Let's close this topic. It's not always the one who shouts loudest that wins an
argument.
We have a closed security mailing list, and I want to keep it that way. That
seems to also be in agreement with the majority of the maintainers who have
been dealing with this topic.
The members of the se
On 10/24/12, Samuel Rødal wrote:
>
> As far as I see it all the options have vulnerabilities, so it shouldn't
> be hard to prove that they exist within either approach.
>
Yep. Close one giant security-through-obscurity vulnerability, open
the door for script kiddies. It's a trade off, but at leas
On 10/24/2012 11:30 AM, d3fault wrote:
> On 10/24/12, Samuel Rødal wrote:
>> Lars and Charles both provided good lists of reasons in another part of
>> this thread for going with the policy of Responsible Disclosure. Clearly
>> you disagree on the weighting of the pros and cons, but it doesn't see
Please disregard Zeno's personal attacks towards me and his request that
the subject die and we all move on. His type of email is exactly what I
describe two emails back. Waste (so is this one, except to keep the subject
alive).
"If you can't say something relevant [to the argument], don't say not
On Wed, Oct 24, 2012 at 11:55 AM, d3fault wrote:
> tl;dr:
>
> How is my keeping up the good work earning trust? Do you guys really
> not see the gaping hole in that logic?
>
I do certainly have a problem trusting people that show that much interest
in getting access to all vulnerabilities as you d
tl;dr:
> d3fault if you keep up the good work you can join the security team
> the security team is for trustworthy individuals
> d3fault, we don't trust you
How is my keeping up the good work earning trust? Do you guys really
not see the gaping hole in that logic?
d3fault
On 10/24/12, Samuel Rødal wrote:
> Lars and Charles both provided good lists of reasons in another part of
> this thread for going with the policy of Responsible Disclosure. Clearly
> you disagree on the weighting of the pros and cons, but it doesn't seem
> like you're able to convince anyone else
On 10/24/2012 01:12 AM, d3fault wrote:
> On 10/23/12, Lincoln Ramsay wrote:
>> We're not renaming things or creating new lists just to match the
>> names you think we should have.
>>
>
> *sigh*, I had a feeling someone would say something like that.
>
> The changes are trivial at a glance, yes
On 10/23/12, Lincoln Ramsay wrote:
> We're not renaming things or creating new lists just to match the
> names you think we should have.
>
*sigh*, I had a feeling someone would say something like that.
The changes are trivial at a glance, yes
...but what the Qt Project officially endorses/re
On 24/10/12 07:01, d3fault wrote:
> If you discover a vulnerability, please report it to
> secur...@qt-project.org and we'll take care of the rest. You can of
> course join in on the discussion and suggest fixes etc, as Qt is a
> COLLABORATIVE PROJECT.
>
> If you think the vulnerability would cause
On 10/23/12, Donald Carr wrote:
> life is clearly not a popularity contest for d3fault.
rofl thank you for that compliment. better than Charley telling me I'm
smart repeatedly -_-
I agree completely!!! It's just that the
recommended/officially-endorsed way of reporting security
vulnerabilities
Harg; like so many things, this can be a meritocratic system. That is
to say, if you discover the vulnerability, or simply learn about it,
there is either a public channel (dev mailing list) or a non-public
mailing list. It is at the discretion of the person reporting this
kind of bug which channel
On 10/23/12, d3fault wrote:
> You're like the priests in the early days hiding information (the
> ability to read and write) and trying to convince us it's for our own
> good. Time will tell who is right. su time; echo "d3fault is right";
> exit;
>
That analogy fits better than I first realized.
> You haven't earned the trust of the people in charge.
>
> The current security team members have earned the trust of the people in
> charge.
>
> No contradictions there.
Why do they need to trust me?
Because the information is dangerous.
By admitting that the information is dangerous, they are
On 23/10/12 15:10, d3fault wrote:
> Also please tell me why I can't join the Qt Security Team without
> contradicting yourselves.
You haven't earned the trust of the people in charge.
The current security team members have earned the trust of the people in
charge.
No contradictions there.
--
May I have a list of the core security team members who I am forced to
entrust the security of my operations unto, so that I may hire private
detectives to do background checks on them (and also sneak into their homes
while they're away to perform a security analysis on their machines)? Thanks
Als
On Oct 21, 2012 8:24 PM, "Joseph Crowell" wrote:
> You propose that since zero day happens no matter what, we conveniently
> make a zero day site ourselves so that the script kiddies don't have to do
> it themselves.
>>
did you mean to respond only to me?
Which do you fear more?
-A script kiddie wit
>
> http://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
>
Interesting article, but it tells us nothing. They merely talk about
Full vs. Responsible Disclosure, and they admit that it's an ongoing
debate. The overall conclusion after 12 pages in the article: "the
disclosure of
On Fri, Oct 19, 2012 at 11:19:40AM -0700, d3fault wrote:
> Mathematical Truth:
>
> It is better:
> To be vulnerable and know it (so you can shut down your machine or
> unplug dat ethernet cable).
most secure == always off. But that is probably not practical. But then
again security is not a state
On Oct 20, 2012, at 5:18 AM, d3fault wrote:
> On Fri, Oct 19, 2012 at 3:37 PM, Knoll Lars wrote:
>> This is just wrong, and I'm getting tired of your ramblings on this mailing
>> list. Just because you send something to the ML and people get tired of
>> answering you doesn't mean your proposa
Wow. I don't usually "rubber-neck" as I drive by car-crashes, but I
must say, this has been one of the more fascinating email chains.
Not because of content; but rather, because in my introverted
"I'm-so-lonely!" world, observing humans-being-human has recently
become fascinating to me.
I had to
On Fri, Oct 19, 2012 at 3:37 PM, Knoll Lars wrote:
> This is just wrong, and I'm getting tired of your ramblings on this mailing
> list. Just because you send something to the ML and people get tired of
> answering you doesn't mean your proposal is accepted.
>
I was writing that tongue in cheek
On Oct 19, 2012, at 4:59 PM, d3fault wrote:
> I proposed it, therefore if nobody disagrees, I get consensus and the
> decision goes into effect. I'll quote myself in an earlier post to
> actually give this thread some substance:
This is just wrong, and I'm getting tired of your ramblings on thi
Mathematical Truth:
It is better:
To be vulnerable and know it (so you can shut down your machine or
unplug dat ethernet cable).
Than:
To be vulnerable and not know it (especially when there's a growing
number of others that do).
d3fault
On Fri, Oct 19, 2012 at 9:48 AM, Alexis Menard wrote:
> First you should allow more than a day for people to answer.
>
Waited 11 days in the other thread...
> Secondly I disagree with your statement and using the same link
> (Debian) you sent let me quote something else :
>
> "A: Once the security
On 19 October 2012 17:48, Alexis Menard wrote:
>
> Hi,
>
> First you should allow more than a day for people to answer.
>
> Secondly I disagree with your statement and using the same link
> (Debian) you sent let me quote something else :
And to add a proper reference other than the FAQ, the Debian
On Fri, Oct 19, 2012 at 11:59 AM, d3fault wrote:
> I proposed it, therefore if nobody disagrees, I get consensus and the
> decision goes into effect. I'll quote myself in an earlier post to
> actually give this thread some substance:
Hi,
First you should allow more than a day for people to answer.
I proposed it, therefore if nobody disagrees, I get consensus and the
decision goes into effect. I'll quote myself in an earlier post to
actually give this thread some substance:
On Thu, Oct 18, 2012 at 3:40 PM, d3fault wrote:
> tl;dr:
> Open Project
> Closed Security
>
> The officially endorsed