No, I didn’t comment on that at all.
Generally, I am wondering if how a vulnerability affects the threat model can be better understood and documented. Thereby I was attempting here to classify this issue.
Generally, the approach "some vulnerability -> stay away from that application"
would be a fallacy. But I think that is the take-away message that many users would take from this.
For example,
- sha-2 is vulnerable to a length extension attack, but at the time of writing I couldn't find any hash collision. For example, Bitcoin uses sha-2, but I haven't found any claims that it gets any less secure because of any sha-2 length extension attack, i.e. that because of it anyone could generate any Bitcoin without mining them as intended.
- sha-2 has some vulnerability → Bitcoin uses sha-2 → therefore Bitcoin is also vulnerable would be a wrong conclusion.
- this flatpak security discussion: FlatPak as a Software Source / flathub as a source of software - #23 by Patrick