NGINX Freed From Its Corporate Overlords
For a long time now NGINX has been owned and operated by a corporation called F5, and one of the core developers finally snapped and decided to fork the project into FreeNGINX.
==========Resources==========
Nginx Repo: https://hg.nginx.org/nginx
Announcing FreeNGINX: https://freenginx.org/pipermail/nginx/2024-February/000000.html
FreeNGINX Website: https://freenginx.org/
Nginx Website: https://nginx.org/
CVE 1: https://nvd.nist.gov/vuln/detail/CVE-2024-24989
CVE 2: https://nvd.nist.gov/vuln/detail/CVE-2024-24990
Ars Technica Website: https://arstechnica.com/information-technology/2024/02/nginx-key-developer-starts-a-freenginx-fork-after-dispute-with-parent-firm/
by Brodie Robertson
One of the big points in the "Why not assign it a CVE?" is because a lot of customers are "corporate". These have policies that make no sense, written by people who mean well but don't know what they are doing. These are the people who run automated scans against their RHEL servers, see that some version number was reported as too old and then freak out because they think they're going to get hacked.
By assigning this a CVE, they'll demand some form of security patch applied, and it'll be a lot of work for a lot of people, to "fix an issue" that isn't even an issue, because they don't use experimental code in a production system.
LibreNGINX would probably been better, or maybe NGINlibre.
I personally hate how nginx works now, because it assumes SO MANY defaults on you, enabling all kinds of crap, even when you just wanted to share folder with files. I just can't trust, at least, how a lot of repo builds are configured.
The subtext here is… why get bossed around for no pay?
Another dev stuck in Russia making the news…
He shouldn't name the project "freenginx", not because of the legal part, the name is just horrible
This seems a policy failure on F5's part. Experimental features should be explicitly stated to have security support or not. Seems there are people at the same org who aren't clear which it is. That's actually a bit troubling for how solid the security policy might be overall.
Call it fringe, r is letter 18, f is letter 6, 6 + 18 is 24 which is x, it contains the letters FREI which in German means free, and the remaining letters come from nginx.
I have a sneaking suspicion that this was the final straw in a long line of other straws!
Speaking of nginx. I just find out that proxy_ssl_verify defaults to no today. 💩
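The commenter's point is that nginx's `proxy_ssl_verify` directive defaults to `off`, so a plain `proxy_pass https://...` accepts whatever certificate the upstream presents. The following configuration is an added example (not from the video or the comment) showing that default made explicit next to the hardened form; the hostnames and the CA bundle path are placeholders.

```nginx
# Added example: upstream TLS verification in nginx.
# Hostnames and file paths below are placeholders, not values from the page.

server {
    listen      80;
    server_name gw.example;   # placeholder front-end name

    # 1) Default behaviour. proxy_ssl_verify is "off" unless set, so nginx
    #    completes the TLS handshake with any certificate, self-signed or
    #    otherwise, and an on-path attacker with a bogus cert is not detected.
    location /api-unverified/ {
        proxy_pass https://backend.internal.example;   # placeholder upstream
        # proxy_ssl_verify off;   # implicit default, shown for contrast
    }

    # 2) Hardened. Verify the upstream chain against a pinned CA bundle and
    #    check the certificate name; failures are logged in error_log as an
    #    upstream SSL certificate verify error and the client receives a 502.
    location /api/ {
        proxy_pass https://backend.internal.example;   # placeholder upstream
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/certs/internal-ca.pem;  # placeholder path
        proxy_ssl_server_name         on;                        # send SNI to the upstream
        proxy_ssl_name                backend.internal.example;  # name the cert must match
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
    }
}
```

Run `nginx -t` after editing to catch syntax errors, then confirm the verify path actually works by pointing `proxy_ssl_trusted_certificate` at a bundle that does not contain the upstream's issuer: the `/api/` location should start returning 502 with a verify error in the error log, while `/api-unverified/` keeps serving, which is exactly the gap the default leaves open.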
Non-technical management the bane of developers, designers and architects… the pointy-headed boss is all too real.
If the code is in the shipping release binary, whether it's enabled by default or not, that's production code in use. If you don't think the feature is ready yet, then don't merge it; use an opt-in nightly build channel for testing it instead.
Sorry, but doing CVEs for experimental features/code branches/whatever is literally Software Wokeness. If you as a client are able to consciously turn on an EXPERIMENTAL feature of a piece of software, you as a client are PERFECTLY AWARE this is a potential death pit, and could seriously jeopardize your entire setup, ESPECIALLY running it in a production environment. Instead, clients turning to experimental features/branches should run quietly and report back any bugs and/or problem-solving procedures to development. IF – otoh – you as a client are NOT aware of the potential risks of running experimental software in a production environment, you are deeply incompetent! AND for that reason alone, the organization making the experimental feature available should state a very clear warning and explicit policy on what to expect running said experimental software!
And, to me, this is what this is really about: Did you as the publishing organization make SURE your customers were aware of the risks before using experimental features? If not, the organization is deeply incompetent, and must rectify this situation.
NixOS video WHEN>????? WHEN!!!!
I don't buy the angle that assigning a CVE is bad because "if customers see a CVE, they seethe and go away".
Max is a volunteer. He doesn't deal with the clients. That's F5's job. So from the information given I side with F5.
Max did mention that F5 broke some agreements but I don't see what he means.
There was also an interview on Russian habr, but it doesn't provide further details.
As far as CVEs go: this one is rated 7.5, yet is awaiting analysis, and the only fault they could find so far is that a worker process would terminate unexpectedly (not the entire server, just a worker process). I don't see a reason this needed a CVE, let alone a rating this high (7.5), for an experimental module that people have to explicitly opt into and that already has an apt disclaimer in the config/documentation. Which makes sense, because when they filed, they had no idea how to mark their metrics, and left EVERYTHING undefined. Good grief. If there had been a breach of data, or even a proof of concept, I'd change my mind, sure. But this is pre-emptive and did not require such disclosures, and they DID NOT score this properly. This behavior explicitly goes against the CVSS/NIST standards. Whoever they have on the team that suggested this should be done like this should have to go through FIRST/NIST remedial coursework & CVSS standards. This is NOT how this is supposed to be done.
If F5 is so dedicated to providing highly secure software as per their statement then surely the CVE should be, instead of blurring this line of disclosure for corporate policy. Isn't this why you should have stable and dev versions of software… if new options are still in development then they can't be in stable yet until completed/tested.
managers btfo
NGINX has a few pretty simple features just missing from anything but the paid version, one I recently dealt with being brotli compression. It’s possible to compile in through third party modules, but distros and F5 themselves don’t distribute it like that unless you pay. If this project supported the paid NGINX features it would save me much time!
Ngin+
Idk man ( didn't understand a single thing). Still Rice is superior.
This CVE vs no CVE issue is, probably, just a reason good enough to present to the public. Or maybe a "last straw". The man was working for free on a project that the corporation was profiting from. The corporation probably didn't want/didn't have the resources to relocate their core developer to… let's put it politely… a less controversial country. Or the developer didn't want or couldn't move (there can be multiple reasons why). The result was the same – the developer, while living in one of the most expensive cities in the world, was working for free or almost for free for a project, where others were getting money and making decisions, and he probably became sick and tired of it.
Good luck to any western company trying to sue a Russian citizen in Russia.
I'm drunk, may the goddess bless y'all.
You can tell who is a developer and who is the management defending themselves. Getting to think and defend yourself is a luxury for the internet responses not when your boss is shitting on you in the office.
CVE for experimental code is…. mental.
I can only ever read IANAL as I ANAL and it makes it very hard to take serious posts seriously.
So this is one of those numerous cases where:
Corporation: We're using open source to extract work from people for free.
Developers: We're forking out. We won't deal with your $hï7 for free. Get us on the payroll or get it done yourself.
Corporation: * Surprised Pikachu face *
Entitled capitalists are doing way too much harm to FOSS, anyways. Let's shake the parasites off.
I didn't know F5 owned it.
Someone calling it FreeNginx from Nginx makes the project feel…cheap
Same energy as Gitea and..Forgejo
Also, I'm tired of doing migrations from my nginx reverse proxy servers just because of open source technicalities, there's 1 every other day
It's all speculation. We don't know. We know we don't know. And… we know that.
I see a lot of quic / http/3 commits from him, he better have gotten it working by now, been waiting several years for that.
Agreed with you to change the name now. He should name it "Engine-X" LMAO
so he wants to make a fork that doesn't report as many security vulnerabilities? lol…
Guy was just salty about something else and he forked it out of spite.
Day 3 of asking for a video showing how to fix battery life on linux.
more issues (less significant): YT videos and slow personal hotspot internet.
>one of the core developers finally snapped
"some of you guys are alright, don't ssh into the webserver tomorrow"
Off topic but will you make a video on KeyTrap (CVE-2023-50387)? It's quite interesting.
As soon as code is in a binary, feature-flagged disabled or in any other way not working, but is in the release version, it's CVE time, sorry
I think creating a CVE for a work-in-progress experimental feature is just polluting CVE lists and causing unnecessary panic; if a customer is using experimental features in production that's just a skill issue. I think someone at F5 just wanted to pad a security researcher's CV with a frivolous CVE honestly.
I hate it when we have things that have specific words with specific meanings and those get ignored.
Case in point, having EXPERIMENTAL code. What more do you need to be told to not use this in production, and if you do, do it at your own risk ? Experimental code is so you know what's coming, to be able to work with it and test it, not ship it to production.
To the folks saying that "well, they shipped it, so it's their responsibility", I disagree, at least in this particular case. Nginx is open source and you can compile nginx without http3 (omit `--with-http_v3_module`), so you can have it without experimental code at all. You can have it removed (not just disabled) at a binary level. So you can be VERY EASILY shielded from "oh, someone just flipped a flag, by mistake or intent". Also, F5's point was that they know people/projects/companies that USE it, not that they simply might have it in the binary.
I understand F5's position here, and I can't really blame them that much, but I do think it's just bad practice and it incentivises bad practice in general, and should be avoided. So I'd be happier if they didn't go the CVE route, but using other means of communication.