A remote code execution vulnerability in qmail
A remote code execution vulnerability in qmail
Posted May 20, 2020 19:53 UTC (Wed) by jafd (subscriber, #129642)Parent article: A remote code execution vulnerability in qmail
Posted May 20, 2020 20:14 UTC (Wed)
by mattrose (guest, #19610)
[Link] (26 responses)
Posted May 20, 2020 20:51 UTC (Wed)
by jafd (subscriber, #129642)
[Link] (24 responses)
I think there is something about OSS maintainership which attracts people like this.
Posted May 20, 2020 21:13 UTC (Wed)
by warrax (subscriber, #103205)
[Link] (2 responses)
Whoa, whoa, whoa... that's a hell of a leap.
Consider how much FOSS software you're using right now and how many of the maintainers of that software behave like DJB, or the maintainer(s) you're talking about.
Posted May 20, 2020 22:14 UTC (Wed)
by jafd (subscriber, #129642)
[Link]
It's not so much about the quantity. In case of Pango, it's now used almost everywhere a program wants to put some text on the screen.
Remember Ulrich Drepper in his infamous glibc days? glibc is only one piece, one may argue, but it's a kind of piece all other pieces depend on. And so on.
Posted May 21, 2020 0:43 UTC (Thu)
by lkundrak (subscriber, #43452)
[Link]
Posted May 20, 2020 21:19 UTC (Wed)
by Vipketsh (guest, #134480)
[Link] (4 responses)
It would be very good if people realise that everyone in this game of OSS is connected and depending on each other. Doubly so for core libraries, like your Pango example. Even seemingly unrelated components like for example a compiler and text editor at the end of the day depend on each other: the text editor breaks the compiler writers work flow and there may not be a compiler to compile said editor.
Posted May 20, 2020 22:27 UTC (Wed)
by jafd (subscriber, #129642)
[Link] (3 responses)
1. Take a project which many depend on but no one wants to touch with a barge pole (code issues, author died 20 years ago).
No one denies there's a lot of hard work involved, but this doesn't mean you're now ascended to infallibility or that it's always "your way or highway". Break a workflow of enough people, and there will appear bright individuals who not only are talking about replacing your work, but possess the actual capability to do so.
Posted May 21, 2020 2:49 UTC (Thu)
by NYKevin (subscriber, #129325)
[Link] (2 responses)
There is always an impedance mismatch between the users of the software and the developers. There is often a further impedance mismatch between power users and all other users, but let's ignore that for the sake of simplicity. For developers, maintainability is a Big Deal. Avoiding regressions is important, but sometimes, old code can be sufficiently convoluted or messy as to present an actual hazard to the long-term viability of the project. This may be because nobody understands how it works, because it is written in a non-extensible fashion, or because it's a pile of ugly hacks, but whatever the reason, it inevitably becomes a question of time and effort: How difficult will it be to exactly replicate the behavior of this bad code with good code? How strongly do we care about supporting this use case? How do those two concerns balance against each other?
But from the users' perspective, this is all invisible. All they can see is "It used to work, now it doesn't, why did you give me a pony then shoot it?" Of course, the average(!) user does not care that there is an actual answer to that question, because the average(!) user is not in a position to understand said answer anyway. Really, they either want to convince the developers to change their minds, or they just want to vent. The problem is that developer time is not infinitely fungible, especially in an OSS context. If literally no one wants to work on replacing the bad code with good code, then a replacement will not happen. In the meantime, other work is blocked on the bad code's continued existence. So what the user is really asking for is the project's cessation, which the developers obviously regard as unreasonable. In bad cases, developers and users will then proceed to talk past each other and get into huge flame wars on the project's mailing list, accomplishing exactly nothing.
(This is also where the second impedance mismatch comes in: Developers often choose to prioritize the needs of the many over the needs of the few, but in practice, power users are "the few." So they get frustrated when developers kill their prized feature in favor of supporting something more basic: https://xkcd.com/619/)
Instead, I think it's more helpful to focus on the respect with which users and developers treat one another. If the developers take a conciliatory "We're sorry this breaks your workflow, here are our suggested workarounds" attitude, users are likely to be a lot more accepting than if developers say "Your workflow is bad and you should feel bad." A little bit of compassion goes a very long way, even if it makes no difference in the actual software as-shipped.
Posted May 21, 2020 9:18 UTC (Thu)
by mgedmin (subscriber, #34497)
[Link]
Posted May 22, 2020 2:23 UTC (Fri)
by intelfx (subscriber, #130118)
[Link]
TBH that comic shows a literal inverse of your point.
