• A core developer of Nginx, the popular web server, has quit the project and started a fork called freenginx.
  • The developer cited disagreements with the new management at F5, which acquired Nginx Inc. in 2019, over security policies.
  • The dispute arose from the assigning of Common Vulnerabilities and Exposures (CVEs) to bugs in the experimental HTTP/3 code.

Archive link: https://archive.ph/U4XRN

  • @assembly
    link
    English
    669 months ago

    So I am a bit confused on this one. Why does this particular developer or anyone really, disagree with assigning CVEs to releases code? I mean I get that it is experimental but having associated CVEs adds to disclosure on the experimental features. What is the downside of the assigned CVEs? I was all ready to jump on F5 being wrong but it sounds like they may have taken the right position. Can someone elaborate on why that may not be the case?

    • Deebster
      link
      fedilink
      English
      469 months ago

      I think most people share your confusion. It seems that F5 was following their responsibility as a CNA, but one guy disagreed enough to leave with all his toys.

    • @just_another_person
      link
      English
      259 months ago

      I believe what this is saying is that management decided to only fix CVEs in certain versions going forward, instead of older versions. It’s hard to tell for sure.

      • @[email protected]
        link
        fedilink
        English
        129 months ago

        There was another article I read that had a snippet from F5. As I read it, their concern was that they have two release tracks: the paid/subscription track, and the free track. They are actually the same code, but the free track is just 2 releases behind, so the idea is that if you want the “latest and greatest” stuff, you gotta pay. It’s a fairly common strategy in the industry.

        So, the concern is that for security vulnerabilities that are not CVEs, info about the vulnerability (and how to exploit it) is out in the wild for two whole releases, before the patch reaches the free-tier users.

        Seems like an actively good position on F5’s part, from this angle.

        • @just_another_person
          link
          English
          79 months ago

          Not particularly when you consider it is standard practice to NOT be charging for CVE and emergency for released products from similar companies. Hell, even RedHat pushed upstream and downstream packages to CentOS if they were the first to patch. Happens with Canonical and the Debian team as well. This engineer saw what F5 was doing, thought it was wrong, and bailed. Seems like a valid response to me.

        • @neclimdul
          link
          English
          49 months ago

          Thanks for that.

          Its a weird that the couldn’t just choose to back port the fixes that have security implications even if it wouldn’t deserve a cve.

        • @mods_are_assholes
          link
          English
          29 months ago

          Just a reminder that most things nowadays that put greedy corporations into ‘a good position’ is detrimental to everyone else.

        • @[email protected]
          link
          fedilink
          English
          29 months ago

          What’s considered as a release in the nginx world?

          Any minor update or just the major updates?

          Eg. 1.25.4 was recently released. 4 months prior was 1.25.3. 2 months prior to that it was 1.25.2. etc