
189 points udev4096 | 2 comments
1. BeefWellington No.42138393
I think most of the other commenters trying to suggest that RH is arm's-length on Keycloak are missing that most of the core contributors work for Red Hat.

> I am a strong proponent of open source. However, I believe that those who develop important projects should carefully consider the impact that their work can have. I think that for a centralized authentication system, a bypass of the two-factor authentication should be solved or at least mitigated in a timely manner: 10 months is a lot of time to fix a core feature of a security product.

What does the author propose as the solution here? Simply saying "you should be careful" isn't a solution. If you proposed a fix, where was the PR? Why is there no further discussion of what the holdups were?

My guess here, not being privy to internal communications: the Red Hat folks were probably worried that a simple change like increasing the required access to add another 2FA would break some other functionality, or cause logical loopholes for situations where a user loses access to their 2nd factors. The result was that they were exceedingly careful/slow to get to testing and validation. Doesn't make it right. This guess comes from what I observed in my previous time at IBM -- I saw a lot of the company's open source contributions hung up in similar ways.

replies(1): >>42138479 #
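The comment above guesses that the fix involved "increasing the required access to add another 2FA" and worries about users who lose their second factors. The following is an added illustration of that kind of policy, written for this thread and not taken from Keycloak or Red Hat: a weak enrollment rule that lets any logged-in session register a new factor, beside a hardened rule that treats enrollment as a privileged action requiring a recent verification of an existing factor, plus an audited administrator reset as the recovery path. All names (`Session`, `Account`, `REAUTH_WINDOW_SECONDS`, the sample accounts) are hypothetical.

```python
"""Step-up check before enrolling an additional second factor (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical policy knob: how recent a strong authentication must be (seconds).
REAUTH_WINDOW_SECONDS = 300


@dataclass
class Session:
    user: str
    authenticated_at: float                            # first factor (password) verified at
    second_factor_verified_at: Optional[float] = None  # None: no 2FA verified on this session
    is_admin: bool = False


@dataclass
class Account:
    username: str
    second_factors: list = field(default_factory=list)  # ids of enrolled factors
    audit: list = field(default_factory=list)           # reviewable trail of changes


class EnrollmentDenied(Exception):
    pass


def enroll_second_factor_weak(account, session, factor_id):
    """Weak policy: any logged-in session may add a factor.

    A session that only ever saw the password (or a stolen session cookie)
    can register an attacker-controlled second factor, which is the shape
    of bug the thread is discussing.
    """
    if session.user != account.username:
        raise EnrollmentDenied("session does not belong to this account")
    account.second_factors.append(factor_id)
    return account


def enroll_second_factor(account, session, factor_id, now):
    """Hardened policy: adding a factor is a privileged action."""
    if session.user != account.username:
        raise EnrollmentDenied("session does not belong to this account")
    if account.second_factors:
        # Account is already protected: require a *recent* verification of an
        # existing factor on this very session (step-up), not just a login.
        verified = session.second_factor_verified_at
        if verified is None or now - verified > REAUTH_WINDOW_SECONDS:
            raise EnrollmentDenied("re-verify an existing second factor first")
    else:
        # Bootstrapping the first factor: a recent first-factor login suffices.
        if now - session.authenticated_at > REAUTH_WINDOW_SECONDS:
            raise EnrollmentDenied("recent login required")
    account.second_factors.append(factor_id)
    account.audit.append(("enroll", factor_id, now))
    return account


def admin_reset_second_factors(account, admin_session, now, reason):
    """Recovery path for a user who lost every second factor.

    An administrator clears the factors; the reset is recorded with who did
    it and why, so the loophole the commenter worries about stays reviewable.
    """
    if not admin_session.is_admin:
        raise EnrollmentDenied("administrator session required")
    removed = list(account.second_factors)
    account.second_factors.clear()
    account.audit.append(("admin_reset", admin_session.user, reason, removed, now))
    return removed


def enrollment_allowed(account, session, factor_id, now):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        enroll_second_factor(account, session, factor_id, now)
        return True
    except EnrollmentDenied:
        return False


if __name__ == "__main__":
    alice = Account("alice", ["totp-1"])
    password_only = Session("alice", authenticated_at=1000.0)
    print("weak policy accepts:", enroll_second_factor_weak(Account("alice", ["totp-1"]), password_only, "totp-x").second_factors)
    print("hardened, password-only session:", enrollment_allowed(alice, password_only, "totp-2", now=1100.0))
    stepped_up = Session("alice", authenticated_at=1000.0, second_factor_verified_at=1050.0)
    print("hardened, stepped-up session:", enrollment_allowed(alice, stepped_up, "totp-2", now=1100.0))
```

The design choice here is that the hardened rule keys off the session's own recent second-factor verification rather than a generic "is logged in" flag, so a session created from the password alone cannot grow itself a new factor; the admin reset exists precisely because such a rule otherwise strands users who lose their devices.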
2. brabel No.42138479
The author seems to be suggesting that if you don't have time to fix even basic security bugs in a security project, you may want to consider archiving it and making sure people know your project is unmaintained?! I kind of agree with that because lots of businesses may be impacted by this kind of bug, and if they knew the project was no longer maintained effectively, they might have considered migrating elsewhere.