On Tue, 26 Dec 2023 at 02:30, Petr Menšík <pemensik@xxxxxxxxxx> wrote:
>
> Hello systemd users and developers,
>
> I have experienced something in issue #25676 [1], which has been closed and I am not allowed to comment there anymore. But the experience I had there was so terrible, I feel a need to comment a little bit.

Here's what's really going on: you have found yourself in a position where, as a RH employee, you could abuse the internal CVE process to promote your own projects, and that's exactly what you did: without consulting or notifying anybody who is involved in this project, you went directly to the security team to raise a CVE while we all were on holiday, and then promptly went on social media to use the CVE to bash the project and promote your own instead: https://imgur.com/3eqRQcW

You even lied about others in RH being aware that a CVE was raised, which is obviously not true - those referenced comments were made months before the CVE was opened. You ignored all processes, went behind the back of all maintainers - upstream and downstream - in order to inflict maximum damage at the worst time possible, and then bragged on social media about it. This is a blatant abuse of Redhat's CNA position, puts the whole company in a bad light, and casts doubts over its trustworthiness as the CNA for the project, all because of your reckless and needless actions.

Not content, you even intentionally avoided mentioning in the CVE that this feature is off by default everywhere, and thus very few users are actually affected. When CVEs are raised, hardly anybody goes to look for related bug trackers or issues; the CVE advisory is all that is used to establish impact and decide whether action is needed, and there was no mention anywhere that this requires a local administrator to manually enable it for a machine to be affected.
A _lot_ of work for a _lot_ of people kicks off every time a CVE is raised, due to automation, and the correctness of the advisory is fundamental to avoid triggering unneeded work. You made sure it was worded to give the idea that every installation was affected, so that it could cause the maximum amount of panic and damage possible, again so that you could then brag on social media about it, showing a reckless disregard for the wellbeing of your colleagues at Redhat, Redhat's customers and all other downstream users and developers during their holidays.

It's of course fine to request the security team to raise CVEs when needed. There are always bugs somewhere, and there will always be. The crucial detail is to involve the relevant teams and not sideline them. Just because someone else opened a bug that you have some strong opinion about, and you feel should have higher priority, doesn't give you the right to bypass every other team that is involved in the maintenance of the projects. Guess what: everybody's got opinions on bugs, yours are not more important or relevant than any other person's.

If you feel a bug deserves more attention, the first thing you can do is provide the work to fix it yourself - this is an open source project, and hardly anybody has a right to demand others put their free time toward what they feel is important - this is especially true for somebody like yourself, who has never contributed anything to the project, and is not a maintainer. The second thing you can do is contact your colleagues inside the company who are in charge of maintaining the project and talk to them, and _explicitly_ ask them to raise a CVE. Maybe they will agree with you, maybe they will not - they are the maintainers, so they are in the best position to make such calls, not you. This is not the first CVE raised for this project, and won't be the last; we have processes around this for very good reasons, and they exist whether or not you agree with them.
How do we know all of this was done intentionally, and it's not an honest mistake? Because at first of course I assumed good faith, as always, and asked you to take responsibility for your actions and get the advisory fixed - it was a trivial change after all, what could be the issue with doing that, just a one-line change in the description. And yet, asked 5 times, 5 times you refused and doubled down. Even in your mail here you are still refusing to recognize that it's important to write accurate advisories that correctly assess impact, to avoid damaging our users and Redhat's customers. You also refused to acknowledge that ignoring processes and sidelining your colleagues at RH was the wrong thing to do, and even here you are doubling down yet again on that too. And you went straight to social media to brag about this and promote your projects instead, as shown in the screenshot linked above.

The worst part is that it was all eminently avoidable - all you needed to do, after the initial damage was done, was to get the advisory updated as requested to ensure no further damage came from your actions, and that would have been the end of it. I didn't even ask for an apology for disregarding our processes and causing all those troubles for everybody for no good reason, as that's not really what's important. The only thing I cared about was minimizing the damage you had inflicted on Redhat's customers and all other users. But you refused to even do that, and doubled down every time, and your colleague Michal had to do that work instead, while on holiday. These are not the actions of somebody who is acting in good faith - this reckless behavior shows a blatant disregard for your colleagues at Redhat, Redhat's customers and all involved open source users and developers.
Your only contributions to the project to date have been negativity, flame wars (as this very email thread further proves), disparaging comments, demands that volunteers spend their time to do work for you for free and other assorted unpleasantness, while promoting your own alternative projects. You have shown, time and time again, that all you cared about all along was causing damage to the project, to your colleagues and customers and to your company, and bragging on social media about it. This email from you proves it even further - you are doubling down yet again, refusing to acknowledge any wrongdoing or show any remorse for the damage you have done and the huge amount of unnecessary overtime work that you caused for maintainers, Redhat's customers and all other users.

Given such a record, the Github org owners (plural) collectively decided that, as the very first and immediate consequence, your membership of the Github project is not compatible with your behaviour, and removed you.