On Wed, Jul 19, 2017 at 08:55:09AM +0200, Florian Tham wrote:
> Same problem here. It seems 51degrees closed-sourced the trie
> algorithm, see
> https://github.com/51Degrees/Device-Detection/blob/master/data/TRIE.txt:
> 
> "The 51Degrees 'trie' algorithm is not open source and is only made
> available through a proprietary license.".
> 
> The github repo history has been rewritten. There are now only 2
> commits in master, "Initial commit" dating from 2017-06-27.

Pffff... Guys, you broke all the stable series *AGAIN*? So let me check,
that also means that branch 3.2.5 documented as being necessary to build
1.6 was removed as well! Good! I prefer to imagine it's a mistake, but
anyway it is totally unprofessional and simply shows how much you care
about your users.

So in the end, haproxy 1.6 and 1.7 users who are relying on your lib
simply cannot upgrade to latest haproxy security fixes simply because
you unilaterally broke your library again, preventing them from building
an updated version!

> Building haproxy with the pattern algorithm still works. I wonder how long :(

I agree, we cannot trust such an external component at all with such a
track record, it's the second time it happens :-(

I just found a fork of the github repo here which I think could possibly
work; it even contains the v3.2.5 branch:

    https://github.com/aerendil/device-detection-nginx-fix

It would be a good idea to clone it before it disappears.

Now if there is no sign of a quick fix for this situation which puts our
users at risk again, I think the only option will be to definitely remove
and blacklist this code from haproxy. It will still piss off all of its
users but they were already betrayed twice. However it will limit the
risk of making new victims.

I can't believe it....

Willy
