I don't think Eris' words were meant to say that Hestia or MyVesta are bulletproof - there can be security holes, bugs or other problems everywhere.
It was probably more about the fact that Vesta - in the current version, including the many exploits - should simply no longer be available. Or if, then at least with a thick information banner. No matter how you want to look at it, the project is dead: Last code change in December respectively October 2020, several, partly critical security holes, some of which were still patched by dpeca, but never released in a new version - although I asked imperio several times for it (https://github.com/serghey-rodin/vesta/issues/2006), the only one who can release new releases (Serghey) seems to have no interest in the project anymore, and so on...
Also, the biggest incidents with Vesta were not even caused by the code, but by hacked infrastructure.
skurudo wrote: ↑Fri Jul 16, 2021 6:23 am
As for security, I can't help but notice that problems can somehow overtake other projects. You also need to be prepared for this too. You can't make steel or bulletproof secure panel too - there will always be someone or some vulnerability that will break something.
The mentioned problems have all been patched in MyVesta as well as Hestia, so you can also get over a statement that Hestia and MyVesta are definitely more secure than Vesta. And as written at the beginning, we will also have exploits and potential security issues - that's for sure and we are not afraid of that, but we try to patch them immediately and also provide clean communication about it.
Maybe it would be really nice if you could either create the mentioned big banner, patch the current exploits respectively provide new packages or pull the plug on the project. You can also find various other vulnerabilities in the history of both forks, which were patched this year, but not transferred by dpeca - just in case you want to secure the remaining Vesta installations.
skurudo wrote: ↑Fri Jul 16, 2021 6:23 am
However, it is also not worth shouting about it at every corner.
Due to the fact that Vesta is insecure and has that amount of exploits, it should be worth protecting everyone using it.
From my side, I have now invested enough time in a dying project. I really liked Vesta, that's also the reason why Hestia exists. The whole Hestia team is grateful to Serghey and all the developers, but now it's time to look forward.
@skurudo Thanks for the discussion!