←back to thread

An analysis of the Keycloak authentication system

(security.humanativaspa.it)
189 points udev4096 | 2 comments | 14 Nov 24 13:32 UTC | HN request time: 0s | source
Show context
mickael-kerjean ◴[14 Nov 24 14:57 UTC] No.42136723[source]
What if instead of publicly blaming an OSS product, you try to get a support contract with some of the engineers behind it? If your company is too cheap for that, maybe a PR would have been nice?

Having very high expectations when using the software without contributing anything else than public shaming on something that clearly state in the license: "Licensor provides the Work ... WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND" shouldn't be ok, this is quite literally how you make open source developer to burn out

replies(7): >>42136837 #>>42136872 #>>42136966 #>>42137033 #>>42137338 #>>42137517 #>>42137650 #
some_furry ◴[14 Nov 24 15:06 UTC] No.42136837[source]
> What if instead of publicly blaming an OSS product, you try to get a support contract with some of the engineers behind it? If your company is too cheap for that, maybe a PR would have been nice?

Yeah, no. That's not how security research works.

If I disclose a security issue to you, it doesn't matter if you're a multinational trillion dollar corporation or a hobbyist in Nebraska, the onus is on you to fix it. Not the security researcher. Their job is done once it's disclosed.

From the timeline:

> 28/03/2024 – First communication sent with all details and a proposed fix.

After that point, any additional help (including a pull request) is going above and beyond.

I run into this attitude you're exhibiting a lot. Where proprietary software has the legal threats, the open source community is plagued by patch entitlement.

Knowledge of a security issue in a project is, in and of itself, a valuable contribution. Expecting a PR devalues this work.

replies(2): >>42136977 #>>42137118 #
noselasd ◴[14 Nov 24 15:16 UTC] No.42136977[source]
> If I disclose a security issue to you, it doesn't matter if you're a multinational trillion dollar corporation or a hobbyist in Nebraska, the onus is on you to fix it. Not the security researcher. Their job is done once it's disclosed.

On the other hand, if I'm a hobbyist, I have 0 obligations to do or fix anything I've made open source. Patches are welcome ofcourse.

replies(5): >>42136995 #>>42137081 #>>42137644 #>>42139052 #>>42161121 #
marcosdumay ◴[14 Nov 24 16:13 UTC] No.42137644[source]
As long as you disclose that right-front on your value statement, yeah, you don't have any other obligation.
replies(3): >>42137696 #>>42137821 #>>42167646 #
vetinari ◴[14 Nov 24 16:28 UTC] No.42137821[source]
It is right in the license.
replies(2): >>42138158 #>>42139660 #
KajMagnus ◴[14 Nov 24 16:56 UTC] No.42138158[source]
That's not what these licenses have come to mean. They're a way to reduce the risk that you'll get sued,

but not any "I don't give a fuck" statement.

You could add "I don't care about fixing security vulnerabilities" somewhere in the beginning of the readme, if you're developing security related OSS software? That'd be more clear.

Maybe the WTFPL actually a little bit indicates that the developers maybe don't give a fuck, though: https://en.wikipedia.org/wiki/WTFPL ?

replies(2): >>42138621 #>>42139020 #
1. hifromwork ◴[14 Nov 24 17:57 UTC] No.42139020{3}[source]
>You could add "I don't care about fixing security vulnerabilities" somewhere in the beginning of the readme

I care about fixing security vulnerabilities in my OS projects, but I care more about my sanity, my family, getting enough money to survive, and a few other things. Unless you pay me I don't care about your problems with my free (as in a beer) software.

And that's a good thing btw - I tried to ask for donations once, got the equivalent of a few cups of coffee per month, and... burned out almost immediately. I started to feel responsible for that project, staying up late to fix reported minor bugs, and it turns out watching Github issues 365 days a year for a few dollars monthly is not a great business strategy.

replies(1): >>42139110 #
2. ziddoap ◴[14 Nov 24 18:03 UTC] No.42139110[source]
This is not a one-person project ran by someone in their spare time, posted online for fun.

They are going out of their way to advertise so that people use their security-critical software in security-critical applications, and then they neglect the security.

While they aren't under any legal obligation, it's (in my worldview at least) pretty damn unethical.

All they would have to do to not be unethical is make it clear that this software should not be used in any security-critical application because it is not properly/frequently maintained. Put that in a header on the website.