On 10/20/2012 2:04 AM, d3fault wrote:
> Are you willing to put the security of your operations in the hands of
> all the wives and children who might have access to their dad's
> computer (he being a member of that trusted network of analysts)?
> Humans can be bought/persuaded/compromised/etc with
Are you willing to put the security of your operations in the hands of
all the wives and children who might have access to their dad's
computer (he being a member of that trusted network of analysts)?
Humans can be bought/persuaded/compromised/etc with ease.
l2security
d3fault
___
On Fri, Oct 19, 2012 at 8:27 AM, Oswald Buddenhagen
wrote:
> google "responsible disclosure"
No need, and that's hardly an argument. What if I said: google "full
disclosure" as my counter-argument?
So anyways I'll bite, even though we've already been over this.
Responsible disclosure is very si
On 19.10.2012, at 16:55, d3fault wrote:
> On Fri, Oct 19, 2012 at 1:08 AM, André Somers wrote:
>> You may not agree with the decision
>> taken, but the grown-up thing to do is to accept that and move on.
>
> Tell that to the Jews who were forced to go to the Holocaust.
Now that this thread has
On Fri, Oct 19, 2012 at 07:55:52AM -0700, d3fault wrote:
> Anybody want to respond telling me why they think full disclosure is
> worse than behind closed doors security?
>
google "responsible disclosure"
___
Development mailing list
Development@qt-proje
On Fri, Oct 19, 2012 at 1:08 AM, André Somers wrote:
> You may not agree with the decision
> taken, but the grown-up thing to do is to accept that and move on.
Tell that to the Jews who were forced to go to the Holocaust.
> Please focus your energy on more productive ventures.
...so you're saying
On 19-10-2012 3:50, slfj sfjie wrote:
Also, the guy didn't even disagree with me. He pretty much reiterated
the first post and said absolutely nothing. You disagreed with me for
a little bit (CVE/Mitre), but getting around those problems is trivial
by setting up a security-priv...@qt-proje
>
> tl;dr:
> Open Project
> Closed Security
>
> The officially endorsed method for reporting security issues for Qt is
> to send them to security at qt-project.org , which is a private mailing
> list. I have a problem with that.
>
> "Experience has shown that 'security through obscurity' does not w
Whoops that third one was a typo, should have read "I am" instead of "Am I".
I am clearly not being listened to :-P (and I should have used a
pseudonym to trick your inferior brain(s)). You should not associate
an argument with the person presenting it (even though most do). It is
fallacious.
So c
On Thursday, 18 October 2012 12.11.32, d3fault wrote:
> Bump.
>
> What's going on with this important issue?
>
> -Am I being ignored (in which case, I should have used a pseudonym to
> present my argument)?
More or less. Most of the time, I read your emails, but I do not take your
opi
tl;dr:
Open Project
Closed Security
The officially endorsed method for reporting security issues for Qt is
to send them to secur...@qt-project.org , which is a private mailing
list. I have a problem with that.
"Experience has shown that 'security through obscurity' does not work.
Public disclosur
Bump.
What's going on with this important issue?
-Am I being ignored (in which case, I should have used a pseudonym to
present my argument)?
-Has discussion halted because of a lack of consensus (in which case,
I present to you the following image: http://bayimg.com/eAEhDAaEE )?
-Am I being liste
On Wednesday, 10 October 2012 16.06.43, Richard Moore wrote:
> It was discussed with the Gerrit people, there's a response from them
> in the comments where they discuss how they handle the same issue for
> security holes in gerrit itself. Short version is that they have a
> second private
I suggest git-send-email to the security list.
I've used email (git-send-email) based patch review in low traffic projects and
found it to work really really well.
