
Comments
https://dustri.org/b/carrot-disclosure-forgejo.html
https://lwn.net/Articles/1071499/
Basically, their security process is so helpless that reporting bugs isn't even practical, and a security researcher had to (in a very controversial move) withhold the actual PoC to force Forgejo to do a comprehensive security audit rather than just fixing the individual bug. From some random news site:
take some reset from privacy and watch anime
Good idea. Some Black Lagoon should do me good.
Did he even try to let them know of it before the "carrot" approach? Looks like the reporter is too entitled and doesn't really care about improving anything.
Yes, but they demanded that he patch it himself when his point wasn't "there's one bug" but "the entire security process with your project is broken", and they refused to discuss it otherwise.
I don't see why Forgejo is to be blamed for asking the reporter for a fix. It's not like they have solid funding; isn't it a 100% community (i.e. best) effort?
Security researchers are weird sometimes and expect everyone to take their hobby as seriously as they do themselves. I mean, sure, in an ideal world security would be important to everyone, but we don't live in an ideal world, so if project X doesn't care enough, just release the exploit. If it's actually bad enough to hurt their public image, they'll learn sooner or later. The whole back-and-forth thing is just autistic...
Imagine if you spent a few hours and found a dozen bugs, then were told to jump through hoops just to report a single one. Most security researchers would just give up. His actions were controversial but they did bring the serious security issues to people's attention, which wouldn't have happened if he just fixed one or a few bugs and then moved on.
It's a supply chain issue. Fedora itself uses Forgejo, so a vulnerability in Forgejo can potentially result in exploiting an entire distro's supply chain. Many privacy and security-centric projects use Fedora as a base, from Qubes to SecureBlue.
Maybe the Forgejo devs don't prioritize security, but the Fedora devs surely do, and they were (until recently) unaware of what a clusterfuck the Forgejo codebase was.
You seem to ignore the other issue projects face: spam with slop reports. I am not sure what the best approach to deal with these is, and it could be a time-consuming process for the other end to check them. Therefore I do understand why these "hoops" might exist.
But I think what @totally_not_banned said is the best approach for both sides:
They probably also would have noticed while removing 5 backdoors from their codebase
Isn't that why he showed them a PoC?
People have tried that. I don't advocate for carrot disclosure, but even dumping a fuckton of 0days won't help in many cases. A lot of people don't seem to consciously realize that the bugs have always existed. They don't only start to become a problem when someone discovers them.
There's this Schneier classic from 1998:
If we were talking about a commercial project, I would be on your side. However, what is different in this case is that Forgejo is a community-effort FOSS project. If you want to make it better, you collaborate. If you don't, just don't bother with vulnerability disclosure then.
However, I am surprised that Fedora hasn't done or paid for an extensive audit before deploying it themselves.
And here's also Forgejo's side of it:
https://codeberg.org/forgejo/website/issues/839#issuecomment-14208296
There was too much for him to patch alone. All he could do was indicate to them that a comprehensive audit was required. And he succeeded: people are now looking into the security architecture of Forgejo.
The alternative would be to dump a few 0days, have them fix it and say "it's all good now" and nothing really changes.