I’ll try to say this as respectfully and as kindly as possible. I’m genuinely trying to be helpful.

Seeing these kinds of stories and interacting with the type of people who have them brings to mind an old saying:

“If everyone you meet is an asshole, you’re the asshole”

Note that I’m not saying that’s the case here or insulting you; that’s just the saying.

This story is filled with what seems like (at best) “personality conflicts” and your very dim view of essentially everyone involved in it with the exception of yourself.

It even ends with you essentially calling yourself Superman.

I’m not sure what the point of this is (vent? warning?) but it doesn’t read like a sympathetic and even remotely balanced telling of events, that’s for sure.

It may be worth reflecting on what you may have contributed to this if your goal is reducing the chance of repeats.



It reads like OP has been holding a grudge for a decade or so, and today decided to shit on a project he contributed way back in the past out of sheer entitlement.

I'm not sure if that's the case, but that's what's coming across. Small-minded pettiness.


It depends on whether you have any experience with F/OSS communities. If you don't, then 25 years is irrelevant, so yeah, compressing it into 1 paragraph makes it seem petty.


> It depends on whether you have any experience with F/OSS communities.

It really doesn't. Awful behavior regardless.


You go with that, cowboy.


It’s both. 2.17 was a fraudulent release, the release manager is now Chair of the PMC.

As I tell everyone else: don’t trust their releases.


As of Valentine's Day, what existed in svn's apreq/trunk is kosher, because I’ve personally vetted it.

Nothing else is.


As I tell all my longstanding Apache friends, being involved with the foundation was transformational for me.

But at the same time, F/OSS has transformed into a loss leader for FAANGM monopolies, which coincides neatly with the timeline presented.


2.17 was released in Aug 2022. Here's the changes file: https://httpd.apache.org/apreq/docs/libapreq2/apreq_changes....

Here's the bugtraq event about it: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018191

Does any of this make sense to you? Nobody who looks in the changes file has any idea the last three releases involved CVE issues. Not only are they purposefully obscured, the release itself contains undocumented bogus parser changes that were papered over during candidate voting.


What I would have done differently:

1/ report the Google Fuzz Report to the actual development team, to coordinate and collaborate on a solution.

2/ not take three whacks at a security release just to fix the same vulnerability

3/ not attempt to ship whimsical patches in a security release

4/ not patch the test suite to lie to voters about the viability of a release candidate.

5/ ship a hotfix immediately after users report the bugs on 2.17



