Hacker News new | ask | show | jobs
by johnklos 640 days ago
Someone who writes a response to a security vulnerability report, includes nobody else in the discussion, then leaves for vacation within 15 minutes of sending that report is irresponsible. Giving someone a week to respond is not unreasonable. If nobody responds in a week, it can safely be assumed that they don't take security seriously, and the responsible thing is to let the community know.

Spin it how you like, but the "we're too important to respond" shtick is old and tired.
3 comments
elorm 640 days ago
This is a very poor take.

The security team is composed of unpaid volunteers who work on numerous time-sensitive projects simultaneously. You may not be aware, but since a group of maintainers and contributors left earlier this year to form their own fork called "Lix," there have been many vacant positions across several Nix teams.

They actually held a meeting about the security issue earlier in the day before the disclosure and had reached out to the reporter(0).

The sense of entitlement here is pretty much rank because any animosity between the Lix team and Nix teams going forward will only be to the detriment of the Lix team. Everyone's really tight at the moment and no one is paid for this much drama every couple of months.

https://discourse.nixos.org/t/2024-09-09-nix-team-meeting-mi...

link
saghm 640 days ago
> The security team is composed of unpaid volunteers who work on numerous time-sensitive projects simultaneously. You may not be aware, but since a group of maintainers and contributors left earlier this year to form their own fork called "Lix," there have been many vacant positions across several Nix teams.

> The security team is composed of unpaid volunteers who work on numerous time-sensitive projects simultaneously. You may not be aware, but since a group of maintainers and contributors left earlier this year to form their own fork called "Lix," there have been many vacant positions across several Nix teams

Normally I'm sympathetic to claims about people being entitled to work from open source projects, but in this instance, I don't think this is the case. If this were a request for a feature or a bug without significant security impact, expecting any sort of timeline at all would be unreasonable, but I don't see how not having enough people to work on a project would imply that users should be left vulnerable for longer. In my opinion, it's much more "entitled" to demand that a known security bug in your own code base be hidden from your users because you would prefer to keep working on whatever you're currently doing.

link
grayhatter 640 days ago
> The security team is composed of unpaid volunteers who work on numerous time-sensitive projects simultaneously.

If the nix volunteers aren't held to reasonable security defect reporting standards, why do you hold the vulnerability reporter to higher standards? I'd say, if the rule is volunteers are able to YOLO with other users' security so can the reporters right?

link
johnklos 640 days ago
> before the disclosure and had reached out to the reporter(0).

First, the only link you provided doesn't look to be related to this issue.

Edit: I see it bizarrely redirects to "https://discourse.nixos.org/t/iohk-hiring-devops-with-nix-ex...". What happened to the minutes?

Second, I understand that it's run by volunteers, that they might not have the humanpower they need, and so on - as a volunteer who spends a good bit of time working on an open source project, I get it - but if someone's about to go on vacation, they shouldn't just fire off an email with no information and leave. They should reply with information: "I'm leaving for vacation and we have no other people to handle this", or "I can't do anything myself for the next week, but let's cc someone else", or something.

Also, when they finally did reach out, they didn't say it was being worked on, nor did they ask for an extension, nor give any kind of timeframe. Creating a point release means volunteers were working on things, and releasing it without the fix means they didn't take the security report seriously.

Unless someone shows me something that doesn't point to a completely opaque process, I have to say I would likely've done the same thing.

After all, if I reported something to an organization, and the organization didn't assure me they were working on it and offer some kind of time frame, and in the meanwhile released an update that didn't have a fix, I'd take that at face value: they just don't care about security (or don't understand the security implications, which is even worse - there's nothing wrong with being ignorant about a thing, but deciding to do nothing about a thing because of ignorance is inexcusable).

So was puck being malicious by releasing this information? I don't think so. If I were a Nix user, I'd want to know about a security issue that might affect me, so I'd welcome this as someone trying to help Nix users. If it hurts the Nix organization, then tough cookies. They should've taken action and communicated better.

Is the issue even fixed yet?

link
elorm 640 days ago
Can't tell what happened to the earlier link but I've fixed the it.

Puck was being malicious in releasing the information. There's no favourable way of describing disclosing a vulnerability on social media because the maintainers didn't meet your 7 day deadline.

It's more of "we're forcing their hands since they haven't met our expectations yet" thing.

There's so many ways they could've gotten a timely fix without "doing everyone a favour by not fully disclosing the entire 0 day." approach but like you said .... tough cookies all round.

And to answer your final question, there's a patch available.

https://github.com/NixOS/nixpkgs/pull/340885

link
3np 639 days ago
Calling the reporter malicious is not constructive and does not help Nix (even if you are right). From all I can tell, there was no request to extend the deadline or proactively coordinating disclosure when the reporter pushed for it. That would have been preferred and could have avoided this situation. I would hope for a later postmortem incorporating the lesson of more proactive communication with reporters.
link
soraminazuki 639 days ago
That the Nix team didn’t cooperate is a trivially disprovable excuse being pushed by people surrounding the fork.

https://matrix.to/#/!VRULIdgoKmKPzJZzjj:nixos.org/$tJgEBGqKs...

link
3np 639 days ago
Can we please stop this polarizing drama, from both sides? I never said that anyone wasn't cooperating. Quoting your link:

> > is there any update on the root escalation vulnerability in 2.24?

