*** MrTango has joined #zope | 00:12 | |
*** MrTango has quit IRC | 00:19 | |
MatthewWilkes | kseifried: Sorry about the hold-up there. Feel free to send it on to oss-security@, I just sent an email with code links, but the short version is that Zope2 <2.10.10, <2.11.5 and <2.12.2 are the vulnerable ones. | 00:28 |
MatthewWilkes | and it's a 2 line fix if you need to hotfix an older version internally | 00:28 |
*** Pumukel has joined #zope | 00:32 | |
*** Jan_Garaj3 has quit IRC | 00:43 | |
*** fdrake has quit IRC | 01:39 | |
*** fdrake has joined #zope | 01:54 | |
*** J1m has quit IRC | 01:56 | |
kseifried | MatthewWilkes thanks | 02:05 |
kseifried | MatthewWilkes we backport all the things. it's awesome =) | 02:05 |
*** m8 has quit IRC | 02:08 | |
MatthewWilkes | kseifried: Well, happy to help, but we wouldn't be an upstream vendor if we didn't say that updating to the latest minor version would be preferable from our perspective | 02:11 |
kseifried | MatthewWilkes that would be awesome except one of red hat's main things is we sell you something and then manage API/ABI compatibility (which means backporting security fixes/etc) | 02:12 |
kseifried | MatthewWilkes it's good and bad, makes for stability (and less work in many areas) at the cost of more work in other areas like backporting | 02:12 |
MatthewWilkes | kseifried: Understandable | 02:12 |
kseifried | but long term... | 02:12 |
kseifried | yes. we need to figure something better out as an industry | 02:12 |
MatthewWilkes | kseifried: Unfortunately we don't have enough eyes on the Zope codebase (especially going back 5 years) to know for sure we haven't inadvertently fixed security issues | 02:13 |
kseifried | because basically everyone wants the latest greatest software, but with the promise of no backwards compatibility issues... | 02:13 |
kseifried | MatthewWilkes oh you have 'em for 100% sure =) | 02:13 |
kseifried | MatthewWilkes but here's the dirty secret. | 02:13 |
kseifried | if you rely on your code to be bug free to be secure. you're not. | 02:13 |
kseifried | so whether it's one bug or one million, chances are the code you use has nasty flaws | 02:14 |
*** KageSenshi has quit IRC | 02:14 | |
kseifried | so we keep things from being completely insanely terrible, but if you want real security you need to do a lot more | 02:14 |
MatthewWilkes | kseifried: Sure, but what I'm saying is that we are almost certainly fixing security issues you'd like to backport without it going through messages to oss-security etc | 02:14 |
kseifried | yup. I agree | 02:14 |
kseifried | so basically because I saw this, I have to deal with it =) | 02:15 |
kseifried | it's like being a cop | 02:15 |
MatthewWilkes | Plone's a lot better about it, as we have more people there so you do get oss-security reports, but even then I'd be surprised if we managed to notify you of everything | 02:15 |
kseifried | MatthewWilkes no worries, we track our upstreams | 02:15 |
kseifried | obviously it helps if they label things as security/get CVEs | 02:16 |
kseifried | MatthewWilkes to be honest stuff like xss barely concerns me | 02:17 |
kseifried | RCE with no auth is about the only thing that'll get me even mildly interested now. I think I have compassion fatigue =) | 02:18 |
*** Pumukel has quit IRC | 02:19 | |
MatthewWilkes | kseifried: We haven't had one of those in a couple of years. I know that feeling though, I hear "meh, it's probably a 5" (CVSSv2) from colleagues a lot | 02:19 |
kseifried | yeah, it's a funny world now | 02:19 |
*** Pumukel has joined #zope | 02:19 | |
MatthewWilkes | I quite enjoy timing issues for web | 02:20 |
MatthewWilkes | Because it feels like it should be completely impossible to exploit reliably | 02:21 |
MatthewWilkes | but when you try it some works surprisingly well | 02:21 |
kseifried | I love when people say "oh too much jitter", but then you use a site hosted in AWS and you have like 1ms connection with 0 jitter =) | 02:22 |
kseifried | who knew the last 20 years of network security wouldn't be thrown out and now all the things we used to prevent are what we sell now (oh you want root access on a box? sure that's $5 a month) | 02:23 |
