Who's that fella anyway? I have a vague recollection that he was at Y!, walking around and whining about everything? Or was it a different Eric? I am getting old and want to forget all the unpleasant episodes in my life.
Anyway, his logic is flawed and leads us to the extreme where we just have to stop using any software out there, because there might be some vulnerability. While we need to strive to make our product better and safer for users, there are also realities and things we do not control. There's a quite positive part in this whole discussion: I really like that the other people in the ecosystem look at us as the de-facto focal point of the stack integration. I think the mission is accomplished! But let's not rest here just yet ;)
Cos

On Sat, Mar 12, 2016 at 08:30PM, Roman Shaposhnik wrote:
> Hi!
>
> our good friend Eric Yang has been at it again: spreading
> FUD about Bigtop: https://s.apache.org/KglM
>
> Nothing new, aside from this quote:
> ====================================================
> Bigtop contains /lib/lsb/init-functions which will import redhat-lsb-core
> which imports exim. Exim is known for common root escalation
> vulnerability. If you value your cluster security, I would recommend to
> think twice before using BigTop.
> ====================================================
>
> Could someone who's dealt with security for real (Olaf -- your
> name came to mind immediately) please comment on that
> JIRA thread?
>
> Typically I wouldn't feed Eric 'the troll' Yang, but I think having
> this type of allegation in a public record could be pretty bad for
> us.
>
> Thanks,
> Roman.
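The quoted JIRA comment rests on a transitive-dependency claim (init-functions pulls in redhat-lsb-core, which pulls in exim). The way to evaluate such a claim, rather than argue about it, is to walk the package dependency graph and see which chains actually end at the package in question. The script below is an added example, not code from this thread or from the Bigtop project; the package names, the `rpm -qR`-style output and the virtual-package provider map are all constructed for illustration and do not describe the real metadata of Bigtop, redhat-lsb-core or exim. On a live host the same graph would be fed from `rpm -qR <pkg>` or `apt-cache depends <pkg>` output, one package at a time.

```python
"""Added example: find every dependency chain from a root package that ends
in a watched package, so a claim like "X pulls in exim" can be checked.

All data below is CONSTRUCTED and hypothetical.
"""
from collections import deque

# Constructed `rpm -qR`-style output for a hypothetical package.
SAMPLE_RPM_QR = """\
/bin/sh
redhat-lsb-core >= 4.0
bash
rpmlib(CompressedFileNames) <= 3.0.4-1
"""


def parse_requires(text):
    """Turn `rpm -qR` output into bare dependency names.

    Drops rpmlib() capabilities and file-path requires, and strips version
    constraints such as ">= 4.0". Virtual capabilities (e.g. "mta") are kept
    as-is and resolved later through the provider map.
    """
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("rpmlib(") or line.startswith("/"):
            continue
        names.append(line.split()[0])
    return names


# Constructed graph: package -> direct requires (hypothetical names).
SAMPLE_DEPS = {
    "example-stack": ["example-stack-utils", "java-runtime"],
    "example-stack-utils": parse_requires(SAMPLE_RPM_QR),
    "redhat-lsb-core": ["mailx", "redhat-lsb-submod-security"],
    "mailx": ["mta"],  # virtual capability; which MTA satisfies it is repo-specific
    "java-runtime": [],
    "bash": [],
    "redhat-lsb-submod-security": [],
}

# Constructed provider map: which concrete package satisfies a virtual one.
# This is the part that changes between repositories, and therefore the part
# a reviewer of the claim has to check on the actual target distribution.
SAMPLE_PROVIDES = {"mta": "exim"}


def dependency_paths(root, deps, provides, watched):
    """Return every chain root -> ... -> watched, breadth-first.

    Each chain is a list of labels; a virtual dependency is shown with the
    package that provides it. A visited set keeps cycles from looping.
    """
    paths = []
    queue = deque([(root, [root])])
    seen = {root}
    while queue:
        pkg, path = queue.popleft()
        for dep in deps.get(pkg, []):
            concrete = provides.get(dep, dep)
            label = dep if concrete == dep else f"{dep} (provided by {concrete})"
            new_path = path + [label]
            if concrete == watched:
                paths.append(new_path)
                continue
            if concrete not in seen:
                seen.add(concrete)
                queue.append((concrete, new_path))
    return paths


def pulls_in(root, deps, provides, watched):
    """True if installing `root` would transitively install `watched`."""
    return bool(dependency_paths(root, deps, provides, watched))


if __name__ == "__main__":
    for chain in dependency_paths("example-stack", SAMPLE_DEPS, SAMPLE_PROVIDES, "exim"):
        print(" -> ".join(chain))
    # Same graph, different repository where "mta" resolves to postfix:
    print(pulls_in("example-stack", SAMPLE_DEPS, {"mta": "postfix"}, "exim"))
```

The second call in the usage block is the point of the exercise: with the same package graph but a repository whose `mta` provider is a different MTA, the chain to exim disappears. Whether a stack "imports exim" is therefore a property of the target distribution's provider choice, not of the stack's own packaging, and that is what a response to the JIRA thread should establish by running the real `rpm -qR` / `apt-cache depends` output through this kind of walk.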