Posted May 20, 2020 22:16 UTC (Wed)
by Sesse (subscriber, #53779)
[Link] (2 responses)
(Quick summary of the situation as I understand it: When “full hinting” is on, aka interpreting and executing the manual hint bytecode in the TTF file, the font metrics change. HarfBuzz used to depend on unmaintained code to get this right, but eventually found that too hard and not worth it over time, especially given that full hinting is only used by a (vocal!) minority of users and is useless on high-DPI monitors. So if you have it enabled in FreeType, HarfBuzz will believe that your glyph takes up N pixels and FreeType will render it using M pixels, and your text gets misaligned on screen because the next thing to render starts the wrong place.)
Posted May 20, 2020 22:57 UTC (Wed)
by jafd (subscriber, #129642)
[Link] (1 responses)
It would hold if the discussion was about a feature which didn't exist and would need to be implemented. In this case, it pretty much existed for more than a decade, and now suddenly this.
> So if you have it enabled in FreeType, HarfBuzz will believe that your glyph takes up N pixels and FreeType will render it using M pixels, and your text gets misaligned on screen because the next thing to render starts the wrong place.
Then the bug is that configurations that make this situation possible are not processed properly. Make whatever sets those two libraries up cater to the lowest common denominator (full hinting -> medium, or what maximum Harfbuzz can use) so there's never ever a mismatch, and be done with it. Explaining why hinting cannot be cranked up to full anymore is IMO way easier than explaining why the text is suddenly drunken and unreadable.
But why do it, when we can fuel the drama up with arrogant remarks.
> useless on high-DPI monitors
On your typical office PCs, HiDPI monitors, alas, are still a minority. And as people age, they seem to want unreasonable things like more contrast text; I keep wondering, why would they.
Posted May 21, 2020 12:07 UTC (Thu)
by Sesse (subscriber, #53779)
[Link]
And I agree, one should probably just remove the setting for full hinting.
Posted May 20, 2020 22:18 UTC (Wed)
by joib (subscriber, #8541)
[Link] (12 responses)
The Harfbuzz maintainer seems tired of people who disagree about the development priorities, have time for endless hyperbolic discussions about the one true way their favourite font should be rendered on their particular system with their particular (very much non default) config, yet somehow don't have time to contribute in any manner.
Posted May 20, 2020 22:47 UTC (Wed)
by jafd (subscriber, #129642)
[Link] (11 responses)
Telling "we're not going back to the old behaviour because so and so" can at least tell where the decision is coming from. Telling "we're sorry it's going to break some setups which have such and such settings" at least acknowledges that there are problems. Telling to "use something else, it's Free Software" or "go buy yourself a HiDPI monitor" is straight away toxic.
It's also not like the maintainer is volunteering for free.
My personal setup was not affected by that issue. But tell you what, I wouldn't tolerate an individual with such attitude on my team, even if he held two Nobel prizes, four Oscars, and was willing to work for peanuts.
> have time for endless hyperbolic discussions about the one true way their favourite font should be rendered on their particular system with their particular (very much non default) config, yet somehow don't have time to contribute in any manner.
In other words, if you're not a better programmer than the author, you're little people and your feedback is of no consequence. It's almost like telling that you cannot say the restaurant food is foul because you're not a chef yourself and don't work in the same kitchen.
Posted May 21, 2020 7:37 UTC (Thu)
by joib (subscriber, #8541)
[Link] (1 responses)
It's clearly a regression if it's an unintended change. If dropping support for feature X is on the roadmap (for whatever reasons) then, well, not so clear anymore.
> Telling "we're not going back to the old behaviour because so and so" can at least tell where the decision is coming from. Telling "we're sorry it's going to break some setups which have such and such settings" at least acknowledges that there are problems.
Seems that in this case the maintainer(s) have quite clearly communicated what the path forward is, taking into account their priorities and available resources.
Disagreeing on the roadmap is fine, of course. But ultimately it boils down to
1. DIY.
Needless to say, throwing bile at the maintainers is unlikely to be a successful strategy for #3. Of course, maintainers should keep their cool and not be provoked (which, to an extent seems to have failed here), but OTOH maintainers, even ones who are employed by big evil soulless corporations, are humans too.
> In other words, if you're not a better programmer than the author, you're little people and your feedback is of no consequence.
Of course not. I'm sure all projects warmly welcome respectful feedback. Throwing tantrums and harassing maintainers is, OTOH, not likely to be a productive approach to getting what you want.
