Hacker News new | ask | show | jobs
by nrabulinski 644 days ago
The deadline was literally publicly available in the public matrix channel which anyone can read even without a matrix account. The reporter also said they were willing to extend the deadline, if the nix team reached out. They didn’t and chose to ignore the publicly available messages. Given past experiences (it’s not the first vulnerability that was outright ignored) I think it’s fair to say “you have a week to respond, otherwise I’m dropping the vuln”. If only they responded and said “hey, we’re working on this but we need more time” nothing would’ve happened. But they didn’t.
1 comments
soraminazuki 644 days ago
That's just flat out false. Both parties admit that the author and Nix maintainers were in touch regarding this vulnerability. Public accounts and meeting minutes prove that Nix maintainers were preparing a fix.

The short deadline was only mentioned once, again separate from where the main discussion took place. There are dozens of Nix Matrix channels and so many messages being exchanged there every day. It's easy to miss. The author isn't a newcomer to Nix and most certainly knows this too. So the way the author dropped the 0 day on social media was outright and needlessly hostile considering that the vulnerability was acknowledged and being worked on.

link
nrabulinski 644 days ago
We must have different definitions of “being in touch”. Sending an email and going on vacation, then actively ignoring incoming messages isn’t being in touch. And I don’t blame the person from the Nix team who went on vacation, but not forwarding the researcher to anyone else is solely on the nix team. They responded to the message in the matrix channel which included the deadline so they were well aware of it. If they knew they wouldn’t be able to release the fix before the deadline, they could’ve (and should’ve) asked for an extension. Which they did not
link
soraminazuki 644 days ago
This message was sent last Sunday in a public Matrix discussion involving the author.

> Eelco is working on it, there's a patch on the GitHub advisory, we plan to get it out on Monday, but no promises yet if everything will get done by then

https://matrix.to/#/!VRULIdgoKmKPzJZzjj:nixos.org/$tJgEBGqKs...

In what world is this "not being in touch," "actively ignoring messages," or "not forwarding the researcher to anyone else"? Also, Nix maintainers clearly state in the Mastodon thread that they weren't "aware" of the deadline. Very different definitions of words indeed.

link