CVE-2023-7008 Christmas drama notes

Luca Boccassi luca.boccassi at gmail.com
Tue Dec 26 10:37:19 UTC 2023


On Tue, 26 Dec 2023 at 02:30, Petr Menšík <pemensik at redhat.com> wrote:
>
> Hello systemd users and developers,
>
> I have experienced something in issue #25676 [1], which has been closed and I am not allowed to comment there anymore. But the experience I had there were so terrible, I feel a need to comment a little bit.

Here's what's really going on: you have found yourself in a position
where, as a RH employee, you could abuse the internal CVE process to
promote your own projects, and that's exactly what you did: without
consulting or notifying anybody who is involved in this project, you
went directly to the security team raise a CVE while we all were on
holiday, and then promptly went on social media to use the CVE to bash
the project and promote your own instead: https://imgur.com/3eqRQcW
You even lied about others in RH being aware that a CVE was raised,
which is obviously not true - those referenced comments were made
months before the CVE was opened. You ignored all processes, went
behind the back of all maintainers - upstream and downstream - in
order to inflict maximum damage at the worst time possible, and then
brag on social media about it. This is a blatant abuse of Redhat's CNA
position, and puts the whole company under a bad light, and casts
doubts over its trustworthiness as the CNA for the project, all
because of your reckless and needless actions. Not content, you even
intentionally avoided to mention in the CVE that this feature is off
by default everywhere, and thus very few users are actually affected -
when CVEs are raised, hardly anybody goes to look for related bug
trackers or issues, and the CVE advisory is all that is used to
establish impact and decide whether action is needed, and there was no
mention anywhere that this requires a local administrator to manually
enable it for a machine to be affected. A _lot_ of work for a _lot_ of
people kicks off every time a CVE is raised, due to automation, and
the correctness of the advisory is fundamental to avoid triggering
unneeded work. You made sure it was worded to give the idea that every
installation was affected, so that it could cause the maximum amount
of panic and damage possible, again so that you could then brag on
social media about it, showing a reckless disregard for the wellbeing
of your colleagues at Redhat, Redhat's customers and all other
downstream users and developers during their holidays.

It's of course fine to request the security team to raise CVEs when
needed. There are always bugs somewhere, and there will always be. The
crucial detail is to involve the relevant teams and not sideline them.
Just because someone else opened a bug that you have some strong
opinion about, and you feel should have higher priority, doesn't give
you the right to bypass every other team that is involved in the
maintenance of the projects. Guess what: everybody's got opinions on
bugs, yours are not more important or relevant than any other
person's. If you feel a bug deserves more attention, the first thing
you can do is provide the work to fix it yourself - this is an open
source project, and hardly anybody has a right to demand others put
their free time toward what they feel is important - this is
especially true for somebody like yourself, who has never contributed
anything to the project, and is not a maintainer. The second thing you
can do is contact your colleagues inside the company who are in charge
of maintaining the project and talk to them, and _explicitly_ ask them
to raise a CVE. Maybe they will agree with you, maybe they will not -
they are the maintainers, so they are in the best position to make
such calls, not you. This is not the first CVE raised for this
project, and won't be the last, we have processes around this for very
good reasons, and they exist whether or not you agree with them.

How do we know all of this was done intentionally, and it's not an
honest mistake? Because at first of course I assumed good faith, as
always, and asked you to take responsibility for your actions and get
the advisory fixed - it was a trivial change after all, what could be
the issue with doing that, just a one line change in the description.
And yet asked 5 times, 5 times you refused and doubled down. Even in
your mail here you are still refusing to recognize that it's important
to write accurate advisories that correctly assess impact, to avoid
damaging our users and Redhat's customers. You also refused to
acknowledge that ignoring processes and sidelining your colleagues at
RH was the wrong thing to do, and even here you are doubling down yet
again on that too. And you went straight to social media to brag about
this and promote your projects instead, as shown in the screenshot
linked above.

The worst part is that it was all eminently avoidable - all you needed
to do, after the initial damage was done, was to get the advisory
updated as requested to ensure no further damage came from your
actions, and that would have been the end of it. I didn't even ask for
an apology for disregarding our processes and causing all those
troubles for everybody for no good reason, as that's not really what's
important. The only thing I cared about was minimizing the damage you
had inflicted on Redhat's customers and all other users. But you
refused to even do that, and doubled down every time, and your
colleague Michal had to do such work instead, while on holiday. These
are not the actions of somebody who is acting in good faith - this
reckless behavior shows a blatant disregard for your colleagues at
Redhat, Redhat's customers and all involved open source users and
developers. Your only contributions to the project to date have been
negativity, flame wars (as this very email thread further proves),
disparaging comments, demands that volunteers spend their time to do
work for you for free and other assorted unpleasantness, while
promoting your own alternative projects. You have shown, time and time
again, that all you cared about all along was causing damage to the
project, to your colleagues and customers and to your company, and
brag on social media about it. This email from you proves it even
further - you are doubling down yet again, refusing to acknowledge any
wrongdoing and any remorse for the damage you have done and the huge
amount of unnecessary overtime work that you caused for maintainers,
Redhat's customers and all other users.

Given such a record, the Github org owners (plural) collectively
decided that, as the very first and immediate consequence, your
membership of the Github project is not compatible with your
behaviour, and removed you.


More information about the systemd-devel mailing list