> It's almost like telling that you cannot say the restaurant food is foul because you're not a chef yourself and don't work in the same kitchen.
This case seems more to be like the customer going to the restaurant kitchen yelling that before the current owner took over and remodeled the place to be this posh restaurant, this used to be Old Joe's Biker Bar and they served proper food. And then they just continue yelling and won't leave until the owner threatens to call the police.
Posted May 21, 2020 20:43 UTC (Thu)
by gerdesj (subscriber, #5446)
[Link]
A few years ago *cough*, I wanted 802.1Q VLAN support in Linux but it seemed to be taking a while for some bloke called Ben to get it all sorted out. I sent an email asking what help I could provide. Testing was the reply with patches attached. The first effort failed to compile and a short to and fro got it up and running enough for mainline.
My test Compaq box got its 10 VLANs on one NIC. I wrote a script to create 10 x 15 smb.conf files to create the master browser from hell! 15 workgroup names ...
Posted May 22, 2020 0:06 UTC (Fri)
by HelloWorld (guest, #56129)
[Link] (8 responses)
> It's almost like telling that you cannot say the restaurant food is foul because you're not a chef yourself and don't work in the same kitchen.
Posted May 22, 2020 1:45 UTC (Fri)
by pizza (subscriber, #46)
[Link]
The term for that sort of person is a "choosing beggar", made popular by the /r/ChoosingBeggars sub-reddit.
Posted May 22, 2020 12:06 UTC (Fri)
by Vipketsh (guest, #134480)
[Link] (2 responses)
It also needs to be understood somewhere that replacing core components and then maintaining that replacement just for yourself is a HUGE amount of work, if possibly by yourself only. Thus being told by some maintainer of a core piece "go replace it yourself" is little more than being given the middle finger and being told "junk yard dogs not welcome here".
Posted May 22, 2020 12:35 UTC (Fri)
by Wol (subscriber, #4433)
[Link]
The problem, all too often, is that you need a piece of functionailty, and the maintainer has no time/interest in doing it. Plus the maintainer also needs to eat ...
If I were a maintainer, I'd have no qualms about saying "you want it, you pay for it". You just need mutual respect - the user needs the functionality, the maintainer needs food etc, how do we work out something that's beneficial to both ... ?
Cheers,
Posted May 22, 2020 21:36 UTC (Fri)
by HelloWorld (guest, #56129)
[Link]
> It also needs to be understood somewhere that replacing core components and then maintaining that replacement just for yourself is a HUGE amount of work, if possibly by yourself only.
Posted May 26, 2020 3:28 UTC (Tue)
by ssmith32 (subscriber, #72404)
[Link] (3 responses)
If you've accepted the work they put into bug reports, and leveraged the work they put into marketing your software for your own benefit, and then turned around and made a comment like this, you may be making a rational comment, but you may also be an ungrateful jerk & a bad maintainer. But if you say *why you don't want to do it a certain way (in a clear and technical way, devoid of figurative language) and suggest alternatives, then you may not be a jerk. Context & empathy matter. Even if the reason is "this feature is too much work to maintain" - that's fine.
> more appropriate comparison would be a beggar who is given some free food and who then complains because it's just a slice of pizza rather than caviar and champagne.
And if the homeless person had started sweeping your sidewalk, and greeting your customers in a charming & friendly fashion, and you decide to give them a rotten pickle from the trash, instead of pizza one day, you'd be a jerk then too. If you gave them a turkey sandwich, and they throw it at you, not so much.
In short, in many open source projects, the line between "user" and "contributor" is not clear cut.
And if you think of your users like beggars, you shouldn't be a maintainer. Open Source would be better off without your software - leave space for someone else who actually wants to create something useful for other people, and cares about their users.
Even Linus, at the peak of his infatuation with metaphorical (vs dry, technical) descriptions of issues, always valued the end user. Harsh on other maintainers, yes, but genuinely worked to solve user's issues ( no user space regressions! ).
If you're not in it to help your users, get out. But sometimes, you do have to set boundaries & clear expectations. Again, context & empathy matter.
>As a user, you simply don't get to decide how a project is developed, that's simply the way it works.
And they'll fork your software, rename it, and have no obligation to give you credit, outside of brief mentions in particular license text. If you're gonna be a condescending jerk, expect the world to return the favor. That's simply the way it works.
