc), it contributes to strengthening software as a whole
user(/admin/etc)
/etc/{admin,user}
FTFY
Lol, thanks
Haha... It actually makes sense that something complex like nginx is created by some genius Russian guy.
Yeah fuck 'em ruskies, amirite? Gotta be so dumb to choose the wrong nationality at birth, jeansibelius didn't make that mistake, look at him go!
Seems like open source can't go a week without drama caused by c-suite lately.
Seems like corporate greed can't go a week without enshitting on an open source project.
You could have ended that sentence with enshitting and still been correct.
Nah, c suite was pretty clearly in the right here. Dude left because he was pissed that a vulnerability got assigned a CVE instead of just... Not informing anyone so they could quietly fix it.
It's an experimental feature. It doesn't need a bugfix release because you're not supposed to run it in production, and it's just a DoS, not privilege escalation or something.
Have you looked into the CVE? Apparently it is a non-issue. You could use it to DoS a service that has an experimental feature enabled, which is disabled by default, on a non-stable version. I understand the dev. CVEs should be for serious issues. And they alerted their users over an email list.
It can be used for DoS, as it is crashing workers, but they will be restarted anyway.