Thanks to this topic I completely lost trust in NethServer…
Wait with disclosing vuln info till it's fixed?? Seriously? The whole NethServer thing is some kind of sad joke… Was it a community idea or was it ordered by a CEO who only cares about money and buying himself a new SUV/house/whatever, not giving a shit what happens with NethServer?
This kind of attitude is stupid when it comes to OSS… The community has every right to know what's going on (especially with server-management software like NethServer, where the security of servers is at stake).
CEO fears info leakage? Fire him/her on the spot!!! It's shit - not a CEO.
It's not just OSS that follows responsible vulnerability disclosure procedures; companies which produce closed-source products do the same.
It's not fear of info leakage or a CEO who cares about money; it's about giving the team responsible for the software a chance to develop a patch and to start the deployment process of the patch, in order to reduce the risk of unfriendly blackhats using and abusing the vulnerability. That is the focus of proper vulnerability disclosure procedures.
Now if a company or dev team ignores the report of the vulnerability or takes too long to develop a fix for it, I have no issue with the details being published so that others can develop mitigating solutions to protect their environments from the vulnerability.
Nope - full disclosure to the team responsible for the software with the vulnerability, and full disclosure to the public at the appropriate time to allow the team responsible to respond appropriately.
That is the industry-accepted standard, and anyone involved with security will tell you that this is the correct way to handle the situation.
That's what I call irresponsible, as that would INSTANTLY put NethServer users at risk from script kiddies.
The responsible thing to do is give the devs a reasonable amount of time to fix the issue before you publish it in the wild. The only exception is when it is already in the wild.
Anybody telling you anything else hasn't got a clue what they are talking about.
That's indeed accepted by the industry, but not because the community wants it, but because CEOs fear that if a vulnerability is disclosed, they are going to lose profit from customers (the morality of CEOs is a different story). That's what they fear most, and that's why they opted for such a policy to become the standard.
That's the truth. Sorry - it's CEOs who make the whole OSS industry look like it looks right now…
The fact is that the OSS industry was spoiled by so-called CEOs who care for their income only. They don't give a shit what happens with the product they lead. Often they don't even know what OSS is.
Above all, there is no CEO here, just people who are trying to create the simplest server you've ever
and the topic above was evidence of great teamwork
That said, you can criticize the community and the project all you want, but transparency is our FIRST pillar. I don't have to explain why we adopted the process; a lot of people have already talked about that extensively
Please help us to improve the discussion.
@alefattorini you will not tell me that the CEO of Nethesis does not have influence on NethServer… I will not believe it if you say that you (=project) guys are independent.
Make money off appliances for lazy admins that refuse to read the manual and need pampers, or that just want to have a no-maintenance service that is reliable and gets things done.
Dude, what is your issue… Nethesis is a team of developers creating NethServer's core and selling it as appliances under the name Nethesis. You get fully working, maintenance-free appliances.
If you want to build them yourself, grab NethServer and save a few bucks on the sale, but you need to invest that as time to get things running smoothly.
It is a trade-off, and a very honest one at that. You do not need Nethesis, but for those who cannot spare a sysadmin to be a dedicated server admin, this is brilliant.
No, I’m sure he works for free and they give away hardware.
The current process, and the reasons for it, are discussed pretty extensively here. There are, of course, pros and cons to everything; those are addressed pretty well here as well. So what do you propose, and why do you think it’s better than the current process? And why should Neth do something different than literally everyone else, both Free Software and closed-source?
The fact that everyone does something doesn't mean it's the correct thing to do…
What I (and the rest of the clear-thinking devs of OSS) fail to see is the sense (purpose) of creating a company behind open source. It's obvious that once you create a company, you are out of OSS, as you develop not what the community wants, but what the CEO (being an ass or not) wants, because if you don't, you will be fired for disobeying orders… Many of the so-called CEOs of OSS will claim they listen to what the community thinks… bullshit. They couldn't care less. In fact, what they do care about is money…
If you have a large user base, they come to depend on you. If you cannot service them, they will leave. Continuity is the reason if it's done right; profit when done wrong. There is a risk of projects going south after they form a business. There are also examples where this went right.
Nethesis (NethServer sponsor) still has a lot of control on NethServer, (…)
I knew it…
If that's the case, then it (NethServer) cannot be called OSS. The last word belongs to Nethesis' CEO, as they are the sponsor and they think they can demand it in return for their sponsorship. You know what I say to this kind of CEO? "You are fired on the spot. Bye"