Swoole project exposed by whistleblower as potentially untrustworthy

[compwright]

Yesterday, one of the main Swoole devs blew the whistle on a gaping security flaw that was planned for Swoole v4.8.0. After his concerns were initially unaddressed, he forked the project (Openswoole). In response, the core Swoole team immediately removed the flaw and then booted the whistleblower from the project.

Given that Swoole is controlled by a team of devs based in the PRC, who are demonstrably operating either with at least bad judgement and poor accountability, or at most nefarious intent, I'm asking that you consider taking one of the following actions:

• Add a warning label to the documentation for mezzio/mezzio-swoole, with a link to Swoole's admin interface hot-loads code from a third-party server ? swoole/swoole-src#4434, or
• Abandon and archive mezzio/mezzo-swoole.

Read the discussion above for yourself, and decide whether you are comfortable trusting upstream Swoole, or the Openswoole fork in the foreseeable future.

[Ocramius]

IMO:

• report affected upstream versions as affected (a CVE or an issue on PR to https://github.com/FriendsOfPHP/security-advisories ), so they can be excluded downstream by people using https://github.com/Roave/SecurityAdvisories or https://github.com/fabpot/local-php-security-checker
• change

  mezzio-swoole/composer.json

  Line 31 in 9246537

  "ext-swoole": "^4.5.5",

  to refer to the fork, should it have a different name

From this side, it's not possible to understand if ext-swoole is declared by one or the other extension.

[Ocramius]

Closing here:

• issue is isolated to certain releases (patches to add them to a blocklist welcome, if required)
• it's not fixable here, other than blocking installation, and a forked alternative with equivalent name exists

[cmb69]

issue is isolated to certain releases

That code has never been released. It was only in 4.7.2-dev.

[that-guy-iain]

I think this issue is kinda racist. It literally raises the point that people are Chinese as a factor of why they shouldn't be trusted. While appearing to misrepresent the facts.

In the thread linked there are no disputes over what has been stated. The main maintainer says he proposed to remove the code before the next release. Another maintainer hurled abuse at the main maintainer after he had tried to escalate his privileges without permission or discussion. He was removed from the project while being welcomed back if he wants to go back. This is different from what is originally stated where they refused and booted the maintainer after he publically announced the potential security flaw.

[ipranjal]

I think this issue is kinda racist. It literally raises the point that people are Chinese as a factor of why they shouldn't be trusted. While appearing to misrepresent the facts.

In the thread linked there are no disputes over what has been stated. The main maintainer says he proposed to remove the code before the next release. Another maintainer hurled abuse at the main maintainer after he had tried to escalate his privileges without permission or discussion. He was removed from the project while being welcomed back if he wants to go back. This is different from what is originally stated where they refused and booted the maintainer after he publically announced the potential security flaw.

Who would trust a project that added remote code execution in a commit with 1000's off diff so that It goes unnoticed ? Then kick the person who publicly in a "public commit" took lead role to take down vulnerable version, I would never support Swoole for this behaviour Chinese or not