Agent2 must die die die
Sadly, the subject is not in jest. I appreciate all the incredible effort put into this sub-project. But it was the wrong direction to go in, it was the wrong architecture, it was the wrong language. While I can assume many of its devs have spent years of their life on this project, and I mourn their wasted efforts, I must stand up and say what has been on my mind for 5 years. Hopefully, I'm not too late with this message.
I fully realize that this message will come across as inflammatory and engender a "who the hell is this guy?" sentiment. The fact that I only come around here every 7 years to pass judgement, speaks ill of me for sure. Please be assured, I have this project's interests at heart: I've been a user and fan since v1.2 (of Zabbix, not agent2).
If you don't understand what my complaint is: consider the timing. What else is happening in OSS communities right now? March/April 2024 may be remembered as the month OSS changed forever.
If you still don't understand what my complaint is, I'll give you the hint I discovered from ZA2v3: the project imports untrusted code from untrusted projects without any hint of certification, code-review, or auditing of the upstream dependencies, many of which have their own dependencies. In ca 2018, I saw at least 2 bugs in upstream code that made the code vulnerable. There are 51 named projects on which ZA2 depends, and many of these may have other dependencies. The fact that hashes are used to lock in these versions only means a tagged version cannot be spoofed. Anyone familiar with the recent developments knows such hashes represent the very minimum of safety.
If you still don't understand what my complaint is: then simply heed my advice: do NOT under ANY circumstances use or rely on zabbix-agent2.
Normally, I would ask "what steps have been taken to mitigate...." such and such. But it's sisyphean task: It doesn't matter. The architecture is simply not suitable. Golang is not suitable. A modularized system built in a static language such as Rust, or an improvement over the original Agent's loadable module system is what is needed to address the core issues. I don't claim to have the definitive answer about the right choice, but I can at least be sure about the wrong one.
Also: I recommend anyone who responds here be circumspect in their wording.
I fully realize that this message will come across as inflammatory and engender a "who the hell is this guy?" sentiment. The fact that I only come around here every 7 years to pass judgement, speaks ill of me for sure. Please be assured, I have this project's interests at heart: I've been a user and fan since v1.2 (of Zabbix, not agent2).
If you don't understand what my complaint is: consider the timing. What else is happening in OSS communities right now? March/April 2024 may be remembered as the month OSS changed forever.
If you still don't understand what my complaint is, I'll give you the hint I discovered from ZA2v3: the project imports untrusted code from untrusted projects without any hint of certification, code-review, or auditing of the upstream dependencies, many of which have their own dependencies. In ca 2018, I saw at least 2 bugs in upstream code that made the code vulnerable. There are 51 named projects on which ZA2 depends, and many of these may have other dependencies. The fact that hashes are used to lock in these versions only means a tagged version cannot be spoofed. Anyone familiar with the recent developments knows such hashes represent the very minimum of safety.
If you still don't understand what my complaint is: then simply heed my advice: do NOT under ANY circumstances use or rely on zabbix-agent2.
Normally, I would ask "what steps have been taken to mitigate...." such and such. But it's sisyphean task: It doesn't matter. The architecture is simply not suitable. Golang is not suitable. A modularized system built in a static language such as Rust, or an improvement over the original Agent's loadable module system is what is needed to address the core issues. I don't claim to have the definitive answer about the right choice, but I can at least be sure about the wrong one.
Also: I recommend anyone who responds here be circumspect in their wording.
Comment