On Sat, Apr 14, 2018 at 8:58 AM Peter Gutmann via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> writes:
>
> >It's like a fire drill where the mayor "pretends" that an old school building
> >is on fire, and the firemen then proceed to evacuate the building and douse
> >it in enough water to put out a real fire.
>
> Well, not quite: It's like a fire drill where the mayor "pretends" that an old
> school building is on fire, and the firemen then look at the burning building
> and say "that's all burning according to the baseline requirements, everything
> appears to be in order" and leave again. In the meantime the building burns
> to the ground.

Well, not quite. It’s like when someone complains when a hammer makes a lousy screwdriver, acting aghast that a hardware shop would threaten their bottom line by selling hammers, despite being told repeatedly that hammers are lousy screwdrivers and would not be useful for screwing screws in.

Then a passerby comes along talking about how hammers are broken by design, because they can’t be used to screw in screws, blissfully ignoring how much can be built with nails, and how effective hammers are for that.

In the meantime, people who understand hammers are for nails are happily building structures that everyone can use, while random passersby continue to insist from the sidelines that hammers work better as screwdrivers, but don’t actually pitch in to help out (and to realize what lousy screwdrivers they make).

Admittedly, it doesn’t help that some hammer manufacturers have tried to promote themselves as the world’s best screwdriver, or suggesting that you can’t screw something in without also having a hammer, but those sorts of selfishly ignorant manufacturers should be rightfully derided, not heralded as visionaries by the “hammers-are-screwdrivers” crowd.

Hopefully we can agree anecdotes and metaphors aren’t productive techniques now :-)