• SpacePirate@lemmy.ml
    9 months ago

    From my understanding, the impetus was that F5 submitted a CVE for a vulnerability, for an optional, “beta” feature that can be enabled. Dounin did not think a CVE should be submitted, since he did not consider it to be a “production” feature.

    That said, the vulnerability is in shipping code, regardless of whether it is optional or not, so per industry coding practices, it should either be patched or removed entirely in order to resolve the issue.

  • adr1an@programming.dev
    9 months ago

    This conflict is positive. Many other reverse proxy software wouldn’t be as “transparent” and the safety would then be a false pretense.