←back to thread

189 points udev4096 | 1 comments | | HN request time: 0s | source
Show context
mickael-kerjean ◴[] No.42136723[source]
What if instead of publicly blaming an OSS product, you try to get a support contract with some of the engineers behind it? If your company is too cheap for that, maybe a PR would have been nice?

Having very high expectations when using the software without contributing anything else than public shaming on something that clearly state in the license: "Licensor provides the Work ... WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND" shouldn't be ok, this is quite literally how you make open source developer to burn out

replies(7): >>42136837 #>>42136872 #>>42136966 #>>42137033 #>>42137338 #>>42137517 #>>42137650 #
some_furry ◴[] No.42136837[source]
> What if instead of publicly blaming an OSS product, you try to get a support contract with some of the engineers behind it? If your company is too cheap for that, maybe a PR would have been nice?

Yeah, no. That's not how security research works.

If I disclose a security issue to you, it doesn't matter if you're a multinational trillion dollar corporation or a hobbyist in Nebraska, the onus is on you to fix it. Not the security researcher. Their job is done once it's disclosed.

From the timeline:

> 28/03/2024 – First communication sent with all details and a proposed fix.

After that point, any additional help (including a pull request) is going above and beyond.

I run into this attitude you're exhibiting a lot. Where proprietary software has the legal threats, the open source community is plagued by patch entitlement.

Knowledge of a security issue in a project is, in and of itself, a valuable contribution. Expecting a PR devalues this work.

replies(2): >>42136977 #>>42137118 #
noselasd ◴[] No.42136977[source]
> If I disclose a security issue to you, it doesn't matter if you're a multinational trillion dollar corporation or a hobbyist in Nebraska, the onus is on you to fix it. Not the security researcher. Their job is done once it's disclosed.

On the other hand, if I'm a hobbyist, I have 0 obligations to do or fix anything I've made open source. Patches are welcome ofcourse.

replies(5): >>42136995 #>>42137081 #>>42137644 #>>42139052 #>>42161121 #
ziddoap ◴[] No.42137081[source]
>I have 0 obligations to do or fix anything I've made open source.

While technically true, this seems pretty scummy when you're advertising security software for real people and companies to use as their identity management.

Nowhere on the Keycloak home page does it say "just a hobby project" or anything that would remotely indicate that it is not a serious project and that you shouldn't use the software.

Instead, it seems like they are trying very hard to be taken seriously as an identity management product.

replies(1): >>42137119 #
flanked-evergl ◴[] No.42137119[source]
> Nowhere on the Keycloak home page does it say "just a hobby project" or anything that would remotely indicate that it is not a serious project and that you shouldn't use the software.

https://github.com/keycloak/keycloak/blob/main/LICENSE.txt#L...

Indeed

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
replies(1): >>42137127 #
ziddoap ◴[] No.42137127[source]
Point 7 buried in the license document of the github repository is very much not https://www.keycloak.org/
replies(4): >>42137368 #>>42137403 #>>42137626 #>>42137846 #
lucianbr ◴[] No.42137403{3}[source]
You really feel that anything that is not directly on the home page does not matter? A link to a separate document explicitly named as containing the conditions of license, warranty and such should not count?

Seems like an absurd view to me.

For all that I think RedHat is not a poor hobbyist and morally at fault. It's just a different matter altogether. The terms under which the software is provided are clearly spelled and in public view. You're just inventing a reason to disregard them.

replies(1): >>42137434 #
ziddoap ◴[] No.42137434{4}[source]
>You really feel that anything that is not directly on the home page does not matter?

No, that's not what I said.

When it comes to software like this (one of the most important components of your security architecture), hiding the fact that you wont fix vulnerabilities unless you feel like it halfway down in your legalese-filled license is unethical.

I think it's absurd that people are defending this position. We're not talking about a weather app made by Joe Somebody for a weekend project.

replies(2): >>42141105 #>>42147981 #
lucianbr ◴[] No.42141105{5}[source]
> Point 7 buried in the license document of the github repository is very much not https://www.keycloak.org/

Not a single word in this comment refers to "software like this (one of the most important components of your security architecture)". I guess you realized the absurdity of your position and moved the goalposts to something else.

replies(1): >>42141309 #
1. ziddoap ◴[] No.42141309{6}[source]
What?

Can you explain where you think I set goalposts, and how you think I moved them? Because I am not following.