Wow. I don't usually "rubber-neck" as I drive by car-crashes, but I must say, this has been one of the more fascinating email chains.
Not because of content; but rather, because in my introverted "I'm-so-lonely!" world, observing humans-being-human has recently become fascinating to me. I had to LMAO when "Godwin's law" got invoked so fast. Must be a record.

My summary (for those that don't want to read further): You're a smart guy, but you're hurting those you're trying to help. Your message is lost because it is so loud that no one can hear it. I personally would be sorry to see you go, but I understand that such a departure can be a positive healing experience for both you and the Qt community.

Since your email announces your departure, I'm responding. I'm not trying to feed-a-troll, and you must admit that you qualify. However, I have specific observations related to the discussion: technical, governance-oriented, and psycho-social. The casual reader will want to stop reading now.

On Fri, Oct 19, 2012 at 9:18 PM, d3fault <[email protected]> wrote:
> On Fri, Oct 19, 2012 at 3:37 PM, Knoll Lars <[email protected]> wrote:
>> This is just wrong, and I'm getting tired of your ramblings on this mailing
>> list. Just because you send something to the ML and people get tired of
>> answering you doesn't mean your proposal is accepted.
>>
> I was writing that tongue in cheek and mocking Thiago. Sarcasm
> You.

Ouch. There you're just being mean, as the relational expression does not expand upon your defense/justification. It's really hard to discuss (an implication of an ideas-exchange-back-and-forth) if the sides do not respect each other (there's no point to discussion in that case). That's where we are now. You're frustrated, trying to reverse a lack-of-good-faith (as perceived by at least one side) with further evidence of lack-of-good-faith.

My impression of you: You're really smart with significant Qt use-history. I've watched you in many threads on this list, and it's clear you know a lot, and you've made helpful comments/responses on questions including quite technical aspects of Qt internals. I don't agree with you on some "project-direction-issues" like QWidget/QML, but see the chance for common-ground with some reasonable concessions (e.g., an eventual all-C++-API). However, my summary report would have to be:

15% -- Devil's advocate arguing
30% -- Constructive answers/discussions-to-technical-questions
55% -- Bomb-throwing

>> We have a fully worked out proposal by Rich on the table that many people
>> agreed with, and we'll stick with it for now.
>>
> His proposal is alright, with the exception of handling incoming
> vulnerabilities. He didn't even discuss the subject, so what do you
> even mean sticking with it?

Lars, in his role of Chief Maintainer, is trying to conclude a topic after extensive discussion. His job is significant only in those cases where consensus cannot be reached, but a decision is required. This topic appears to warrant that intervention, so Lars is legitimately exercising his duty.

Your concession is interesting: "His proposal is alright, with the exception of handling incoming vulnerabilities." That was not previously clear to me in the discussion (I may have missed that, there was lots of exciting talk to obscure the point), but this statement is quite clear and constructive. We can focus on the single topic of disagreement (incoming vulnerabilities).

ISSUE: Identified vulnerabilities could go to a "public-security-list" or "closed-security-list".

PRECEDENT: Significant (large) community (open-governance) projects have done either; examples in this thread include Linux Distros using "closed-security-lists", as was tentatively-agreed as the direction within the Qt-community (so that decision can't be crazy-stupid with such precedent).

TRADE-OFF:
(a) a "public-security-list" invites "script-kiddies" to cause mischief without working hard, as exploits are publicly-announced/available before fixes
(b) a "closed-security-list" is a "layer" requiring mischief-makers to work-a-little-harder to get into the list, and maintain a presence; the benefit is that they may have strategic access to exploits between the announcement-on-the-closed-list and public-disclosure (at which point there would be a "fix").

COMMUNITY CONCERNS: There's a lot in this section, and this is your main argument. However, I'll put forth a few.

(a1) Interruptions/noise is higher with "public" (v. "closed"): As an administrator/user, announcement of a security issue without a fix is likely not-actionable, or the "shut-my-stuff-down" action is a costly "over-response". I must await a second announcement, and the first announcement is "noise" to which I cannot respond, but against which I am now liable (e.g., you've added to my noise, and to my liability, without a benefit).

(a2) Risk/exploits are higher with "public" (v. "closed"): The script kiddies are invited to cause mischief with publicly-announced exploits without available fixes.

