GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

  1. Dookie (dookie@freesoftwareextremist.com)'s status on Thursday, 20-Jul-2023 05:32:30 JST
    in reply to
    • Aroop Roelofs :verified:
    • alan
    who cares if the corp leaves. they don't contribute back to projects 99% of the time
    • Sexy Moon likes this.
    • Aroop Roelofs :verified: (finlaydag33k@social.linux.pizza)'s status on Thursday, 20-Jul-2023 05:32:31 JST
      in reply to
      • alan

      @lan No, I meant his attitude towards major corporations.
      I'm not saying corporations shouldn't stop the "leech mentality" but grandinj should also realize that if the corps stop using H2, it'll probably collapse.

      Gran should either deal with this CVE or not be surprised if H2 would basically die within the next year or two.

    • alan (lan@mastodon.de)'s status on Thursday, 20-Jul-2023 05:32:41 JST
      in reply to
      • Aroop Roelofs :verified:

      @finlaydag33k exactly. Those "professional" corporations should quit it with their leech mentality and start realizing it's actually a two-way street.

    • Aroop Roelofs :verified: (finlaydag33k@social.linux.pizza)'s status on Thursday, 20-Jul-2023 05:32:42 JST
      in reply to
      • alan

      @lan And this is how otherwise good projects die... Because 1 muppet can't keep it professional.

    • alan (lan@mastodon.de)'s status on Thursday, 20-Jul-2023 05:32:43 JST

      lol 😅 https://github.com/h2database/h2database/issues/3686


      Attachments


      1. https://mastodon.de/system/media_attachments/files/110/734/373/555/171/394/original/afb5e1898970742a.jpg
      2. CVE-2022-45868: Password exposure in H2 Database (not an issue) · Issue #3686 · h2database/h2database
        Dependabot and org.owasp:dependency-check-maven have been reporting CVE-2022-45868 (see GHSA-22wj-vf5f-wrvj) to me. I didn't find this CVE referenced from any issue in the issue tracker here, so I'...
      Tobias Hellgren repeated this.
    • ? (cereal@shitposter.club)'s status on Thursday, 20-Jul-2023 05:41:07 JST
      in reply to
      • alan
      @lan I mean, how about you set your highly paid genius developers toward that target for a moment instead of trying to bully volunteers into doing it?
    • Sexy Moon (moon@shitposter.club)'s status on Thursday, 20-Jul-2023 05:41:07 JST
      in reply to
      • ?
      • alan
      @cereal @lan mixed feelings here. most H2 users aren't vulnerable, the issue is that shitty CVE scanners just see H2 in your dependencies and match it with a CVE and mark it as a critical vulnerability. you're only vulnerable if you use the library in a nonstandard way.

      On the other hand why are they so resistant to removing that command line option, the CVE is absolutely correct

      it would take little effort if corporations wanted to pay just a little money, to make a downstream fork of H2 that does NOTHING but remove that CLI option and they'll avoid the CVE so they should just DO THAT
    • Erik Uden 🍑 (erikuden@mastodon.de)'s status on Thursday, 20-Jul-2023 05:48:48 JST
      in reply to
      • alan

      @lan Gentle reminder that Apple, once the largest corporation on planet earth, still a TRILLION dollar corporation, only donated $5 to FreeBSD, despite their entire operating systems relying on it


      Attachments


      1. https://mastodon.de/system/media_attachments/files/110/742/252/421/304/573/original/d936134b8baa254f.png
      Haelwenn /элвэн/ :triskell: likes this.
      BowserNoodle ☦️ repeated this.
    • Sexy Moon (moon@shitposter.club)'s status on Thursday, 20-Jul-2023 05:50:49 JST
      in reply to
      • ?
      • :blank:
      • alan
      @i @lan @cereal removing the option was the right move because it was a vulnerability, protesting CVE spam by leaving your software vulnerable is a bad idea. I'm not going to continue to harp about it since they did the right thing in the end though. just to be clear though I did call out that CVE scanners are crap.
      Haelwenn /элвэн/ :triskell: likes this.
    • :blank: (i@declin.eu)'s status on Thursday, 20-Jul-2023 05:50:51 JST
      in reply to
      • Sexy Moon
      • ?
      • alan
      @Moon @lan @cereal they did change it, two weeks ago
      https://github.com/h2database/h2database/commit/23ee3d0b973923c135fa01356c8eaed40b895393

      cve spam is mostly a meaningless time waste anyways, a protest of them in this manner is well deserved

      Attachments

      1. Disallow plain webAdminPassword values to force usage of hashes · h2database/h2database@23ee3d0
        H2 is an embeddable RDBMS written in Java. Contribute to h2database/h2database development by creating an account on GitHub.
    • wizzwizz4 (wizzwizz4@fosstodon.org)'s status on Thursday, 20-Jul-2023 05:59:15 JST
      in reply to
      • Erik Uden 🍑
      • alan

      @ErikUden @lan Gentle reminder that this isn't actually true. Per https://freebsdfoundation.org/our-donors/donors/, Apple Inc. paid:

      2023: $250–$499
      2022: $1000–$4999
      2021: $1000–$4999
      2020: $250–$499
      2019: $1000–$4999
      2018: $1000–$4999

      So that's $4500–$20994 total over the past 5½ years. So aktually, the trillion dollar corporation has paid not even 18 months' *US minimum wage* ($7.25/hr) for one person. Across 5½ years.

      But hey. It's more than $5, so it's totally fair, right?


      Attachments

      1. Donors
        from freebsdadmin

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.