CVE-2023-7008 Christmas drama notes

Petr Menšík pemensik at redhat.com
Tue Dec 26 18:09:05 UTC 2023


Hello Luca,

I did not expect a normal and honest apology from you right from the 
start, but I did at least expect *some* reflection. I see none in that 
long text.

You seem to have very minimal insight into how our internal 
vulnerability process works, but that does not prevent you from judging 
my guilt.

I will leave further discussion until after I return to the office. It seems 
a face-to-face discussion would bring fewer emotions. I want the opinion of 
people who know how it happened. Not people who think they know, but 
have no direct way of knowing it.

On 12/26/23 11:37, Luca Boccassi wrote:
> On Tue, 26 Dec 2023 at 02:30, Petr Menšík <pemensik at redhat.com> wrote:
> Here's what's really going on: you have found yourself in a position
> where, as a RH employee, you could abuse the internal CVE process to
> promote your own projects, and that's exactly what you did: without
> consulting or notifying anybody who is involved in this project, you
> went directly to the security team to raise a CVE while we all were on
> holiday, and then promptly went on social media to use the CVE to bash
> the project and promote your own instead: https://imgur.com/3eqRQcW
> You even lied about others in RH being aware that a CVE was raised,
> which is obviously not true - those referenced comments were made
> months before the CVE was opened. You ignored all processes, went
> behind the back of all maintainers - upstream and downstream - in
> order to inflict maximum damage at the worst time possible, and then
> brag on social media about it. This is a blatant abuse of Redhat's CNA
> position, and puts the whole company under a bad light, and casts
> doubts over its trustworthiness as the CNA for the project, all
> because of your reckless and needless actions. Not content, you even
> intentionally avoided mentioning in the CVE that this feature is off
> by default everywhere, and thus very few users are actually affected -
> when CVEs are raised, hardly anybody goes to look for related bug
> trackers or issues, and the CVE advisory is all that is used to
> establish impact and decide whether action is needed, and there was no
> mention anywhere that this requires a local administrator to manually
> enable it for a machine to be affected. A _lot_ of work for a _lot_ of
> people kicks off every time a CVE is raised, due to automation, and
> the correctness of the advisory is fundamental to avoid triggering
> unneeded work. You made sure it was worded to give the idea that every
> installation was affected, so that it could cause the maximum amount
> of panic and damage possible, again so that you could then brag on
> social media about it, showing a reckless disregard for the wellbeing
> of your colleagues at Redhat, Redhat's customers and all other
> downstream users and developers during their holidays.
>
> ...

I will ask my manager to read that issue and tell me if I did anything 
wrong or harmed anyone. I will ask Lukáš for his opinion as well. I do 
not care about your opinion of me, as I doubt you know me, or what or 
how I do anything.

> Given such a record, the Github org owners (plural) collectively
> decided that, as the very first and immediate consequence, your
> membership of the Github project is not compatible with your
> behaviour, and removed you.

Thank you for this part; I did not have to leave myself. I have had 
enough and I think I have been very patient. I would like to know which 
people voted for my membership termination and who voted against.

Best Regards, Petr

-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
