• 0 Posts
  • 19 Comments
Joined 1 year ago
Cake day: July 1st, 2023


  • I’m not sure why you’re getting so aggressive over this, or so defensive about being told to separate your TV from your streaming tools so that if the streaming tools start to suck you can just replace a $20 stream stick instead of a several hundred to several thousand dollar TV you need to calm down and stop being a dick to people trying to politely help you and explain things to you.

  • Really dude? I never once devolved to name calling, I stated that s/he lied when s/he made false statements. What else am I supposed to say there?

    I also don’t understand how saying they don’t know the subject matter they’re taking a stance on is ‘know-knowing’ either? They’ve straight up said they don’t know what a CVE is, don’t know what experimental means, and while they claim to be in this field of work, they don’t know what a web worker is and confused a web transaction with a database transaction.

    Sure, I could have been nicer about it when they started escalating, but I never made it personal, and have no intentions of doing so either.

    EDIT: realized I was assuming their gender.


    1. I’m glad we agree a DoS is a vulnerability.
    2. CVE best practices state that CVEs are required to be assigned to experimental features. F5’s company policy is that CVE best practices are followed. F5 is the company that owns nginx. Therefore, it was required. Nice ‘legal requirement’ strawman. Also, ‘Common’ in this situation is not defined as ‘Widespread; prevalent,’ it’s defined as ‘Of or relating to the community as a whole; public.’
    3. That was a typo regarding ‘stable,’ my bad. I meant to say ‘It is just not available on stable, but is both via commercially and via the open source version.’ However, it’s still available on commercial versions and open source, and ‘non-stable’ versions are not inherently unstable, they’re just called ‘mainline’. Proof: https://nginx.org/en/download.html Stable is basically just ‘long term support/LTS’ versions of nginx.
    4. Again, you are intentionally misusing the definitions of the word common. Let’s see what MITRE has to say about it, hmm?

    Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities. CVE’s common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization’s security tools. If a report from one of your security tools incorporates CVE Identifiers, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.

    Source: https://cve.mitre.org/about/

    1. Yes, I would consider notifying the development mailing list as ‘quietly’ fixing it, as most all companies using it will not be on the development mailing list. It’s meant to be an area for developers to discuss things. They didn’t inform the public, they informed the devs.
    2. Where are you getting database from? You’ve randomly pivoted into talking about database transactions then started babbling about how you somehow think using a production mainline release with production options on a fully supported commercial binary is somehow inherently unsafe, as though it wouldn’t still be in dev or test.

    Since you seem to have no idea about how web servers work, or indeed, experimental features, I’ll let you in on a secret- The only difference between a non-experimental option in nginx and an experimental option is that they’re unsure if they want that feature in nginx, and are seeing how many people are actually using it/interested in it, or they think that usage patterns of the feature might indicate another, better method of implementation. “Experimental” does not mean “unfinished” or “untested.”

    If you know nothing about programming, CVEs, or even web engines, please stop embarrassing yourself by trying to trumpet ill-thought-out bad takes on subjects you don’t understand.
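Added example, not code from this thread or from the nginx project: a small Python check for the stable-versus-mainline question argued above. It reports which branch a local nginx binary comes from and which build-time modules it was compiled with, so you can tell whether a given feature is actually present in what you run. It relies on nginx’s published numbering convention (even minor number = stable, odd minor number = mainline) and on a constructed sample of `nginx -V` output; the watchlist of module names is the reader’s own input, and nothing here is hard-coded as “experimental”.

```python
import re

# Constructed sample of what `nginx -V` prints (nginx writes it to stderr).
# The version, compiler and configure arguments are made up for this example.
SAMPLE_NGINX_V = """nginx version: nginx/1.25.4
built by gcc 12.2.0 (Debian 12.2.0-14)
built with OpenSSL 3.0.11 19 Sep 2023
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --with-http_ssl_module --with-http_v2_module --with-http_v3_module --with-stream --with-compat
"""

_VERSION_RE = re.compile(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)")
_CONFIGURE_RE = re.compile(r"^configure arguments:(.*)$", re.MULTILINE)


def parse_version(nginx_v_output: str) -> tuple:
    """Return (major, minor, patch) from `nginx -v` / `nginx -V` output."""
    m = _VERSION_RE.search(nginx_v_output)
    if m is None:
        raise ValueError("no 'nginx version:' line found")
    return tuple(int(x) for x in m.groups())


def branch_of(version: tuple) -> str:
    """nginx numbering convention: even minor number = stable, odd = mainline."""
    return "stable" if version[1] % 2 == 0 else "mainline"


def configure_flags(nginx_v_output: str) -> list:
    """Return the build flags (--with-*, --without-*, --add-module=*) the binary was built with."""
    m = _CONFIGURE_RE.search(nginx_v_output)
    if m is None:
        return []
    return [arg for arg in m.group(1).split()
            if arg.startswith(("--with-", "--without-", "--add-module"))]


def audit(nginx_v_output: str, watchlist: set) -> dict:
    """Summarise the branch and flag any built-in module named in the caller's watchlist.

    The watchlist is the operator's own list of module names to track (for
    instance, features the release notes mark as experimental). This function
    does not decide which modules count as experimental.
    """
    version = parse_version(nginx_v_output)
    built_with = {f[len("--with-"):] for f in configure_flags(nginx_v_output)
                  if f.startswith("--with-")}
    return {
        "version": ".".join(str(n) for n in version),
        "branch": branch_of(version),
        "flagged_modules": sorted(built_with & watchlist),
    }


if __name__ == "__main__":
    # On a real host, replace SAMPLE_NGINX_V with:
    #   subprocess.run(["nginx", "-V"], capture_output=True, text=True).stderr
    print(audit(SAMPLE_NGINX_V, {"http_v3_module"}))
```

The sample above classifies as mainline (1.25.x) with `http_v3_module` flagged; the same code on a 1.24.x or 1.26.x binary reports stable. Since a module only matters if it was compiled in, checking the configure arguments is the reliable way to know whether a feature the release notes describe is part of your deployment at all.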


  • ysjet@lemmy.world to Open Source@lemmy.ml: Nginx gets forked by core developer
    (edited, 9 months ago; 6 up / 3 down)

    There is an astounding number of lies in your post, good lord.

    1. It is an issue. A DoS is a fairly serious vulnerability, and very much is a vulnerability.
    2. Experimental features are explicitly defined to require their vulnerabilities to be assigned CVEs.
    3. It is not just available on the stable version, but both commercially and via the open source version.
    4. CVEs are not just for serious issues, they are for vulnerabilities. All vulnerabilities. It is a number that allows you to reference a vulnerability, nothing more, nothing less.
    5. Mentioning a CVE on the mailing list is the absolute least they should be doing.
    6. ‘workers can just be restarted anyway’ shows a deep misunderstanding of what a worker does. Any pending or active transactions that worker had now hangs, meaning that the service is still being denied. Trying to recover automatically from a DoS does not mean the DoS is not happening- it just means that the DoS is slower to get rolling, or intermittently seems to work mid-DoS.

  • ysjet@lemmy.world to Open Source@lemmy.ml: Nginx gets forked by core developer
    (9 months ago; 5 up / 4 down)

    Experimental features are explicitly defined as requiring CVEs. You are supposed to run them in production, that’s why they’re available as experimental features and not on a development branch somewhere. You’re just supposed to run them carefully, and examine what they’re doing, so they can move out of experiment into mainline.

    And that requires knowledge about any vulnerabilities, hence why it’s required to assign CVEs to experimental features.

    And I’m not sure why you think a DoS isn’t a vulnerability, that’s literally one of the most classic CVEs there are. A DoS is much, much more severe than a DDoS.

  • I find it rather hilarious that you’re trying to warn me against discourse in the vein of “I assume you’re ignorant, so let me enlighten you” while literally doing it yourself. You can try to pretend you’re not in #3, but you literally just spent like 8 paragraphs trying to do so. Incorrectly, at that, but since you clearly think you’re so much smarter than all the ignorant “muppets” (as you put it) out there who you’re dismissing as band-wagoners without doing any of your beloved deductive reasoning on the proof they’ve been providing I doubt you’ll actually consider it for a moment.

    Even funnier is the fact that you’re trying to drag out all these debates about the exact definitions and semantics when in the end this only came up because of your own strawman in the first place- that being your own assumption that an appeal to authority was even happening in the first place, when I specifically noted that one should examine what the experts are saying instead of just dismissing them as band-wagoners.


  • Actually, you’re misunderstanding why the Appeal to Authority is a fallacy- Appeal to Authority is one of the few fallacies that has both fallacious and non-fallacious uses. You shouldn’t take AtA being known as a fallacy as a reason to distrust authorities, or do some kind of ‘well I have to do my own, uneducated research on this subject.’ You shouldn’t take it as an automatic fallacy simply because the authority might have biases either. AtA is not an argument for anti-authoritarianism or anti-education.

    The key here is that an appeal to authority is fallacious when it’s stated to support a position that is not related, or the authority is not an authority in the subject.

    For example, if someone said “I’m a game developer, and I think this was stolen,” that could be a fallacious appeal to authority- they might work on sound engines! However, if someone says they’re a 3D modeler/animator and they think the mesh looks stolen because the edgelines for the tris map the same ways within the quads, which is unlikely to happen by accident, that’s a legitimate appeal to authority that is not fallacious. If someone says they’re a lawyer and think it’s stolen, this could be a fallacious appeal to authority- they might not be an IP lawyer.

    The key is ensuring that the appeal to authority is relevant and is not predicated on the idea of being true simply because of who they are.

    And no, ‘There is a theoretical possibility the authority could have had a bias’ is not an acceptable reason to dismiss an expert opinion as a fallacy.

  • Hate to break up the bandwagon, but the modder didn’t say he faked anything at all. He tweeted that while he originally said that the models were “exactly” the same, he clarified that while they were not precisely 1:1 without any modifications at all, they were still the same model with minor adjustments.

    Some other dude then jumped on the tweet and made up a narrative that the modder had faked everything. Then this “journalist” decided to make an entire article about a tweet from some random dude putting words in the modders mouth.

    Given the rest of the editorializing in the article, I think we can pretty safely say this dude is coping hard.