by abhinavk 650 days ago
More context:

> The vulnerability report doesn’t mention it directly, but the discussion thread about it on Fedi gives some more context on that deadline: the reporter has had several previous vulnerability reports completely ignored by the Nix development team, including one open since February and still untriaged. The Nix development team received and acknowledged this new Nix 2.24 vulnerability on August 30th (so, > 9 days ago) and they seem to have mostly sat on it until today (the reporter received no further comms), to the extent that a new point release of Nix was released a few days after the vuln was reported and did not contain a fix.

Source: https://lobste.rs/s/ixb3v7/nix_2_24_is_vulnerable_remote_pri...

The first one from Feb: https://matrix-client.matrix.org/_matrix/media/v3/download/p...

It's a community project run by volunteers, but I don't think such a response ("Impact: blabla") to a vulnerability gives a good impression to your users.


This is a "both things are true" situation.

There is a group working to smear Nix, Eelco, and everyone related to the project who are now playing the innocent victims and pretending they didn't sign a letter that started with the words "Eelco Dolstra’s leadership is corrosive to the Nix project." This is where people citing GH issue templates that contain "blabla" reinforce the narrative that the people who were working with Puck to solve the issue before she dropped a zero-day in public are somehow irresponsible. It is just that: a narrative. Everyone cannot stop staring at the sheer amount of narcissism on display in support of this narrative.

The grain of truth is that it's probably not Puck's fault, and the security disclosure process could also be improved since it's evident a ball was accidentally dropped somewhere. More points of constant contact involved in solving these problems are good for everyone.