| 1 |
John Helmert III wrote: |
| 2 |
> So much yapping on the mailing lists, and no response in the bug which |
| 3 |
> triggered the last rites... |
| 4 |
|
| 5 |
Apologies if I responed in the wrong forum. I thought on list would |
| 6 |
be good, why are those mails on the list if not? |
| 7 |
|
| 8 |
|
| 9 |
> So, Peter, do you use Boa? |
| 10 |
|
| 11 |
Not right now, but I have before and I might again. |
| 12 |
|
| 13 |
|
| 14 |
> If you do, what niche does it fill that isn't filled by anything else? |
| 15 |
|
| 16 |
That's a strange question. Why should I agree with or even |
| 17 |
reconfigure because of something that is in fact an error? |
| 18 |
|
| 19 |
I ask you to revert the lastrite not because it would break a use |
| 20 |
case of mine but because the CVEs do not apply to boa itself but to |
| 21 |
some unknown appliance that uses boa to serve unknown buggy CGI scripts. |
| 22 |
|
| 23 |
|
| 24 |
> There are multiple CVEs for it, is it really on us to discriminate |
| 25 |
> between which CVEs are valid and which are not? |
| 26 |
|
| 27 |
Yes. |
| 28 |
|
| 29 |
You are obviously /not/ responsible for what bogus CVEs people may |
| 30 |
report, but we're all responsible for the commits we create. |
| 31 |
|
| 32 |
I assume that everyone wants to improve the overall state with each |
| 33 |
commit - that we want to make things more correct since that's what |
| 34 |
enables reliability, hence yes: it really is on every one of us to |
| 35 |
verify our inputs before taking action on them. |
| 36 |
|
| 37 |
|
| 38 |
> We can't possibly hope to do that accurately in all cases. |
| 39 |
|
| 40 |
Some times it will be easy, other times less easy. |
| 41 |
|
| 42 |
In this case the CVEs could be dismissed by searching the source code |
| 43 |
for the file names in the CVEs. Or by having experience with what the |
| 44 |
package provides, in particular that it doesn't include any CGI scripts. |
| 45 |
|
| 46 |
Maybe the accurate bigger picture is that no (current) Gentoo developer |
| 47 |
knows enough about the package and thus can't be expected to action |
| 48 |
such bogus CVEs correctly without a couple of minutes of investigation, |
| 49 |
which would be too long, then I guess maintainer-needed is the most honest? |
| 50 |
|
| 51 |
The mere existance of CVEs can not be reason enough for any change, |
| 52 |
that would mean resignation to fear instead of encouraging rational |
| 53 |
behavior as required to actually improve technology. It would also |
| 54 |
create incentive for permanent denial-of-service attacks by way of |
| 55 |
bogus CVEs manipulating people into incorrect lastrites and other |
| 56 |
changes. I don't want that to become common. |
| 57 |
|
| 58 |
My question about the lastriting process was not an attack but a |
| 59 |
genuine inquiry. The answer I receive so far is something like |
| 60 |
"it can't work better because we react indiscriminately to CVEs", |
| 61 |
that's an honest answer (thank you!) but not great quality. Does |
| 62 |
everyone mostly agree with that policy? |
| 63 |
|
| 64 |
|
| 65 |
Thanks |
| 66 |
|
| 67 |
//Peter |
Archives