kseifried | would be rather | 02:23 |
MatthewWilkes | heh, yeah | 02:24 |
MatthewWilkes | Went in to do some work for a client the other week, they couldn't access any of their production servers. Their last sysadmin had left the company and taken his ssh private key with him. Every server was set up to have root access only | 02:25 |
MatthewWilkes | shudder. | 02:25 |
MatthewWilkes | note, also, the use of the singular for 'ssh key'. | 02:26 |
kseifried | nice | 02:27 |
kseifried | in fairness I know people like that | 02:27 |
kseifried | but they have a 15+ year relationship with the sysadmin | 02:27 |
kseifried | MatthewWilkes long term I suspect everyone has to embrace devops/service and essentially be able to handle rolling releases, which is great because it'll only work if you have all the source code =) | 02:35 |
MatthewWilkes | kseifried: Sorry, I don't follow? | 02:36 |
kseifried | MatthewWilkes with respect to software integration | 02:36 |
kseifried | backporting works but holy heck it's non-trivial, and yeah, stuff gets missed | 02:37 |
MatthewWilkes | Oh, right | 02:37 |
kseifried | so ideally we'd have rolling releases, keep everything up to date, and have a huge integration testing system to make sure nothing breaks horribly | 02:37 |
kseifried | it's a lot like tcp-ip and the web... | 02:37 |
MatthewWilkes | There'll always be a need for backwards incompatible changes though | 02:37 |
kseifried | the companies that embraced those techs, it wasn't easy, but they clobbered the firms that did not embrace them | 02:37 |
MatthewWilkes | So you'll still end up with people on dead-ends once a change becomes enough work they don't do it | 02:38 |
kseifried | MatthewWilkes exactly, that's where having all the source code and a huge test suite comes in, you catch those and fix the other bits | 02:38 |
kseifried | MatthewWilkes the people that embrace this will end up with a huge competitive advantage | 02:38 |
kseifried | like netflix... | 02:38 |
kseifried | even if the studios were willing to release their stuff, they can't build IT like netflix can | 02:39 |
kseifried | like my cable providers video on demand service, you know what the main advertising thing is? | 02:39 |
kseifried | "we curate the content, people who love to watch tv decide what we show" | 02:39 |
kseifried | they have no recommendation system/etc | 02:39 |
kseifried | just a blob of random content you can sort of split up by category | 02:40 |
MatthewWilkes | I guess I'm a bit disillusioned. There are so many web dev agencies out there whose business model is "quote an impractically low price, get the contract, then charge change fees and half-arse everything once the client's locked in" | 02:40 |
kseifried | uhm | 02:40 |
kseifried | that's normal for business | 02:40 |
kseifried | exploit the sunk cost fallacy =) | 02:40 |
kseifried | and dumb people will keep falling for it | 02:40 |
MatthewWilkes | You only get the competitive advantage for having good infrastructure if your business model relies on you being able to do things better than your competitors | 02:41 |
kseifried | MatthewWilkes look at it this way: Nigerian 419 scams still work | 02:41 |
kseifried | like... how is that even possible now? | 02:41 |
kseifried | MatthewWilkes or you create a new category and dominate it, like netflix did | 02:41 |
MatthewWilkes | Yeah, and godaddy exists, and people sell SSL certs, etc | 02:41 |
kseifried | MatthewWilkes and Qray bracelets | 02:41 |
MatthewWilkes | I guess the point is that having a solid base for your software only helps the companies that take such things seriously | 02:42 |
MatthewWilkes | a bunch of people are going to want cheap and nasty | 02:42 |
kseifried | yup | 02:43 |
kseifried | and firms like netflix or amazon will clobber them | 02:43 |
kseifried | like locally we have the whole uber/taxi firm thing going on | 02:43 |
kseifried | and general consensus seems to be "taxis suck, uber is sort of evil, but at least they aren't rude to customers" | 02:44 |
