Readers will have noticed that two maintenance releases of pkgconf were cut over the weekend, 1.9.4 and 1.8.1 respectively, to address CVE-2023-24056, a pkg-config-specific variation of the now-classic “billion laughs attack”. While fixing software defects is important, a lot went wrong with how this CVE was reported and with the motivations behind its disclosure, and for my own catharsis, I want to talk about this.
To hopefully explain why I am so bothered by all of this, let’s first understand the history of pkgconf: a project I began noodling on in March 2011.
2011 was a particularly rough year for me. In January, my father was diagnosed with pancreatic cancer, and declined to disclose this to anyone. When I came back to Oklahoma to visit my parents in early March, I walked into my dad’s house and found him jaundiced. I drove him to the emergency room, and was informed that he only had a few months to live due to the pancreatic cancer he allowed to progress to stage 4. This was shocking to me, especially considering I was 23 at the time. The stress of it led to me breaking up with my boyfriend at the time.
I did the only thing I could do given the situation: spent as much time with him as possible. The hospital had installed Wi-Fi earlier that year, so I was able to take my computer and work on my projects while I spent time with him. This worked out well, because it gave us a common ground of subjects to talk about: my dad was the person who originally pushed me into getting involved with software engineering as a profession in the first place. While he himself never worked as a software engineer, he developed a number of small utilities and demo programs for MS-DOS. Later, he became heavily interested in BSD, and then Slackware.