Simon
--
Sent from my Nokia N9
09.10.12 18:59 Richard Moore wrote:
On 9 October 2012 09:21, Marc Mutz wrote:
> Hi Rich,
>
> Thanks
On 10 October 2012 14:02, Konstantin Tokarev wrote:
>
>
> 09.10.2012, 20:59, "Richard Moore":
>> On 9 October 2012 09:21, Marc Mutz wrote:
>>
>>> Hi Rich,
>>>
>>> Thanks for taking the time to write this up. I have but one question:
>>>
>>> On Monday October 8 2012, Richard Moore wrote:
09.10.2012, 20:59, "Richard Moore":
> On 9 October 2012 09:21, Marc Mutz wrote:
>
>> Hi Rich,
>>
>> Thanks for taking the time to write this up. I have but one question:
>>
>> On Monday October 8 2012, Richard Moore wrote:
>>> * Where possible packagers should be informed directly of which
On 10 Oct 2012, at 13:25, d3fault wrote:
> On Wed, Oct 10, 2012 at 2:34 AM, Ziller Eike wrote:
>>> -CVE/CERT aka private/exclusive notifications go to some email address
>>> that only core security team has access to:
>>> security-priv...@qt-project.org or something
>>
>> in the proposal that
On Wed, Oct 10, 2012 at 2:34 AM, Ziller Eike wrote:
>> -CVE/CERT aka private/exclusive notifications go to some email address
>> that only core security team has access to:
>> security-priv...@qt-project.org or something
>
> in the proposal that is secur...@qt-project.org
>
Yes, but it is a priva
On 10 Oct 2012, at 11:18, d3fault wrote:
> Oh right this is where I'm supposed to disagree or object or
> something... See:
> http://lists.qt-project.org/pipermail/development/2012-October/006892.html
>
> tl;dr: I object on the grounds that behind closed doors security is
> not only a waste of
Oh right this is where I'm supposed to disagree or object or
something... See:
http://lists.qt-project.org/pipermail/development/2012-October/006892.html
tl;dr: I object on the grounds that behind closed doors security is
not only a waste of time, it also hurts Qt _users_.
Do This:
-CVE/CERT ak
On 9 October 2012 08:58, Ziller Eike wrote:
>
> On 9 Oct 2012, at 01:07, Giuseppe D'Angelo wrote:
>
>> Hi Richard,
>>
>> many thanks for the insightful mail.
>>
>> On 8 October 2012 22:49, Richard Moore wrote:
>>
>> […]
>
>>> == What Happens When an Issue is Reported? ==
>>>
>>> * security@ shou
On 9 October 2012 09:21, Marc Mutz wrote:
> Hi Rich,
>
> Thanks for taking the time to write this up. I have but one question:
>
> On Monday October 8 2012, Richard Moore wrote:
>> * Where possible packagers should be informed directly of which SHA1s they
>> should cherry pick in order to get
On 10/09/2012 01:07 AM, Giuseppe D'Angelo wrote:
> (...)
>> * Security issues should not be reported via the normal
>> bugreports.qt-project.org tracker, but should instead be sent to
>> security at qt-project.org.
>
> This requires advertising such address properly, on the main
> qt-proj
Hi Rich,
Thanks for taking the time to write this up. I have but one question:
On Monday October 8 2012, Richard Moore wrote:
> * Where possible packagers should be informed directly of which SHA1s they
> should cherry pick in order to get a security fix.
What process do you recommend to pre
Hi Rich,
thanks for putting this together. I like the proposal. It's lightweight, but
will IMO cover our needs.
On Oct 9, 2012, at 1:07 AM, Giuseppe D'Angelo wrote:
> Hi Richard,
>
> many thanks for the insightful mail.
>
> On 8 October 2012 22:49, Richard Moore wrote:
>
>> = Proposed Secu
On 9 Oct 2012, at 01:07, Giuseppe D'Angelo wrote:
> Hi Richard,
>
> many thanks for the insightful mail.
>
> On 8 October 2012 22:49, Richard Moore wrote:
>
> […]
>> == What Happens When an Issue is Reported? ==
>>
>> * security@ should be sent to a 'core security' team of developers who n
Hi Richard,
many thanks for the insightful mail.
On 8 October 2012 22:49, Richard Moore wrote:
> = Proposed Security Policy =
>
> == Reporting Security Issues ==
>
> * Security issues should not be reported via the normal
> bugreports.qt-project.org tracker, but should instead be sent to
>
I'm including the text inline since I've had a request for that.
Rich.
= Current State =
== How did we do during the recent CRIME attack? ==
* We provided a fix.
* security at qt-project.org was shown to be non-functional (no reply, no
action).
* We were initially unable to send an ema
Over the last few weeks, I've been working on a proposal for a
security policy for the Qt Project. I've drawn on the Django security
policy, my own experience, previous Qt security announcements and
feedback from the initial reviewers. I think we now have something
that is worth having a wider revi