Maxim Dounin announces the freenginx project.

As such, starting from today, I will no longer participate in nginx development as run by F5. Instead, I’m starting an alternative project, which is going to be run by developers, and not corporate entities:

  • fmstratEnglish
    644·
    8 months ago8 months ago

    TLDR; F5 owns Nginx. Making corporate over security decisions. New community fork from one of the core devs at http://freenginx.org/. Too new to know if it will be adopted by other mainstream projects that currently leverage/embed nginx.

    Note: If you use nginx and are concerned about security, consider a look at projects such as owasp/modsecurity-crs which include security layers on top of nginx.

    • xinayder
      490·
      8 months ago

      That doesn’t seem to be the case. From what I read on HN, the dev quit because he thought it didn’t make sense to submit CVEs for temporary/wip solutions, and F5 thought otherwise.

      So as I see it, the developer quit because he didn’t agree that a CVE should be opened for a work-in-progress solution that was live on Nginx.

      • exception4289OP
        180·
        8 months ago

        That’s what I read, too.
        It gives a new perspective on the subject.

        Sad to see the workforce being split up, though.

    • MangoPenguinEnglish
      250·
      8 months ago

      Making corporate over security decisions.

      I read the opposite essentially, that F5 is publishing CVEs and the dev did not want them to.

      • towerful
        140·
        8 months ago

        Yeh, seems like the CVEs were against an alpha branch.
        So, perhaps its a good reminder not to use alpha in production But I feel it warranted a bug report instead of a “Common Vulnerabilities and Exploits” notice, normally something used to notify potentially production deployed systems of an issue.

        That would be like Pepsi issuing a product recall to all retail outlers for a product that has only been tested internally (kinda)

        • KushanEnglish
          110·
          8 months ago

          I think it’s more like pepsi issuing a product recall for something that has been accidentally left on the side of the road. You know you should not be drinking it anyway, but you also know someone would try it.

          • Bene7rddso
            30·
            8 months ago

            It was on purpose on the side of the road so people could gice feedback. But the issue wasn’t a health issue (privilege escalation, etc), it just wasn’t tasty (DoS). Something you really don’t want to sell in the store, but in an alpha/beta version it’s no big deal

    • seth
      112·
      8 months ago

      deleted by creator

      • khannieEnglish
        30·
        8 months ago

        I will never understand how they became so massive.