(a3) Developer/Technical response is "harder/riskier" with "public" (v. "closed"): Technical discussion about partial-fixes, fix-options, and issues-with-proposed fixes are harder to make in a public forum, as all information would provide the mischief-makers with more ammunition to cause more mischief.

(a4) Noise is higher on "public" (v. "closed") lists, decreasing efficiency and effectiveness. The qualified contributors must spend time responding-to and defending-against questions, comments, concerns (etc.) from people that do not fully understand the topic, because no "vetting" process exists. As security exploits are time-sensitive, efficient-and-effective response should be a priority. (Security experts tend to "know" each other, so any experts not-on-the-list could be quickly involved directly, or through off-list-channels.)

I concede there is a similar list of "positive-considerations" in support of the "public" (v. "closed"). However, these are merely to illustrate the tentative decision to follow precedent of (some) of the Linux Distros for a "closed-security-list" is not bat-sh*t-stupid, unfair, against the principles of open-governance, etc.

>
>> Lars
>
> I'd expect more from you, being the Chief Maintainer of the project
> and all. What a worthless post. You didn't even attempt to tackle my
> argument.

55% => 56%

> Speaking of which, if ANYBODY can defeat it, I'll shut up here and now.

My four points above are defensible. However, I concede that the issue is whether-or-not my four points are pragmatically "compelling" in contrast with your-four-points (i.e., your discrete lists of benefits for "open v. closed"). That will, by its nature, be somewhat subjective.

> Ok noobs, you leave me no choice. Just like when someone doesn't
> believe a specific vulnerability is legit, I guess I have to prove it
> with an actual exploit. So I'll be ditching this alias and creating a
> new one. Unlike the provingapoint12345 puppet, it will appear entirely
> real (hurr I can use tor etc you morons (TAILs means any 5 year old
> can)). I will stop being mean to people, and I'll even contribute
> random bug fixes or other small contributions just to earn merit.
> Thiago has already indicated that it's pretty easy for someone to join
> Qt's security team. So after I get in, I'll be secretly publishing all
> the reports to cracker circles around the globe.
>
> Guess your only counter is to never let anybody else join the security
> team. Good security policy you got there. Sholy Hit I'm surrounded by
> retards.
>
> Anonymous
>
> ...rejoice that I am leaving, but know that I am here in the shadows
> watching you [mas7urba7e] from a distance...

I see you asserting that you are "not-being-heard", and you will now stomp-your-feet-and-leave. Further, because the Community did not go with your-imperfect-approach, you will now exploit the Community's-imperfect-approach.

Do I think you can do this? Yes. Do I care? No. Why?

(1) If you want to mug-people-in-alleys, then I don't control your actions. Your actions are a reflection of you. I might be sad, but it's not my call.

(2) The imperfect-approach tentatively established by the Community is to handle exploits, which are created/exploited by many exploit-creators with many motivations. That you would join that world merely means (big_number++). The Community response is merely a process, the best the Community thinks it can do, so it's going to follow-its-process whether you join The League Of Shadows or not. When you get your exploit, it will be another decision-point for you-to-be-a-reflection-of-you. For example, your newly-created exploit announced to the "closed-security-list" would probably immediately qualify you for a respected place of consultation on that list.

CLOSING

Again, I think you're a really smart guy. You have a lot of experience, and know a lot. Your ability to assert-and-defend is to be respected and commended, and in the proper expression, makes the Community (much) stronger.

And, your Ego is Great. It is part of us, so that's fine. Great egos never bothered me much, because IMHO it's fine if you have an ego-as-big-as-the-Great-Outdoors, as long as it fits inside your abilities. That works for people like Mozart. However, IMHO, most big-egos aren't excused by their abilities, at which point I merely conclude "costs-outweigh-benefits" of working with that ego. As it relates to you, I haven't decided on the "cost/benefit". However, others state that they *are* deciding, on-and-off-list, and it's something for you to consider.

Fundamentally, if you shout too loud, then you are shouting-to-yourself in the middle of the field. No one else notices nor cares. I expect that you someday will realize that, other than as a great "exercise-regimen" for your personal fitness, it becomes rather pointless.

--charley
