this post was submitted on 08 Sep 2025
It's a bogus security concern and seems like a smear campaign because the dev did not respond "properly".
Anybody who has set up a webserver on Debian or Red Hat will tell you that Apache versions mean nothing. They backport fixes and security patches to seemingly ancient versions of Apache, and then every security scanner will tell you they are vulnerable while actually they are not and have been fixed for years.
I had to fight the security team at my old job because of this very same thing. Just check the Red Hat/Debian release logs for Apache and you'll see the CVEs have been fixed.
Doing a whole blog post to shit on the project, then making a bogus security claim while giving them way too short a notice (1.5h is insane) to fix before going public is in extremely bad taste. I totally understand the dev blocking the guy as he contributed nothing here.
Edit: From the blog:
Tell me you don't know anything about security without saying it. Anybody worth their salt will know backporting exists.
This is just trying to smear the dev while looking like a fool. Anybody capable of opening the dev tools and checking the header would see the same thing. Guess what? Lots of bots do that already and automatically try known CVEs.
Second edit: not trying to rub people the wrong way, but commenters here should really stop giving their opinions on stuff they don't understand. Yes, security is important, but no, an older Apache version in the header is not an issue.
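The changelog check the comment above describes, as an added example that is not part of the thread: it takes the CVE ids a banner-based scanner reported and looks each one up in the installed package's changelog (the text of `rpm -q --changelog httpd` or of `/usr/share/doc/apache2/changelog.Debian.gz`). The sample changelog, version strings and CVE ids are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed excerpt in Debian changelog format. Package versions and
# CVE ids are placeholders, not real advisories.
SAMPLE_CHANGELOG = """\
apache2 (2.4.0-1+deb0u2) stable-security; urgency=high

  * Backport upstream fix for CVE-0000-0002 (request smuggling).
  * CVE-0000-0003: fix NULL dereference in mod_proxy.

 -- Maintainer <maint@example.invalid>  Mon, 01 Jan 2024 00:00:00 +0000

apache2 (2.4.0-1+deb0u1) stable-security; urgency=medium

  * CVE-0000-0001: backported patch.

 -- Maintainer <maint@example.invalid>  Sun, 01 Jan 2023 00:00:00 +0000
"""

# Entry headers start in column 0: "package (version) distribution; ..."
ENTRY_RE = re.compile(r"^\S+ \(([^)]+)\) ", re.M)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def fixed_in(changelog):
    """Map each CVE id named in the changelog to the oldest release citing it."""
    fixes = {}
    headers = list(ENTRY_RE.finditer(changelog))
    for i, head in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(changelog)
        for cve in CVE_RE.findall(changelog[head.end():end]):
            # Entries are newest first, so a later match is an older release.
            fixes[cve] = head.group(1)
    return fixes


def triage(scanner_cves, changelog):
    """Return {cve: fixing release, or None when the changelog never names it}.

    The changelog of the *installed* package only lists releases up to the
    installed one, so a hit means the backported fix is present. None is not
    proof of exposure: check the distribution's security tracker by hand.
    """
    fixes = fixed_in(changelog)
    return {cve: fixes.get(cve) for cve in scanner_cves}


if __name__ == "__main__":
    for cve, rel in triage(["CVE-0000-0001", "CVE-0000-0009"], SAMPLE_CHANGELOG).items():
        print(cve, "fixed in " + rel if rel else "not in changelog, review manually")
```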
Two things can be right at the same time:
Idk anything about the author, but besides the Apache version thing, he did bring up some very valid criticisms. The previous article they wrote is worth a read, or at the very least, it's worth watching the snippets of that HOPE interview. It's obvious the developer is a hardcore bullshitter, which is the most charitable interpretation giving him the benefit of the doubt (without speculation about malicious intent).