> Eelco is working on it, there's a patch on the GitHub advisory, we plan to get it out on Monday, but no promises yet if everything will get done by then

This is what I mean is not sufficient in terms of disclosure coordination... Doesn't seem like anyone was necessarily acting in bad faith, just mutual frustration and room for improvement on professionalism on all sides. Though I'd hold NixOS maintainers to a higher expectation of professionalism than random independent security researchers. The important thing is that people draw the right lessons. "The X people suck" isn't a valuable lesson for any value of X. And if you're seeing bad intent on the reporter and them trying to prove a point; well yeah, maybe, and point proven? Processes should cover for these eventualities.

link
NotEvil 640 days ago
That's not a patch. It's just downgrades the nix version to 23 in nixpkgs.

It doesn't help people who are already using the vulnerable version and also new users cuz installers install latest versions

link
grayhatter 640 days ago
> Puck was being malicious in releasing the information.

[citation needed]

> There's no favourable way of describing disclosing a vulnerability on social media because the maintainers didn't meet your 7 day deadline.

personally I'm grateful he didn't sit on a remote privexc vulnerability for 90days when he was confident it wasn't going to be fixed. I think you're conflating public disclosure (security though obscurity) with real harm, compromise due to the bug. If Puck found it, others who would gladly sell it for coin on the black market, would have found it.

link
RaitoBezarius 640 days ago
> The security team is composed of unpaid volunteers who work on numerous time-sensitive projects simultaneously. You may not be aware, but since a group of maintainers and contributors left earlier this year to form their own fork called "Lix," there have been many vacant positions across several Nix teams.

This is not true, there have been many vacant positions across several Nix teams because the original project has been unable to keep these people. When challenged about this inevitable situation of depleted labor, the answer of people involved in leadership was, "It's OK, we will have new people joining us anyway.".

Lix has been trying to connect with the Nix maintenance team, with very timid results from the Nix side. We continue to hope this will lead to a better cooperation.

Also, you say that they are "unpaid volunteers", the Nix maintenance team is composed of folks who have full-time responsibilities in VC companies who sells Nix-based products.

link
myst1c 640 days ago
> This is not true, there have been many vacant positions across several Nix teams because the original project has been unable to keep these people.

Might it have something to do with the culture of bullying and intimidation that you were responsible for on the Discourse?

[1] https://discourse.nixos.org/t/lix-an-independent-variant-of-...

link
3np 639 days ago
I've clicked through a bunch of your references and am yet to see any of the "bullying" you keep talking about across the thread... Please be more concrete and on-point or this is just ad-hominems, insinuations and drama...
link
anonfordays 639 days ago
I've clicked through a bunch of the references and definitely see lots of crybullying and clearly breaking the CoC. There was an example where the subject of this thread was temporarily banned.
link
myst1c 638 days ago
The crybullying in the nearby comment is part of the observation. The two people in that thread have been ganging up on others in the Nix community for months now. Another thread[1]; note the same couple people.

> For example, you were able to dedicate two hours twice a week to attending meetings that you were not welcome at. A lot of people were not able to do that; they did not have the time or energy levels to be able to afford that in the first place.

> What I’m trying to say here is: yes, your situation sucked, and it should not have been necessary. But imagine how much more this might have sucked for other people who did not even have the affordances that you had to cope with this(...)

Then the other person:

> Your projects had multiple issues that were clear and apparent to outsiders that leaked outside your team and had to become a Nixpkgs problem (as I had to become against my own will a Nix maintainer in Nixpkgs). You never acted on that, you never took the necessary actions to show that you (:= your team) know how to manage an open source project.

(...)

> I feel you on the sadness. I am sorry you feel like this. Likewise, I remember what it was for me for the past year to feel like shit when I received this message

This is pretty classic abusive breaking someone down to build them up and tell them how the abuser was much worse off, and the reports from several meetings are much worse. Hitlists of people to remove from the project, that sort of thing. The power games going on are frankly sick, and the most unprofessional thing I have ever heard of in an open source project.

All I'm saying: try to get the other side's perspective. I think there are many people tired of this behavior. When it is presented with a one-sided perspective, the solution seems obvious, but this hostility has colored the past few months of interaction in the Nix community.

[1] https://discourse.nixos.org/t/objection-to-minority-represen...

link
srid 639 days ago
And this?

https://discourse.nixos.org/t/delroths-muting-in-the-moderat...

link
soraminazuki 640 days ago
> If nobody responds in a week, it can safely be assumed that they don't take security seriously, and the responsible thing is to let the community know.

That's an if that did not happen:

> Eelco is working on it, there's a patch on the GitHub advisory, we plan to get it out on Monday, but no promises yet if everything will get done by then

https://matrix.to/#/!VRULIdgoKmKPzJZzjj:nixos.org/$tJgEBGqKs...

link
exe34 640 days ago
that's a bit entitled. I'm coming over for dinner, I hope you're prepared.
link
saghm 640 days ago
This isn't "I'm entitled to free dinner", this is "your dinner guests are getting sick from food poisoning, and you're demanding I don't tell them".
link
exe34 640 days ago
it's free food.
link
saghm 639 days ago
So it's okay to knowingly poison people and cover up the fact, as long as you don't charge them?
link
exe34 639 days ago
I don't think anybody got poisoned.
link