This is a weird post to be honest. You've found a whole bunch of serious security issues, filed two PRs, one of which adds some quotes because
> Those aren't exploitable XSS, but it doesn't hurt to have a second layer of defense.
The other suggests breaking clients that aren't using the more secure version of an OAuth method because
> I can't think of any OAuth client that would like to [use it]
That second one is a good idea, but the maintainer is also right to ask for some discussion before introducing a breaking change.
But crucially: neither of these is the kind of significant security issue you've found. Maybe lead with an actual bug?
> That second one is a good idea, but the maintainer is also right to ask for some discussion before introducing a breaking change.
The discussion seems to be already happening at https://codeberg.org/forgejo/forgejo/issues/8634; the author of the blog just did a drive-by PR rather than looking at the issue tracker.
It's very much an "I know better, do what I told you despite not thinking for a second about any second-order effects the change might cause" attitude that is so common with security people.
Closing the PR without providing feedback beyond "needs further discussion" does not engender said further discussion.
And attempting to publicly shame them into accepting a PR. Kinda reminds me of https://en.wikipedia.org/wiki/XZ_Utils_backdoor