undefined | Better HN

0 pointsaaronbwebber2y ago0 comments

if it's not compiled in by default, then you aren't shipping the code! Somebody is downloading it and compiling it themselves!

0 comments

anon-sre-srm2y ago

Incorrect. Features available to users still require a minimum, standard level of support. This is like the deceptive misnomer of staging and test environments provided to internal users used no differently than production in all but name.

GoblinSlayer2y ago

Nobody does it like that though, what vendor declares unsupported is unsupported.

mort962y ago

That .. is the definition of shipping the code, the code is being shipped to the people downloading and compiling it for themselves

kelnos2y ago

If the feature is in the code that's downloaded, regardless of whether or not the build process enables it by default, the code is definitely being shipped.

ramses02y ago

BRB, filing CVE's against literally any project with example code in their documentation...

MZMegaZone2y ago

That's actually supported by the CVE program rules. Have at it if you find examples with security vulns.

spicykraken2y ago

I've actually seen CVEs like that before, I agree that's bonkers but I have seen it...

1 more reply

anon-sre-srm2y ago

Yes. It's no different from any optional feature. Actual beta features should only be shipped in beta software .

Twirrim2y ago

You and I have very different notions of "shipped". It's open source code, it's being made publicly available. That's shipped, as I see it.

aaronbwebberOP2y ago

This is an insane standard and attempting to adhere to it would mean that the CVE database, which is already mostly full of useless, irrelevant garbage, is now just the bug tracker for _every single open source project in the world_.

TedDoesntTalk2y ago

This. CVE has become garbage because "security researchers" are incentivized to file anything and everything so they can put it on their resume.

xcrunner5292y ago

Why is it insane? The CVE goal was to track vulnerabilities that customers could be exposed to. It is used…in public, released versions. Why wouldn’t it be tracked?

2 more replies

j / k navigate · click thread line to collapse

0 comments

anon-sre-srm2y ago

GoblinSlayer2y ago

Nobody does it like that though, what vendor declares unsupported is unsupported.

mort962y ago

That .. is the definition of shipping the code, the code is being shipped to the people downloading and compiling it for themselves

kelnos2y ago

If the feature is in the code that's downloaded, regardless of whether or not the build process enables it by default, the code is definitely being shipped.

ramses02y ago

BRB, filing CVE's against literally any project with example code in their documentation...

MZMegaZone2y ago

That's actually supported by the CVE program rules. Have at it if you find examples with security vulns.

spicykraken2y ago

I've actually seen CVEs like that before, I agree that's bonkers but I have seen it...

1 more reply

anon-sre-srm2y ago

Yes. It's no different from any optional feature. Actual beta features should only be shipped in beta software .

Twirrim2y ago

You and I have very different notions of "shipped". It's open source code, it's being made publicly available. That's shipped, as I see it.

aaronbwebberOP2y ago

TedDoesntTalk2y ago

This. CVE has become garbage because "security researchers" are incentivized to file anything and everything so they can put it on their resume.

xcrunner5292y ago

Why is it insane? The CVE goal was to track vulnerabilities that customers could be exposed to. It is used…in public, released versions. Why wouldn’t it be tracked?

2 more replies

j / k navigate · click thread line to collapse