*** menesis has quit IRC | 02:50 | |
*** menesis1 has joined #zope | 02:50 | |
*** KageSenshi has joined #zope | 03:06 | |
*** menesis1 has quit IRC | 03:41 | |
*** yvl has quit IRC | 03:52 | |
*** do3cc has quit IRC | 04:09 | |
*** do3cc has joined #zope | 04:50 | |
*** KageSenshi has quit IRC | 05:30 | |
*** Jan_Garaj3 has joined #zope | 07:52 | |
*** MrTango has joined #zope | 07:53 | |
*** Jan_Garaj3 has quit IRC | 08:00 | |
*** Jan_Garaj3 has joined #zope | 08:16 | |
*** MrTango has quit IRC | 08:23 | |
*** alecm has quit IRC | 08:24 | |
*** alecm has joined #zope | 08:24 | |
*** alecm has joined #zope | 08:24 | |
*** __mac__ has joined #zope | 08:32 | |
*** bosim has joined #zope | 08:48 | |
*** alecm has quit IRC | 08:50 | |
*** kseifried has quit IRC | 08:50 | |
*** alecm has joined #zope | 08:51 | |
*** alecm has joined #zope | 08:51 | |
*** __mac__ has left #zope | 09:06 | |
*** KageSenshi has joined #zope | 09:16 | |
*** Jan_Garaj3 has quit IRC | 09:18 | |
*** MrTango has joined #zope | 09:18 | |
*** bosim has quit IRC | 09:23 | |
*** bosim has joined #zope | 09:24 | |
*** bosim has quit IRC | 09:28 | |
*** bosim_ has joined #zope | 09:28 | |
*** bosim_ has quit IRC | 09:30 | |
*** bosim has joined #zope | 09:31 | |
*** alecm has quit IRC | 09:33 | |
*** giacomos has joined #zope | 09:33 | |
*** alecm has joined #zope | 09:35 | |
*** alecm has quit IRC | 09:38 | |
*** alecm has joined #zope | 09:39 | |
*** tisto has joined #zope | 09:42 | |
*** alecm has quit IRC | 09:48 | |
*** alecm has joined #zope | 09:49 | |
*** PeterZ1 has joined #zope | 10:01 | |
*** PeterZ1 has left #zope | 10:02 | |
*** bosim has quit IRC | 10:47 | |
*** bosim has joined #zope | 11:10 | |
*** bosim has joined #zope | 11:11 | |
*** maurits has joined #zope | 11:17 | |
*** projekt01 has joined #zope | 11:27 | |
*** MrTango has quit IRC | 11:30 | |
*** MrTango has joined #zope | 11:34 | |
*** m8 has joined #zope | 11:45 | |
*** KageSenshi has quit IRC | 11:49 | |
*** menesis has joined #zope | 11:56 | |
*** bosim has quit IRC | 12:14 | |
*** bosim has joined #zope | 12:23 | |
*** tisto is now known as tisto|afk | 12:44 | |
*** bosim has quit IRC | 13:45 | |
*** bosim has joined #zope | 14:00 | |
*** menesis has quit IRC | 14:03 | |
*** stereo_ has joined #zope | 14:12 | |
*** J1m has joined #zope | 14:37 | |
*** menesis has joined #zope | 15:12 | |
*** m8 has quit IRC | 15:22 | |
*** tisto|afk is now known as tisto | 15:35 | |
*** bosim has quit IRC | 15:52 | |
*** bosim has joined #zope | 16:00 | |
*** yvl has joined #zope | 16:15 | |
*** RiverRat has quit IRC | 16:29 | |
*** RiverRat has joined #zope | 16:30 | |
*** bosim has quit IRC | 16:50 | |
*** bosim has joined #zope | 16:51 | |
*** bosim has quit IRC | 16:56 | |
*** giacomos has quit IRC | 16:58 | |
*** tiwula has joined #zope | 17:05 | |
*** Jan_Garaj3 has joined #zope | 17:08 | |
*** Jan_Garaj3 has quit IRC | 17:27 | |
*** Jan_Garaj3 has joined #zope | 17:30 | |
*** KageSenshi has joined #zope | 17:33 | |
*** KageSenshi has joined #zope | 17:33 | |
*** stereo_ has quit IRC | 17:34 | |
*** J1m has quit IRC | 17:51 | |
*** J1m has joined #zope | 17:55 | |
*** fRiSi has joined #zope | 18:35 | |
*** tisto has quit IRC | 18:44 | |
*** fRiSi has quit IRC | 18:48 | |
*** maurits has quit IRC | 18:54 | |
*** projekt01 has quit IRC | 19:22 | |
*** avoinea has quit IRC | 19:31 | |
*** avoinea has joined #zope | 19:31 | |
*** Jan_Garaj3 has joined #zope | 20:25 | |
*** Jan_Garaj3 has quit IRC | 20:32 | |
*** Jan_Garaj3 has joined #zope | 20:53 | |
*** Jan_Garaj3_ has joined #zope | 21:30 | |
*** Jan_Garaj3 has quit IRC | 21:30 | |
*** menesis has quit IRC | 21:32 | |
*** __mac__ has joined #zope | 21:37 | |
*** __mac__ has joined #zope | 21:38 | |
*** menesis has joined #zope | 22:21 | |
*** yvl has quit IRC | 22:27 | |
*** yvl has joined #zope | 22:28 | |
*** __mac__ has quit IRC | 23:03 | |
*** stereo_ has joined #zope | 23:29 | |
*** grasbauer has joined #zope | 23:39 | |
*** grasbauer has left #zope | 23:40 |
Generated by irclog2html.py 2.15.1 by Marius Gedminas - find it at mg.pov.lt!