John Helmert III wrote:
> So much yapping on the mailing lists, and no response in the bug which
> triggered the last rites...

Apologies if I responded in the wrong forum. I thought on list would
be good, why are those mails on the list if not?

> So, Peter, do you use Boa?

Not right now, but I have before and I might again.

> If you do, what niche does it fill that isn't filled by anything else?

That's a strange question. Why should I agree with or even
reconfigure because of something that is in fact an error?

I ask you to revert the lastrite not because it would break a use
case of mine but because the CVEs do not apply to boa itself but to
some unknown appliance that uses boa to serve unknown buggy CGI scripts.

> There are multiple CVEs for it, is it really on us to discriminate
> between which CVEs are valid and which are not?

Yes.

You are obviously /not/ responsible for what bogus CVEs people may
report, but we're all responsible for the commits we create.

I assume that everyone wants to improve the overall state with each
commit - that we want to make things more correct since that's what
enables reliability, hence yes: it really is on every one of us to
verify our inputs before taking action on them.

> We can't possibly hope to do that accurately in all cases.

Sometimes it will be easy, other times less easy.

In this case the CVEs could be dismissed by searching the source code
for the file names in the CVEs. Or by having experience with what the
package provides, in particular that it doesn't include any CGI scripts.

Maybe the accurate bigger picture is that no (current) Gentoo developer
knows enough about the package and thus can't be expected to action
such bogus CVEs correctly without a couple of minutes of investigation,
which would be too long, then I guess maintainer-needed is the most honest?

The mere existence of CVEs can not be reason enough for any change,
that would mean resignation to fear instead of encouraging rational
behavior as required to actually improve technology. It would also
create incentive for permanent denial-of-service attacks by way of
bogus CVEs manipulating people into incorrect lastrites and other
changes. I don't want that to become common.

My question about the lastriting process was not an attack but a
genuine inquiry. The answer I receive so far is something like
"it can't work better because we react indiscriminately to CVEs",
that's an honest answer (thank you!) but not great quality. Does
everyone mostly agree with that policy?

Thanks

//Peter
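A small triage helper for the check Peter describes above ("search the source code for the file names in the CVEs"), added here as an example; it is not part of the thread and not Boa's or Gentoo's own tooling. The mini source tree, the CVE ids and the descriptions are constructed placeholders, and the path-matching regex is an assumed heuristic.

```python
import os
import re
import tempfile

# Tokens that look like an absolute path ("/cgi-bin/webproc") or a file name
# with a source/config extension ("request.c"). Constructed heuristic.
PATH_RE = re.compile(r"(?:/[\w.\-]+)+|\b[\w\-]+\.(?:cgi|c|h|conf|sh)\b")


def referenced_files(description):
    """Base names of the files a CVE description mentions."""
    return {os.path.basename(m) for m in PATH_RE.findall(description)}


def source_basenames(src_root):
    """Base names of every file shipped in the package source tree."""
    names = set()
    for _dirpath, _dirs, files in os.walk(src_root):
        names.update(files)
    return names


def triage(cves, src_root):
    """Map each CVE id to 'in-tree', 'not-in-tree' or 'no-file-reference'.

    'not-in-tree' means every file the advisory names is absent from the
    package itself, i.e. the report likely concerns an appliance's CGI
    scripts rather than the server; it should be reviewed, not acted on blindly.
    """
    present = source_basenames(src_root)
    verdict = {}
    for cve_id, desc in cves.items():
        refs = referenced_files(desc)
        if not refs:
            verdict[cve_id] = "no-file-reference"
        elif refs & present:
            verdict[cve_id] = "in-tree"
        else:
            verdict[cve_id] = "not-in-tree"
    return verdict


def demo():
    """Triage constructed CVE texts against a constructed mini source tree."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "src"))
        for name in ("boa.c", "cgi.c", "request.c"):  # constructed tree
            open(os.path.join(root, "src", name), "w").close()
        cves = {  # placeholder ids, not real advisories
            "CVE-XXXX-0001": "Stack overflow in /cgi-bin/webproc on an appliance using Boa.",
            "CVE-XXXX-0002": "Heap overflow in request.c when parsing long headers.",
            "CVE-XXXX-0003": "Denial of service via crafted requests.",
        }
        return triage(cves, root)
```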