Etesync removal (at least tell to user to be wary and check it themselves) #731

Closed
BirdInFire opened this issue Mar 17, 2022 · 10 comments
Labels
c:software self-hosted/decentralized software and related topics t:correction content corrections or errors

Comments

@BirdInFire

BirdInFire commented Mar 17, 2022

Description

Etesync isn't updated anymore. I tried to ask them, but they close the issue as fast as possible and restrict any answer from me, and even listing the number of updates they haven't done (which contain high to low security issues) only pushed them to close and say I mislead users (without any proof, of course),

but the fact that their server app and iOS app haven't been updated for more than a year remains, so you mustn't lead users to their fall with an insecure service.

URL of affected page: https://www.privacyguides.org/software/calendar-contacts/

Proof of their intentional lie:
etesync/server@056d685

which corrects what I have reported (there is another security issue, but not in the Django library) and they haven't corrected it.

And on their Git page you can see nearly all repos haven't been updated for months (years in the worst case): https://github.com/etesync

@ph00lt0
Contributor

ph00lt0 commented Mar 17, 2022

Perhaps you didn't read the reply you have gotten: etesync/server#122 (comment)

@BirdInFire
Author

Perhaps you didn't read the reply you have gotten: etesync/server#122 (comment)

Yeah, but why say I mislead users by saying there are vulnerable libraries that aren't updated, and try to shut me up?

Instead of just listing them to update them later?

@BirdInFire
Author

BirdInFire commented Mar 17, 2022

It's not the fact that they don't do it immediately, it's the fact that they say it's not true, update it, and block me from reporting all the security issues I have found.

Edit: because if it's false, why have they updated it after my report?

@ph00lt0
Contributor

ph00lt0 commented Mar 17, 2022

Sometimes things can be vulnerable but in the way that they are used not have any effect. It's better practice to keep things updated, but from what I am reading the developer gives good arguments.

@BirdInFire
Author

Sometimes things can be vulnerable but in the way that they are used not have any effect. It's better practice to keep things updated, but from what I am reading the developer gives good arguments.

True, but again, why say I lie, and block me (without even checking all their library updates, just in case)?
Their reaction isn't normal at all.

@BirdInFire
Author

Sometimes things can be vulnerable but in the way that they are used not have any effect. It's better practice to keep things updated, but from what I am reading the developer gives good arguments.

And for an app that uses crypto libraries that have a shitload of security updates every month, a year without updates isn't normal, and if they say that none of their libraries had updates, I can safely say they lie.

@BirdInFire BirdInFire changed the title from "Etesync removal" to "Etesync removal edit : or at least tell to user to be wary and check it themselves" Mar 17, 2022
@BirdInFire BirdInFire changed the title from "Etesync removal edit : or at least tell to user to be wary and check it themselves" to "Etesync removal (at least tell to user to be wary and check it themselves)" Mar 17, 2022
@BirdInFire
Author

BirdInFire commented Mar 17, 2022

@ph00lt0 But at least add a warning to check, because: not updated = be careful, their strange reaction to my report (update and block), careful x 2.

I do not say "they are breached, uninstall it immediately"; I just say users must be warned that something is strange.

Edit: I wanted to install it, and like always I did a health check (update times and so on). I reported this to be sure it is all secure before using it, and I have the impression you all see me as the bad guy who wants to close them....

Is it strange that a concerned future user wants them to be as secure as possible?

@victor-rds

@ph00lt0 There are more responses on etesync/server#123

While I do agree the lack of updates is concerning, I have reported issues in the past because of new versions of Python, I also think it is valid to report it here, the tone was completely unnecessary, no need to open issues like "Not updated, not secured, nightmare !! update your library !!!!" and " hiding youself behind it's work from decade blabla" in an open-source project. Stop using it and report, no need for drama.

@BirdInFire
Author

BirdInFire commented Mar 17, 2022

@ph00lt0 There are more responses on etesync/server#123

While I do agree the lack of updates is concerning, I have reported issues in the past because of new versions of Python, I also think it is valid to report it here, the tone was completely unnecessary, no need to open issues like "Not updated, not secured, nightmare !! update your library !!!!" and " hiding youself behind it's work from decade blabla" in an open-source project. Stop using it and report, no need for drama.

It's very true, and it was my fault for that, and I would have apologized and modified it myself if they hadn't closed it and, of course, blocked me nearly immediately.

Edit: again, if I reported it, it was to use it myself, but they just ignored and closed it, and when I'm harsher they silently update it... so yeah, I will never use it, and I report it here to at least have a warning (directed to admins who want to self-host, to check themselves).

Edit 2: now I will stop responding on this matter and will just create a module for my own server software (which I do not publish and only use for myself on my own network (for transparency, since some can say I want to take their place); I just wanted to host them, subscribe to release tags and forget, to not recreate the wheel)

@victor-rds

@BirdInFire I do understand both of you in this case. Although the block was too fast for my taste, I do understand that on a bad day I too would block out of rage.

Good luck mate!

@dngray dngray closed this as completed Mar 18, 2022
@dngray dngray added c:software self-hosted/decentralized software and related topics t:correction content corrections or errors labels Mar 22, 2022