Posted May 26, 2020 23:40 UTC (Tue)
by HelloWorld (guest, #56129)
[Link] (2 responses)
So in your opinion somebody who has poured hundreds or thousands of hours into an open source project is supposed to be eternally grateful because somebody came along and took half an hour to write a bug report, and who probably didn't do so out of the kindness of their heart but because they just wanted it fixed? Give me a break. It's exactly the other way around: when somebody gets free bugfixes, they're the ones who should be grateful. The simple fact is that most open source projects are built by a tiny number of contributors who do the vast majority of the work. And it couldn't possibly be any other way, for the simple reason that developing software requires a software stack much bigger than any single developer could hope to develop in a lifetime.
> And if the homeless person had started sweeping your sidewalk, and greeting your customers in a charming & friendly fashion, and you decide to give them a rotten pickle from the trash, instead of pizza one day, you'd be a jerk then too.
> And if you think of your users like beggars, you shouldn't be a maintainer.
> If you're not in it to help your users, get out.
> And they'll fork your software, rename it, and have no obligation to give you credit,
Posted May 27, 2020 1:17 UTC (Wed)
by pizza (subscriber, #46)
[Link]
30 minutes is two order of magnitude more effort than goes into the typical bug report.
Posted May 27, 2020 4:15 UTC (Wed)
by flussence (guest, #85566)
[Link]
When you reduce the worth someone's presence adds to something as black-and-white as the dollar/labour value they contribute to a thing, I can see why you'd make that mistake.
Apache OpenOffice feels they're important because they have millions of users. Perhaps you can go convince them they're wrong.
Posted May 20, 2020 21:09 UTC (Wed)
by warrax (subscriber, #103205)
[Link]
A remote code execution vulnerability in qmail
A remote code execution vulnerability in qmail
A remote code execution vulnerability in qmail
A remote code execution vulnerability in qmail
A remote code execution vulnerability in qmail
A remote code execution vulnerability in qmail
A remote code execution vulnerability in qmail
2. Claim maintainership, do a lot of hard work on it no one would question was long overdue.
3. Claim you're now the saviour of Linux on desktop or somesuch like that (X for humans?), because no one wanted to maintain it and you stepped in.
4. Make sure there's enough marketing so alternatives just die out.
5. For the best results, collect paycheck from Red Hat/IBM or Microsoft.
6. Tell any people who had regressions because of your decisions to GTFO because you're the martyr doing the thankless job, and they are little people.
A remote code execution vulnerability in qmail
A remote code execution vulnerability in qmail
A remote code execution vulnerability in qmail
A remote code execution vulnerability in qmail
A remote code execution vulnerability in qmail
A remote code execution vulnerability in qmail
A remote code execution vulnerability in qmail
A remote code execution vulnerability in qmail
A remote code execution vulnerability in qmail
2. Pay someone else to do it.
3. Convince the maintainers to do it.
4. Get used to the new way of doing things and move on.
A remote code execution vulnerability in qmail
A remote code execution vulnerability in qmail
Yes, exactly. As a user, you simply don't get to decide how a project is developed, that's simply the way it works. Telling people to use something else if they don't like it is a perfectly reasonable thing to say.
You do realize that you pay for the food in a restaurant, right? A more appropriate comparison would be a beggar who is given some free food and who then complains because it's just a slice of pizza rather than caviar and champagne.
A remote code execution vulnerability in qmail
A remote code execution vulnerability in qmail
A remote code execution vulnerability in qmail
Wol
A remote code execution vulnerability in qmail
When something is open source, you get to use it whether or not you've previously contributed to it, or to any other open source project. Calling that a “barter” is just a misuse of the word.
If you want a project to implement some feature, and you can't do it yourself or pay somebody to do it, well, tough cookies. You're simply not entitled to getting software development work done for free. As an open source user, you don't have any rights other than those that the license grants you, period. It really is that simple.
A remote code execution vulnerability in qmail
A remote code execution vulnerability in qmail
If I ran a business and wanted somebody to sweep the sidewalk or greet my customers, I'd hire somebody to do it. The last thing I'd want is homeless people loitering in front of my business.
The simple fact of the matter is that most users are *not* contributors. They're using the software and they never wrote a single line of code for it. Receiving something for nothing, how is that different from being a beggar?
I've contributed many bug fixes and enhancements to various open source projects, and you know what? I couldn't care less if that helped anybody else. I did it because I'm using those projects, and contributing fixes upstream is the easiest way to get somebody else to maintain that code in the future.
You do realize that that is exactly what an open source license allows them to do, right? If a maintainer has a problem with that, then why the f*ck would they place their code under an open source license in the first place? You're just not making any sense.
A remote code execution vulnerability in qmail
A remote code execution vulnerability in qmail
A remote code execution vulnerability in qmail