
Can't tell what happened to the earlier link but I've fixed it.

Puck was being malicious in releasing the information. There's no favourable way of describing disclosing a vulnerability on social media because the maintainers didn't meet your 7 day deadline.

It's more of a "we're forcing their hand since they haven't met our expectations yet" thing.

There are so many ways they could've gotten a timely fix without the "doing everyone a favour by not fully disclosing the entire 0 day" approach, but like you said .... tough cookies all round.

And to answer your final question, there's a patch available.

https://github.com/NixOS/nixpkgs/pull/340885



Calling the reporter malicious is not constructive and does not help Nix (even if you are right). From all I can tell, there was no request to extend the deadline or proactively coordinating disclosure when the reporter pushed for it. That would have been preferred and could have avoided this situation. I would hope for a later postmortem incorporating the lesson of more proactive communication with reporters.


That the Nix team didn’t cooperate is a trivially disprovable excuse being pushed by people surrounding the fork.

https://matrix.to/#/!VRULIdgoKmKPzJZzjj:nixos.org/$tJgEBGqKs...


Can we please stop this polarizing drama, from both sides? I never said that anyone wasn't cooperating. Quoting your link:

> > is there any update on the root escalation vulnerability in 2.24?

> Eelco is working on it, there's a patch on the GitHub advisory, we plan to get it out on Monday, but no promises yet if everything will get done by then

This is what I mean when I say it's not sufficient in terms of disclosure coordination... Doesn't seem like anyone was necessarily acting in bad faith, just mutual frustration and room for improvement on professionalism on all sides. Though I'd hold NixOS maintainers to a higher expectation of professionalism than random independent security researchers. The important thing is that people draw the right lessons. "The X people suck" isn't a valuable lesson for any value of X. And if you're seeing bad intent on the reporter and them trying to prove a point; well yeah, maybe, and point proven? Processes should cover for these eventualities.


The thing is, the reporter is not a random independent security researcher. She's a core team member of Lix, the fork, and is no stranger to the Nix community. This incident directly relates to the wider conflict between the two projects. That's why people are upset.


So you're saying out loud that the person reporting the issue matters. It shouldn't matter who tells you that you have a security issue.


Nobody ever said it isn't okay to report security issues. This is about dumping 0 days on social media when you know full well that the other side is cooperating and working on a fix. The who in this case matters because the reporter knew how the Nix community works, knew it was a hostile thing to do, and did it anyway.

Again,

https://matrix.to/#/!VRULIdgoKmKPzJZzjj:nixos.org/$tJgEBGqKs...

What I meant is crystal clear if you read what I was replying to. Please don't take it out of context to spin a story. You did it in your original comment, and you did it again right here.


No, I'm really not trying to take things out of context, but what you wrote really makes it seem like the person who reports it matters.

Ignoring that, I agree that it's a dick move, but it's like our famous "well, technically" memes - the delivery might matter, but in the case of security issues, it really doesn't matter as much as the actual content.

"You have an issue, and I'm going to be a dick and release it in a week."

Yes, that would be a dick move, but someone acting like a dick doesn't mean that the Nix team shouldn't address the issue within that week, even if it does feel like extortion.

Also, those matrix links say nothing. I'm not sure what we're supposed to do with them, but I'm not downloading software to see whatever it is you want to share.


That's not a patch. It just downgrades the nix version to 2.23 in nixpkgs.

It doesn't help people who are already using the vulnerable version, and also new users, because installers install the latest versions.


> Puck was being malicious in releasing the information.

[citation needed]

> There's no favourable way of describing disclosing a vulnerability on social media because the maintainers didn't meet your 7 day deadline.

Personally I'm grateful he didn't sit on a remote privesc vulnerability for 90 days when he was confident it wasn't going to be fixed. I think you're conflating public disclosure (security through obscurity) with real harm, i.e. compromise due to the bug. If Puck found it, others who would gladly sell it for coin on the black market would have found it.



