Yeah, from a rando this would be just bad vagueposting but Rachel is absolutely someone who could know about a very good reason why we should uninstall atop but be unable to legally say why. I would heed her warning.
I would disagree and still say that this is bad vagueposting. It doesn't matter how reputable the source is: if you say "don't do X" but don't give a reason why, I'm not inclined to listen. Granted I don't use atop anyways, but I don't think a vague blog post - even one from a respected person - is sufficient justification to change what software one uses.
This seems completely backwards... if someone says to do something but doesn't give a reason, then the ONLY thing to base your decision on whether to listen is their reputation and your trust in them.
If someone I trust tells me to trust them, I will.
First, I decided I am going to avoid atop. Even if Rachel would be wrong, it doesn't hurt not to use some specific software I don't depend on.
> If someone I trust tells me to trust them, I will.
Huh? When I trust someone, then I trust already and there's no need being told to trust. When I don't trust someone, then I run away when being told to trust. Hell, if someone tells me to trust them, it's a red flag and I drop the trust.
Your belief seems to hinge on the idea that there are zero situations where someone could need you to trust them but doesn't have the ability to tell you why.
I think there ARE some situations like that, especially when the conversation is public like this. It is pretty easy to think of a lot of good reasons why Rachel can't explain why you need to trust them in this situation. I think saying, "I can't tell you why, please trust me" is a perfectly reasonable thing for someone you trust to say, and I would absolutely listen to them if they say that.
That seems... whatever the opposite of pragmatic is, but not in a good way, as in "principled". There are very good reasons one would be required to be vague in a situation like this, but still know about a very serious issue.
It's like seeing a road sign that says "danger ahead" and ignoring it because it wasn't very specific. It's just... not a sensible move.
Yeah, this is the behavior of the stuffy administrator in an '80s sci-fi comedy, minutes before the horror the heroes are trying to warn him about is unleashed.
The only question left is "who is going to deliver the quippy one-liner afterwards?"
"Don't go down 6th street now" means very different things depending on whether it comes from your buddy, or the bomb squad.
> if you say "don't do X" but don't give a reason why, I'm not inclined to listen.
I hear ya, but, there are sometimes valid reasons people can't say things; and this may well be one of those times. You have every right to do as you like, but it's not necessarily smart now that you've been warned by a respected professional.
Lol, this is going over my head a bit, but in case I was misunderstood, I had a role once that was secops adjacent but not strictly "security," just ended up doing a lot of favors for a security team. There was a recommendation that was super low hanging with extremely high impact, but the sec team determined it was "too low risk to action on without better reasoning" or something, they got hit pretty hard by it and I was involved in some triage, shaking my head the entire time. Very similar reasoning. "I need a bulletproof reason to update or change something" is like, to me, not a productive attitude.
Skimming through the code (particularly from past issues and PRs) highlights a number of things that look sketchy to me at first glance (in a coding-practices way, not in a malicious way). My gut feeling is that someone smarter than me going through much of this with a fine-toothed comb would likely find something exploitable.
It could also be any number of other things too, like it's severe enough that the author feels it's responsible to wait for mitigation efforts before disclosing anything about the issue that could lead to it being exploited.
"screams NDA" is not the same as "might be covered under an NDA". And in any case, very likely the said company has already taken mitigative action like removing atop already.