Qt has corporate roots. Responsible Disclosure has been in place since the Trolltech days. Corporations tend to prefer Responsible Disclosure because it pleases their commercial customers. Commercial entities like to keep their end users in the dark because vulnerabilities reflect poorly on the company and affect their bottom line.
Qt is no longer backed by a single company. Digia owns the copyright and commercial licensing rights, but the Qt Project is where the bulk of the work is done. It is a collaborative open governance project run by the community. The Qt Project is not a commercial entity, so it has no obligations to Digia's commercial customers. That being said, Responsible Disclosure is leftover cruft from the pre-Open-Governance days. The Qt Project has yet to decide on a security policy. So for the sake of argument, let's say it has none.

We should then compare the pros and cons of Responsible vs. Full Disclosure [0]. As yet, no logically sound arguments (that haven't been rebutted by yours truly) have been presented in favor of Responsible Disclosure. Lots of opinions have been presented, but opinions have very little weight against logic. The only exception to the "no arguments" is script kiddies, but script kiddies are nothing compared to crackers. Responsible Disclosure both extends the window of opportunity for crackers and also increases the vulnerability's overall exposure... leading to more crackers finding and exploiting it before public disclosure. The following row from the above chart ___MUST___ be justified if we are to choose Responsible Disclosure: http://s15.postimage.org/m97mrynzv/The_Flaw_In_Responsible_Disclosure.png [also attached]. It would be irresponsible for Lars Knoll to rule on the issue without first justifying that row in the chart.

I am a citizen/_user_ of this open governance project. I am (we are) the sole justification for the project's existence. "Users are community members who have a need for the Project. They are the most important members of the community and without them the Project would have no purpose" [1]. The individual is more important than the corporation, because "corporations are greedy psychopaths" [2]. If you disagree then there might be a political office waiting for you in America (I'm trying with all my might to suppress the insults right here).

Does Lars Knoll have a conflict of interest, being an employee at Digia and the Chief Maintainer of the Qt Project? Turunen Tuukka, do you care to comment? I know you're probably in favor of Responsible Disclosure... but is Lars Knoll free to choose what's best for the community? Or will he be fired for insubordination? If so, Turunen Tuukka is really the Chief Maintainer. He bought his way into the position when Digia acquired Qt.

I really hope we choose Full Disclosure as our security model, as it gives the _users_ the best opportunity to protect both themselves and their end users.

d3fault

[0] - http://lists.qt-project.org/pipermail/development/2012-October/007506.html
[1] - http://qt-project.org/wiki/The_Qt_Governance_Model
[2] - http://stallman.org/archives/2011-jan-apr.html
<<attachment: The.Flaw.In.Responsible.Disclosure.png>>
_______________________________________________
Development mailing list
Development@qt-project.org
http://lists.qt-project.org/mailman/listinfo/development