It is common practice to notify affected parties privately and then give full details to the public after the threat is largely neutralized. Expecting public disclosure with technical details on how to perform the attack in less than 24 hours goes against established industry norms.
IMO it’s not a good idea to be discussing attack vectors publicly when a number of other instances are unpatched and the exploit has been in the wild for less than a day.
I agree that admins need to work together, but discussing it in public on Lemmy so soon after the attack isn’t the way. There exists a Matrix channel for admins, that’s where this type of thing should go.
Good point. I should definitely be more comfortable introducing my children to a software suite called “crackpipe”.
🙄
Agreed. As an American, cool concept, rough name. There is no way I’m recommending a software called crackpipe at work.
And let’s say I wanted to use it, I’m going to install this and instruct my kids how to use crackpipe? I’m sure that will go over great with little Timmy’s school when he tells his teacher and friends.
I’d strongly consider changing it.
I’d agree with this take with the caveat that IMO the maintainers could have done a better job. Just like OP should have assumed positive intent and tweaked their communication style, the maintainers should have been clearer with their asks and stop hinting about what they want.