this post was submitted on 15 Feb 2024
127 points (100.0% liked)

Open Source

[–] RobotToaster@mander.xyz 43 points 9 months ago

Seems like open source can't go a week without drama caused by c-suite lately.

[–] cyborganism@lemmy.ca 16 points 9 months ago (1 children)

Huh. I didn't even know F5 was Russian. I didn't even know they were behind nginx.

I'm so disconnected.

I'm also surprised to see F5 technologies being used even though it's Russian.

[–] catacomb 12 points 9 months ago

F5 is American, they just had a Moscow office.

However, the creator of nginx, Igor Sysoev, is Russian.

[–] BaumGeist@lemmy.ml 15 points 9 months ago

Context:

TLDR: The devs don't like bugs in released software being assigned CVEs, which requires a special security update instead of a standard bugfix included in the regular update cycle.

:The most recent "security advisory" was released despite the fact
: that the particular bug in the experimental HTTP/3 code is
: expected to be fixed as a normal bug as per the existing security
: policy, and all the developers, including me, agree on this.
:
: And, while the particular action isn't exactly very bad, the
: approach in general is quite problematic.

There was no public discussion. The only discussion I'm aware of
happened on the security-alert@ list, and the consensus was that
the bug should be fixed as a normal bug. Still, I was reached
several days ago with the information that some unnamed management
requested an advisory and security release anyway, regardless of
the policy and developers position.

And nginx's announcement about these CVEs

Historically, we did not issue CVEs for experimental features and instead would patch the relevant code and release it as part of a standard release. For commercial customers of NGINX Plus, the previous two versions would be patched and released to customers. We felt that not issuing a similar patch for NGINX Open Source would be a disservice to our community. Additionally, fixing the issue in the open source branch would have exposed users to the vulnerability without providing a binary.

Our decision to release a patch for both NGINX Open Source and NGINX Plus is rooted in doing what is right – to deliver highly secure software for our customers and community. Furthermore, we’re making a commitment to document and release a clear policy for how future security vulnerabilities will be addressed in a timely and transparent manner.

[–] synae@lemmy.sdf.org 11 points 9 months ago

Stuff like this is a great reminder of the power of Open Source. Even if it's inconvenient for the downstream user (/admin/etc), it contributes to strengthening software as a whole.

[–] N0x0n@lemmy.ml 11 points 9 months ago

Haha... It actually makes sense that something complex like nginx is created by some genius Russian guy.