• @startlefrenzy
    link
    English
    381 year ago

    Glad to see Lemmy is responding quick to exploits. Does Lemmy have a plan to prevent any other exploits that may be lying around such as a routine security audit?

    • @[email protected]OPM
      link
      fedilink
      English
      691 year ago

      All the code is open source, everyone is welcome to look through it for potential problems and report/fix them. we dont have any money to pay for a professional audit. Maybe there are some organizations which would do audits of open source projects for free, might be worth searching for.

      • @Zeth0s
        link
        English
        251 year ago

        We use sonarqube for code analysis that is pretty nice and has a community edition. It isn’t a bullet proof solution, but it is pretty convenient for maintainers and reviewers of PRs. The only thing missing from the enterprise edition are useless flashy dashboards to show to people who don’t understand computers

        • @[email protected]
          link
          fedilink
          English
          101 year ago

          I do have a Sonarqube server somewhere around. Is it considered an annoying behavior to scan an open source project and open issues for others to fix?

          • @[email protected]OPM
            link
            fedilink
            English
            231 year ago

            That depends, it would be annoying if you open lots of issues for minor, unimportant issues. But if you find a few major problems its good to report them. Of course its always ideal if you submit fixes as well, because there are never enough devs.

          • @JoeKrogan
            link
            English
            31 year ago

            I think its better to detect something early even if there is not a fix as it at least can be triaged and others can fix it if the original reporter is unable to devote the time or whatever

          • @Zeth0s
            link
            English
            21 year ago

            Better ask the lead developers… :)

          • @Zeth0s
            link
            English
            11 year ago

            No, you are right… Time to hire 3 PMOs per developer to copy and paste random numbers in well formatted tables on outlook, and send it around in the mailing list with CIO and directors.

            And publicly shame developers if some meaningless number goes down

            /s

  • Lvxferre
    link
    fedilink
    English
    161 year ago

    Given that the exploit was literally yesterday, you guys are damn fast!

  • Nick
    link
    fedilink
    English
    11 year ago

    Hey one quick question… the Ansible playbook doesn’t look like it’s been updated to 0.18.2 or at least the instructions don’t state how to pull it. Any chance this could get fixed/clarified in the release notes?