189 points | submitted by udev4096
mickael-kerjean No.42136723
What if instead of publicly blaming an OSS product, you try to get a support contract with some of the engineers behind it? If your company is too cheap for that, maybe a PR would have been nice?

Having very high expectations when using the software without contributing anything other than public shaming, on something that clearly states in the license "Licensor provides the Work ... WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND", shouldn't be OK; this is quite literally how you make open source developers burn out.

some_furry No.42136837
> What if instead of publicly blaming an OSS product, you try to get a support contract with some of the engineers behind it? If your company is too cheap for that, maybe a PR would have been nice?

Yeah, no. That's not how security research works.

If I disclose a security issue to you, it doesn't matter if you're a multinational trillion-dollar corporation or a hobbyist in Nebraska: the onus is on you to fix it. Not the security researcher. Their job is done once it's disclosed.

From the timeline:

> 28/03/2024 – First communication sent with all details and a proposed fix.

After that point, any additional help (including a pull request) is going above and beyond.

I run into this attitude you're exhibiting a lot. Where proprietary software has the legal threats, the open source community is plagued by patch entitlement.

Knowledge of a security issue in a project is, in and of itself, a valuable contribution. Expecting a PR devalues this work.

rcxdude No.42137118
There's no obligation for a hobbyist to fix the stuff they publish online. If they're selling the result, then sure, you can argue there's reasonable consideration, but just because a security researcher has made a contribution (and a valuable one) it doesn't compel any further contribution from the original author. Now, the lack of action does probably remove some of the credibility of the project as one that should be used in any security context (bit of a problem for something intended to be used as authentication).
prmoustache No.42138856
> There's no obligation for a hobbyist to fix the stuff they publish online.

I may be wrong, but this might not be the case anymore in 2025 (not sure about the timeline) in the European Union because of the new cybersecurity acts.

rcxdude No.42141707
There are carve-outs in that for open source hobbyists ("not associated with commercial activity"). This was originally vaguely worded, but they've now made it a lot less ambiguous: the only open source it covers is that which is being developed by a company which is also making money directly from it.

(And in the case that a company takes that code and uses it in a product, they are responsible for fixing any security vulnerabilities and also for reporting them to the author.)