Before I even get to the tone of this bug report, I'd like to ask the guy who made it - are you aware you just put many, many users at risk here? Besides making their services unavailable, this might lead to further exploits. There is a way to disclose this sort of stuff. This is not it.
Now, about the tone - be a human first, programmer second. Even though it seems 10gen screwed up big time, everyone makes mistakes. You could inform them of what seems to be a major issue privately and politely, not ridicule them in public. I wouldn't want it done to me and I'm sure neither would you.
As said by Chazal (old timey Jewish scholars):
"Proper behavior precedes the Torah ... and whoever humiliates another, it is as though he killed him"
EDIT:
I'd just like to add that among the companies affected by this disclosure and which are now totally open to attack are Craigslist, Firebase, MTV, SourceForge, Codecademy and others. Here's the full list - http://www.mongodb.org/about/production-deployments/
People building software systems, especially ones that are public-facing or otherwise widely accessible, have a responsibility to not use components that are questionable.
In my opinion, MongoDB is a questionable component.
A few years ago, when it was really hyped beyond belief, I think that anyone with at least some database experience, and who could look at it objectively, was inherently suspicious of MongoDB.
There were, and clearly still are, just too many things that are disconcerting about it. These range from how it rejects much of the proven knowledge and experience gained over the past four decades, right down to the community who embraced it and the people who hyped it the most.
Thankfully, many of us saw this, and we stood against the use of MongoDB and other unsuitable NoSQL "databases" for the projects we work on, or within the organizations we may work for.
While it is unfortunate if others suffer as a result of this bug, I can't help but feel that they should have known better than to use MongoDB in the first place. The unease and skepticism should've been there. Given the numerous other proven and reliable DBs, including free and open source ones, there's really no reason to have used MongoDB, in my mind.
The tone argument is a distraction, but thank you for pointing out the real problem here: this is an irresponsible way to disclose an issue that hurts people whose only mistake was using MongoDB in production.
When you find a bug which amounts to a security vulnerability, you should inform them privately and then make it public after a reasonable amount of time has passed and preferably after it's been fixed. By making it public right from the get-go, anyone who sees this bug report can now attack any system that uses MongoDB. Do you think that's OK?
However, I've written similarly irate messages at 4 or 5am, particularly after spending months working on a product. And this level of coding quality is unacceptable in any product which wants to be large-scale deployed on the internet.
It is beyond unprofessional, it's down right dangerous.
Obviously the guy is not a security researcher so he's probably not aware of proper disclosure protocol but seeing as he's fully aware this bug is exploitable ("Step 8. REALIZE I CAN CRASH 99% OF ALL WEB 3.9 SHIT-TASTIC WEBSCALE MONGO-DEPLOYING SERVICES WITH 16 BYTE POST") doing it this way is really not excusable, no matter how pissed you are.
It's not optimal, but it's certainly allowed/ok, and it's far better than NOT posting that in the bugreport forum.
Proper disclosure takes effort. The product owner can offer bounties to motivate others to make that effort for them. But if you can't/won't spend that effort, then it's still better to publish the bug than not publish it.
I agree proper disclosure takes effort, but even if he were to send them the very same text privately instead of posting it to the bug tracker, it would have been better.
Maybe if it's only about getting some bug fixed as soon as possible. But I'd say communicating the "MongoDB is terrible" part of it to the public is pretty valuable too. Because it's nice to know, and the hype doesn't mention that so much.
I'm sure we can come up with a best way to go about things. I'm not really cool with the "oh Mike" part of it. But I think it's mostly okayish. Certainly a lot more okay than the bug.
There's no place for political correctness when it comes to developing critical software systems.
Databases are such a system. They're expected to attain and maintain an extremely high level of quality and reliability. Those who build them should expect to do everything in their power to avoid flaws, and these people should be more than willing to accept harsh reprisals when issues are found.
When the security and safety of data is at risk, some developer's hurt feelings should be the last thing anyone is concerned about. There are far more pressing problems at hand in such a situation.
In this instance being an asshole required more effort than being "politically correct" (aka acting like you would if you were in front of the person).
You know what, you're right. I shouldn't have used "be a human" there. Haven't thought of it that way.
Even so, I still stand by the message even if the wording was wrong - one should be a human first in the sense that one should be empathetic and strive to be good. And yes, I still stand by the quote from Chazal which, even as an atheist, I appreciate as a part of my cultural heritage. All it's saying is that being a good person is more important than anything (even studying the Torah) and that one should not humiliate others. I think those are important and valid messages.
As for me, I'm someone who's a geek and has been around geeks and/or hackers for ages. And I've read and seen most of the hacker folklore, from the dictionary, to Pirates of Silicon Valley, to blogs to HN.
I also don't like the "all" qualifier you used. That can make any (otherwise totally valid) generalisation appear wrong.
A "stereotype" is not something that necessarily applies to ALL members of a group. It's just something that the statistical majority of some group holds.
(Of course it can also not hold at all. But the hackers I know at least would agree it holds for hackers, especially the more absorbed and technical ones -- e.g. think Torvalds and Wozniak, not DHH or some random startup coder who does some front end work and is otherwise a total hipster).
Besides the obvious point of neither you nor the bug poster being Linus Torvalds, his famous excerpts are generally taken out of context after long arguments, and they're still more socially functional than this infantile bug report.
I guess the tone may be disturbing, but I hope that the MongoDB team will do the right thing and thank the user for the detailed bug report, fix the issue, and don't focus too much on the noisy part of the message. After all he tried to use the system, found an issue after debugging for a long time, and contributed the finding back instead of sharing it only with his friends to crash random servers on the internet.
>I guess the tone may be disturbing, but I hope that the MongoDB team will do the right thing and thank the user for the detailed bug report, fix the issue, and don't focus too much on the noisy part of the message.
Actually, just fixing the bugs after public outrage will not do.
They should focus A LOT on the noisy part of the message.
> They should focus A LOT on the noisy part of the message.
> And feel shame. And then do something about it.
No the MongoDB team should not feel ashamed, the author of this bug report should. This kind of aggressive writing is unprofessional, rude and childish.
People make mistakes, even good engineers do. They should not be yelled at like this even if they screw up badly. Writing software is a team effort, and the users of open source software should be a part of that team and take the collective responsibility of finding, reporting and fixing bugs in an effective and civilized manner.
The tone of this bug report does not help fixing this bug faster or better, but it does make the reporter look like an ass.
Resisting the urge to comment, but suffice to say I disagree entirely. The level of fail on display here is indicative of a total lack of understanding of the basic principles of working in C, with the CPython API, or as a company, any regard for quality control – even still 4 years after a trivially machine-detectable bug was introduced.
They don't even need Coverity, there are numerous cheaper and free static analysers that could have caught this before it left 10gen's offices.
Marketing a database server that crashes with such C-101 style bugs due to the shape of the data being stored is simply beyond.
I disagree that publicizing stupidity like this can do harm – the crash is clean enough that any trivial crash restart loop (e.g. just about any production web server) will catch it. In the meantime the company are much more motivated to provide a fix that I need, that I should never have needed in the first place.
For all the "responsible disclosure" idiocy on this thread, in most cases the crash is not remotely exploitable unless some API directly stores JSON objects provided by a user, and even then, amounts to little more than a slow request – a crash triggering a potentially expensive restart of the failed process. Useful for a DDoS perhaps, but not an immediate national security threat.
We happen to want this functionality since its one of the main "it's just JSON" selling points of Mongo to begin with, we want index visibility for the user data, and we think it's ridiculous that we should have to double-serialize the user data (and write our own indexing) in order to avoid obvious bugs.
I agree that the bug itself has "n00b mistake" written all over it. It should have not been made and should have been noticed in code reviews.
But would you go yell like that at a real person in real life when working at the office? If not, why would it be ok to do it in a bug tracker anonymously?
I can't think of any offense I could do that would make it acceptable to yell at me in an irate manner as in the bug report. I'm really glad I don't work with people who consider this kind of behavior acceptable.
No, the author of this bug report should not feel ashamed, you should. This kind of aggressive knee-jerk reaction is unprofessional, rude and childish.
People make mistakes, even good engineers do. They should not be derided like this even if they lose their temper. Writing software is a team effort, and the users of open source software should be a welcomed part of that team and their feedback taken in an effective and civilized manner.
The prudery of your comment does not help fixing this bug faster or better, but it does make it look like your priorities are severely misplaced.
Requoting that is ridiculous. Allow me to list why:
1. There is nothing for the parent poster to feel ashamed about. Nothing he said is shame worthy.
2. He wasn't aggressive. It wasn't a knee-jerk reaction. It wasn't unprofessional, rude or childish.
3. The author of the bug didn't make a mistake. They submitted a bug report designed to be as brutal and belittling as possible. They didn't just lose their temper in the heat of the moment, they decided to set up a new account under a pseudonym, then blasted the author of the software product.
4. Writing software is indeed a team effort, but as with any team if one party abuses the other the team rapidly becomes less effective.
5. Feedback doesn't have to be abusive. It's a bit rich to say on the one hand feedback can be abusive, but on the other hand that abusive feedback must be then taken in a "civilized manner". Do you not see the contradiction?
6. There's nothing "prudish" about remarking that abusive bug reports don't make the bug get fixed faster or better. To be a prude, you must be excessively concerned about propriety, and there's nothing in the parent's comment that is excessive.
7. The parent's comment was a general comment, and wasn't an attempt to fix the bug. There's nothing misplaced about the poster's priorities. He's here to comment on HN, and that is indeed what he's done.
A little history shows anybody can make any mistake.
You should read about the pseudorandom number generators used ubiquitously in the 1970s and 1980s, for example. Or the Patriot missile bug. The second one cost lives and really, it was kind of obvious.
So: no, impoliteness is useless, unhelpful and a waste of time. Humor is difficult (just pouring out a list of swear words and exclamation marks is not funny).
We all have bad days and Mike is not an exception.
Hence: thanks for the bug report, keep your (meaning the OP's) shit to yourself.
All the noisy part accomplished is to convince me MongoDB's critics are so far off the deep end they should be ignored. I'll be considering MongoDB for my next project.
That is the most contrarian thing I have ever seen anyone post ever. You're going to use a "broken" product just because someone ranted about how broken it is(was)?
That wasn't a rant, it was a childish temper-tantrum.
I may use a product that, like all products in the history of mankind, has flaws, because it has apparently done its job so well that those threatened by its success have been reduced to gibbering idiots.
I think here you appear to be missing the tenor somewhat - I read the post as someone being so astounded by such a trivial and incompetent mistake in a product that touts itself as being anything but that he was reduced to a gibbering wreck.
There are basically two options. Either he's a gibbering idiot, or he's a Reddit troll.
Admittedly, the latter does seem more logical, since he explicitly chose to register under a false name as he clearly knew his report was unacceptable, but I usually choose to assume people are not simply evil, malicious animals.
But if you'd like me to assume he is a Reddit troll, fine. The bug should be closed as presumed invalid and someone who isn't evil should re-file in a manner appropriate to civilized society.
And people hiring should not consider you, and the general public should not take any of your offerings, if you are to base technological decisions to such contrarian and childish ways such as these.
I will join the others saying the same as me: as someone who has been in the situation of debugging something for hours only to find out the cause is someone else's incompetence, I totally find his tone acceptable.
At the same time, MongoDB is a free, OSS solution. While it's true it's marketed way above reality, you both don't have to pay for it (beyond support) and can contribute to it if something doesn't work as you wish it did.
> I will join the others saying the same as me: as someone who has been in the situation of debugging something for hours only to find out the cause is someone else's incompetence, I totally find his tone acceptable.
This tone is not acceptable in a formal bug report. It's fine to pour out your frustration in this tone to your coworkers over a pint of beer, but it is not fine to go and yell it in someone's face in a formal environment.
Everyone has wasted hours and hours in a frustrating debugging spree, we all know that feeling. Get over it and be a professional, report the bug, fix it and shut up.
I personally don't fault the author too much for his tone, because I understand his situation (been there, done that). Something like this is on the verge (and probably over) of being unacceptable. I inherited a project with MongoDB as well, and even though I haven't run into many problems (except for MongoDB 2.0.x (debian wheezy) removing the journal file somewhere during a shutdown but only removing the lock file later, which can and does lead to a race condition and a database that refuses to start up unless you remove the lockfile manually)... I sincerely hold my heart that I don't run into things like this. Luckily Mongo is only used for some kind of persistent object storage for a PHP webapp (the db is all of 10MB...).
The l33sp3@k as well as the [attempt] at humor at 10gen's expense is fine.
Anyone who thinks that publicly attacking an individual at this level is in any way acceptable should work hard at being more empathic. No long hours of working justify this.
>As to the hypocrisy, I consider myself an adult, and did not appreciate you speaking for all of us, so it was meant as a correction, not ridicule.
Well, as an adult you probably have heard of "figures of speech" and "generalisations".
I know some people have a difficulty with the mechanics of casual conversation, but a phrase like "ridiculing others has been fun for adults for several millennia" does not mean it necessarily applies to ALL adults.
They are profiting out of mongodb, they are getting people to invest lots of time, trust, and money in their product.
The author has a strong point that the quality of the development process for mongodb must not be good if a bug like this one gets into production, when it could be avoided using automated tools. This won't be such a fault for a random open source project, but if you are making a business out of it, and you are encouraging others to use it as a key part of their business, it is a great problem.
Agreed. This is one of the unintended results of giving out free stuff in general; no good deed goes unpunished. There are enough bugs in commercial APIs and products that hitting one in something you got for free should be no surprise at all.
I always describe programming as incredibly easy, except for the part when things don't work as they're supposed to work. Very often you eventually find this is outside of your control. You have to be more calm and patient than the bug.
He's not going to win any friends or help acting like a pompous ass who's never made a mistake in his life. Maybe he hasn't because this is his first real project.
Could someone explain what's actually so critical here? The way I understand it is that if you can inject custom json contents into the mongodb data, you can cause the pymongo library to crash. This should not be allowed to begin with though - why would you allow anyone to store custom objects without any checks? I would compare it to a null reference on a badly formatted SQL query - sure, it's a bug, but why did you allow the user to submit an unescaped string to begin with?
As other comments pointed out, it's not that critical per se. It crashes, restarts and then that's it.
Beyond that, it's an undefined pointer dereference - who knows what this could be used for in certain combinations and systems. Use a "not so critical" bug in that subsystem, a "not so critical" mistake over there, another "somewhat severe" error over there and you've got a root shell going. It's simply disconcerting and annoying if you consider that static checkers could have caught it.
It's a NULL pointer dereference, not undefined pointer from what I can see. Unless someone was able to mmap that memory, it should simply cause an instant crash. PyDict_GetItemString() is guaranteed to return NULL for missing fields.
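The question raised earlier in the thread, why anyone would let clients store arbitrary objects without any checks, is the mitigation side of this bug: the crash only matters where user-supplied JSON reaches the driver unfiltered. The following is an added example, not code from pymongo, MongoDB or the bug report, of an allowlist validator that runs on every document before it is handed to the driver. The schema, size limits and sample documents are constructed for illustration; the rule rejecting field names that start with `$` or contain `.` follows MongoDB's reserved-character conventions for operators and paths, and `store_profile` assumes any collection-like object exposing `insert_one(doc)`.

```python
"""Allowlist validation of user-supplied documents before they are stored.

Added example, not code from pymongo or MongoDB. The schema, limits and
sample documents below are constructed for illustration.
"""
from typing import Any, Dict, Tuple, Union

Schema = Dict[str, Union[type, "Schema"]]

# Constructed schema: every key listed here is required; nested dicts describe
# embedded documents. Anything not listed is rejected before it reaches the DB.
PROFILE_SCHEMA: Schema = {
    "username": str,
    "age": int,
    "address": {"city": str, "zip": str},
}

MAX_DEPTH = 4      # refuse deeply nested objects even if the schema allowed them
MAX_KEY_LEN = 64   # refuse absurdly long field names


def _key_problem(key: Any) -> str:
    """Return a reason string if the key itself is not an acceptable field name."""
    if not isinstance(key, str) or not key:
        return "field names must be non-empty strings"
    if len(key) > MAX_KEY_LEN:
        return f"field name too long: {key[:16]!r}..."
    # MongoDB reserves '$'-prefixed names for operators and '.' for paths;
    # a client-supplied key with either is almost never legitimate data.
    if key.startswith("$") or "." in key or "\x00" in key:
        return f"field name not allowed: {key!r}"
    return ""


def validate_document(doc: Any, schema: Schema, depth: int = 0) -> Tuple[bool, str]:
    """Check `doc` against `schema`; returns (ok, reason). Never raises on bad input."""
    if depth > MAX_DEPTH:
        return False, "document nested too deeply"
    if not isinstance(doc, dict):
        return False, f"expected an object at depth {depth}, got {type(doc).__name__}"
    # Pass 1: every key present must be a legal field name and be in the allowlist.
    for key in doc:
        problem = _key_problem(key)
        if problem:
            return False, problem
        if key not in schema:
            return False, f"unexpected field: {key!r}"
    # Pass 2: every schema key must be present with the expected type.
    for key, expected in schema.items():
        if key not in doc:
            return False, f"missing field: {key!r}"
        value = doc[key]
        if isinstance(expected, dict):
            ok, reason = validate_document(value, expected, depth + 1)
            if not ok:
                return False, f"{key}: {reason}"
        else:
            # bool is a subclass of int in Python; treat it as its own type so
            # True does not slip through where an integer is expected.
            if isinstance(value, bool) and expected is not bool:
                return False, f"{key!r}: expected {expected.__name__}, got bool"
            if not isinstance(value, expected):
                return False, f"{key!r}: expected {expected.__name__}, got {type(value).__name__}"
    return True, "ok"


def store_profile(collection, doc: Any) -> bool:
    """Gatekeeper: validate, then hand the document to whatever does the insert.

    `collection` is assumed to be any object with an insert_one(doc) method
    (for example a pymongo Collection, or the in-memory stand-in used below).
    """
    ok, reason = validate_document(doc, PROFILE_SCHEMA)
    if not ok:
        # In a real service this is where the rejection and the client identity
        # get logged; repeated rejections from one client are themselves a signal.
        return False
    collection.insert_one(doc)
    return True


class _MemoryCollection:
    """Constructed stand-in for a database collection, so the example runs offline."""
    def __init__(self):
        self.docs = []

    def insert_one(self, doc):
        self.docs.append(doc)


if __name__ == "__main__":
    col = _MemoryCollection()
    good = {"username": "alice", "age": 30, "address": {"city": "Oslo", "zip": "0150"}}
    bad = dict(good, **{"$where": "1"})   # operator-shaped key smuggled into user data
    print(store_profile(col, good), store_profile(col, bad), len(col.docs))
```

The validator is deliberately a single choke point in front of the driver rather than something the driver does: a driver crash, as in the report above, is the last line of defence, and documents that have a fixed shape should never reach it with unexpected keys, operator-style names or odd types in the first place.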
Let's just shame IF his list of non-pristine commits are marketed to high heavens, deployed worldwide, still exist in a 3+ year old codebase AND are as basic as those.
Before getting religiously high and mighty it might be instructive to run a security scan on the whole of the Internet and see how many SQL injection vulnerabilities exist on the websites of major US companies and small time startups.
The fact that MongoDB has in itself a vulnerability to unchecked input is not great. But consider that if you are dealing with client side browser or server side software, the entire stack is rife with security vulnerabilities because the components themselves right down to TCP/IP are inherently insecure.
Be careful out there, and write nicer bug reports. Use the process. If you were on the other end of that bug report, you would feel differently.
> Before getting religiously high and mighty it might be instructive to run a security scan on the whole of the Internet and see how many SQL injection vulnerabilities exist on the websites of major US companies and small time startups.
Doing that will almost certainly get you thrown behind bars.