Ben Reser wrote:
> On Tue, Feb 11, 2003 at 12:06:13PM +0200, Buchan Milne wrote:
> 
>>It may also be that they are not totally able to be totally open and
>>forthright. I would request that you consider carefully before damaging
>>your relationship with the people here in favour of attempting to force
>>Mandrakesoft to release information they need not disclose to the public.
> 
> 
> Mandrakesoft as a publicly traded company owes its shareholders the
> truth.  As an open source company it owes its contributors the truth,
> even if it isn't required to give it.

Surely it's up to the shareholders to decide what information needs to
be *publicly* (by which I mean accessible to people who are not
shareholders) accessible. Publishing such information could artificially
deflate stock prices, which is not in the shareholders' interest.

>>That works both ways. Please make absolutely clear (on your site) that
>>you don't represent other non-Mandrakesoft contributors (which many
>>people, possibly including the Debian folk who posted here, may have
>>assumed) unless you do, and list those who feel you represent them.
> 
> 
> I never ever said I spoke for anyone else.  Though from the emails I
> receive I happen to know there are other people who agree with me.  But
> it's not my place to speak for them.  They are free to speak for
> themselves.  Posting a rant to my personal website couldn't be more
> clear that it's just my opinion.  I really can't control what
> assumptions people make outside what I say.
> 

You can, by preventing them. How would people say something like "the
Mandrake community led by Ben Reser is considering forking the Mandrake"
if you stated on your page that you don't claim to represent anyone but
yourself? Sure, you don't have to do this, but in light of what your
current rant has done, it would be responsible.

> 
>>BTW, you may want to update your rant, since some of your statements are
>>no longer true:
> 
> In progress.  But I'm not going to be editing the previous one.

As long as you try and ensure that anyone who had read it would not
continue to be misinformed (such as post a link to "corrections" or
ensure it is addressed in your next rant).

> Which begs the question... why are they still offering to sell security
> updates at $5/month if you can download them for free?  
> http://www.mandrakesoft.com/products/mnf/pricing

Maybe because they think people are willing to pay? Why does Sun sell
StarOffice, when there are almost no differences between it and
OpenOffice.org?

> 
> My understanding from my conversation with Vincent is that you can't
> update via the web interface in MNF unless you pay the $5.  So far I
> haven't even bothered to burn the ISO for MNF.  Partly because Mandrake
> hasn't responded to the potential issues I raised questions about.
> 
> So for most people as far as they know the updates aren't available for
> free.

For *most* people you could say Mandrake isn't free at all, they have to
either buy it, or (horror!!!) search for it on ftp mirrors and such.
Just like the updates ...

Really, you can't then compare Mandrake to ISC as you did in your rant.

>  
> 
>>Also, on the matter of signing ISOs, you don't provide any suggestions
>>as to how to accomplish this easily enough that users (that currently
>>have trouble verifying the md5sums) would be able to verify.
> 
> 
> Easy?  How hard is it to type:
> md5sum -c whatever.md5
> or
> gpg --verify whatever.asc

ftp://mandrake.redbox.cz/Mandrake-iso/i586/md5sums.9.1beta3.asc

But you list issues with possible compromising md5sums, and provide no
solution. Also, what key are we checking the sig with? The one from the
ISO? If you got it with gpg, what's to say the gpg package on the
trojaned ISO wasn't trojaned to not import Mandrake keys but a
compiled-in key?

I think the current signed md5sums are fine, but you claim problems with
it, and fail to provide any solutions.

> 
> Simply provide a readme with the ISOs that explains how to burn them and
> also how to verify that they are legit.  
> 

Sure. Mail a patch to Warly (as others have done on other issues).

> However, I've already had this battle about the ISOs off this list.  The
> powers that be felt that signing the md5sums was the proper thing to
> do.
>  

You have a better solution?

> 
>>It would of course probably be more constructive to post each of your
>>issues on this list rather than publish your rants on your webpage.
> 
> 
> Everything in that rant had been broached either on this list or to
> other employees directly who were responsible for the item.
> 
> E.G. (Also note that while you can't see this Jacques and Gael were
> both CC'ed on that post, which has had *ZERO* response from employees)
> http://marc.theaimsgroup.com/?l=mandrake-cooker&m=104019331408412&w=2
> 
> The issues with my stock had been emailed back and forth with Jacques...
> basically I got the run around on that until shortly after the article
> was published.
> 
> I took the issues of signing the ISOs up with Vincent Danen, who
> agreed but other people disagreed and did something different.
> 
> So basically, things that I thought were appropriate for this list have
> already been brought up here.  If not they were brought up with the
> appropriate employees.  
> 
> I'd much rather have things handled than have to post a "rant" about
> them.
> 

But we know that getting some things accomplished here requires
persistence. Like getting an account with rights to upload to contrib.
Like getting a patch in. I don't see why the issues had to be made
public (except the stock issue, which is not a development or security
issue), when they belong on the lists IMHO.

Buchan

-- 
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
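
The question raised in the message above, which key the signed md5sums are checked with, is the one a verification script has to answer. The following is an added example, not part of the original message or any Mandrake tooling: it accepts a clearsigned manifest only when the signer matches a fingerprint pinned out-of-band, then checks the image against the signed payload. The fingerprint value and the script and file names are placeholders, and GnuPG 2.x status output is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. PINNED_FPR is a placeholder: substitute
# the vendor key fingerprint obtained out-of-band, never one read from the
# download being checked.
PINNED_FPR="0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"

# Strip whitespace and upper-case so printed and machine forms compare equal.
norm_fpr() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }

# Read gpg --status-fd output on stdin; print the primary-key fingerprint from
# the VALIDSIG line (its last field in GnuPG 2.x), or nothing if absent.
validsig_fpr() { awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'; }

# verify_manifest <clearsigned.asc> <pinned-fpr> <out-file>
# Writes only the signed payload to <out-file>; succeeds only when the
# signature is valid AND made by the pinned key. Text outside the armor in the
# .asc file is unsigned, so later checks must use <out-file>, not the .asc.
verify_manifest() {
    status=$(gpg --batch --yes --status-fd 3 --output "$3" --decrypt "$1" \
                 3>&1 >/dev/null 2>&1) || return 1
    signer=$(printf '%s\n' "$status" | validsig_fpr)
    [ -n "$signer" ] && [ "$(norm_fpr "$signer")" = "$(norm_fpr "$2")" ]
}

# check_iso <verified-manifest> <iso-path>
# Checks one image against its line in the verified manifest; fails when the
# image is not listed or the digest differs. md5sum is used because the thread
# discusses md5sums; MD5 is no longer collision-resistant.
check_iso() {
    name=$(basename "$2")
    line=$(awk -v f="$name" '$2 == f || $2 == "*" f' "$1")
    [ -n "$line" ] || return 1
    ( cd "$(dirname "$2")" && printf '%s\n' "$line" | md5sum -c - >/dev/null 2>&1 )
}

# Usage: sh verify-iso.sh md5sums.asc image.iso
if [ "$#" -eq 2 ]; then
    sums=$(mktemp) || exit 1
    if verify_manifest "$1" "$PINNED_FPR" "$sums" && check_iso "$sums" "$2"; then
        echo "OK: $2 matches a manifest signed by the pinned key"; rc=0
    else
        echo "FAIL: signature, signer or checksum did not verify" >&2; rc=1
    fi
    rm -f "$sums"; exit "$rc"
fi
```

A key imported from the same ISO or mirror as the manifest satisfies `gpg --verify` without proving anything, which is why the comparison is against a fingerprint held separately.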

