Hello Luca,
I did not expect a normal and honest apology from you right from the start, but I did at least expect *some* reflection. I see none in that long text.
You seem to have very minimal insight into how our internal vulnerability process works, but that does not prevent you from judging my guilt.
I will leave further discussion until after I return to the office. It seems a face-to-face discussion would bring less emotion. I want the opinion of people who know how it happened. Not people who think they know, but have no direct way to know it.
On Tue, 26 Dec 2023 at 02:30, Petr Menšík <pemensik@xxxxxxxxxx> wrote:

> Here's what's really going on: you have found yourself in a position where, as a RH employee, you could abuse the internal CVE process to promote your own projects, and that's exactly what you did: without consulting or notifying anybody who is involved in this project, you went directly to the security team to raise a CVE while we were all on holiday, and then promptly went on social media to use the CVE to bash the project and promote your own instead: https://imgur.com/3eqRQcW You even lied about others in RH being aware that a CVE was raised, which is obviously not true - those referenced comments were made months before the CVE was opened. You ignored all processes, went behind the back of all maintainers - upstream and downstream - in order to inflict maximum damage at the worst time possible, and then bragged on social media about it. This is a blatant abuse of Red Hat's CNA position, and puts the whole company in a bad light, and casts doubt over its trustworthiness as the CNA for the project, all because of your reckless and needless actions. Not content, you even intentionally avoided mentioning in the CVE that this feature is off by default everywhere, and thus very few users are actually affected - when CVEs are raised, hardly anybody goes to look for related bug trackers or issues, and the CVE advisory is all that is used to establish impact and decide whether action is needed, and there was no mention anywhere that this requires a local administrator to manually enable it for a machine to be affected. A _lot_ of work for a _lot_ of people kicks off every time a CVE is raised, due to automation, and the correctness of the advisory is fundamental to avoid triggering unneeded work.
> You made sure it was worded to give the idea that every installation was affected, so that it could cause the maximum amount of panic and damage possible, again so that you could then brag on social media about it, showing a reckless disregard for the wellbeing of your colleagues at Red Hat, Red Hat's customers and all other downstream users and developers during their holidays. ...
I will ask my manager to read that issue and tell me if I did anything wrong or harmed anyone. I will ask Lukáš for his opinion as well. I do not care about your opinion of me, as I doubt you know me, or what or how I do anything.
> Given such a record, the Github org owners (plural) collectively decided that, as the very first and immediate consequence, your membership of the Github project is not compatible with your behaviour, and removed you.
Thank you for this part; I did not have to leave it myself. I have had enough and I think I have been very patient. I would like to know which people voted for my membership termination and which against.
Best Regards, Petr
-- Petr Menšík Software Engineer, RHEL Red Hat, https://www.redhat.com/ PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB