by johnklos 640 days ago
> before the disclosure and had reached out to the reporter(0).

First, the only link you provided doesn't look to be related to this issue.

Edit: I see it bizarrely redirects to "https://discourse.nixos.org/t/iohk-hiring-devops-with-nix-ex...". What happened to the minutes?

Second, I understand that it's run by volunteers, that they might not have the humanpower they need, and so on - as a volunteer who spends a good bit of time working on an open source project, I get it - but if someone's about to go on vacation, they shouldn't just fire off an email with no information and leave. They should reply with information: "I'm leaving for vacation and we have no other people to handle this", or "I can't do anything myself for the next week, but let's cc someone else", or something.

Also, when they finally did reach out, they didn't say it was being worked on, nor did they ask for an extension, nor give any kind of timeframe. Creating a point release means volunteers were working on things, and releasing it without the fix means they didn't take the security report seriously.

Unless someone shows me something that doesn't point to a completely opaque process, I have to say I would likely have done the same thing.

After all, if I reported something to an organization, and the organization didn't assure me they were working on it and offer some kind of time frame, and in the meanwhile released an update that didn't have a fix, I'd take that at face value: they just don't care about security (or don't understand the security implications, which is even worse - there's nothing wrong with being ignorant about a thing, but deciding to do nothing about a thing because of ignorance is inexcusable).

So was puck being malicious by releasing this information? I don't think so. If I were a Nix user, I'd want to know about a security issue that might affect me, so I'd welcome this as someone trying to help Nix users. If it hurts the Nix organization, then tough cookies. They should've taken action and communicated better.

Is the issue even fixed yet?


Can't tell what happened to the earlier link, but I've fixed it.

Puck was being malicious in releasing the information. There's no favourable way of describing disclosing a vulnerability on social media because the maintainers didn't meet your 7 day deadline.

It's more of a "we're forcing their hands since they haven't met our expectations yet" thing.

There are so many ways they could've gotten a timely fix without the "doing everyone a favour by not fully disclosing the entire 0 day" approach, but like you said... tough cookies all round.

And to answer your final question, there's a patch available.

https://github.com/NixOS/nixpkgs/pull/340885

Calling the reporter malicious is not constructive and does not help Nix (even if you are right). From all I can tell, there was no request to extend the deadline or proactively coordinating disclosure when the reporter pushed for it. That would have been preferred and could have avoided this situation. I would hope for a later postmortem incorporating the lesson of more proactive communication with reporters.

That the Nix team didn't cooperate is a trivially disprovable excuse being pushed by people surrounding the fork.

https://matrix.to/#/!VRULIdgoKmKPzJZzjj:nixos.org/$tJgEBGqKs...

Can we please stop this polarizing drama, from both sides? I never said that anyone wasn't cooperating. Quoting your link:

> > is there any update on the root escalation vulnerability in 2.24?

> Eelco is working on it, there's a patch on the GitHub advisory, we plan to get it out on Monday, but no promises yet if everything will get done by then

This is what I mean: it is not sufficient in terms of disclosure coordination... Doesn't seem like anyone was necessarily acting in bad faith, just mutual frustration and room for improvement on professionalism on all sides. Though I'd hold NixOS maintainers to a higher expectation of professionalism than random independent security researchers. The important thing is that people draw the right lessons. "The X people suck" isn't a valuable lesson for any value of X. And if you're seeing bad intent on the reporter and them trying to prove a point; well yeah, maybe, and point proven? Processes should cover for these eventualities.

The thing is, the reporter is not a random independent security researcher. She's a core team member of Lix, the fork, and is no stranger to the Nix community. This incident directly relates to the wider conflict between the two projects. That's why people are upset.

So you're saying out loud that the person reporting the issue matters. It shouldn't matter who tells you that you have a security issue.

That's not a patch. It just downgrades the nix version to 23 in nixpkgs.

It doesn't help people who are already using the vulnerable version, and also not new users, because installers install the latest versions.

> Puck was being malicious in releasing the information.

[citation needed]

> There's no favourable way of describing disclosing a vulnerability on social media because the maintainers didn't meet your 7 day deadline.

personally I'm grateful he didn't sit on a remote privesc vulnerability for 90 days when he was confident it wasn't going to be fixed. I think you're conflating public disclosure (security through obscurity) with real harm, i.e. compromise due to the bug. If Puck found it, others who would gladly sell it for coin on the black market would have found it.