On 10/20/2012 2:04 AM, d3fault wrote:
Are you willing to put the security of your operations in the hands of
all the wives and children who might have access to their dad's
computer (he being a member of that trusted network of analysts)?
Humans can be bought/persuaded/compromised/etc with
Op 19-10-2012 3:50, slfj sfjie schreef:
Also, the guy didn't even disagree with me. He pretty much reiterated
the first post and said absolutely nothing. You disagreed with me for
a little bit (CVE/Mitre), but getting around those problems is trivial
by setting up a
On Fri, Oct 19, 2012 at 1:08 AM, André Somers an...@familiesomers.nl wrote:
You may not agree with the decision
taken, but the grown-up thing to do is to accept that and move on.
Tell that to the Jews who were forced to go to the holocaust.
Please focus your energy on more productive ventures.
On Fri, Oct 19, 2012 at 07:55:52AM -0700, d3fault wrote:
Anybody want to respond telling me why they think full disclosure is
worse than behind closed doors security?
google responsible disclosure
___
Development mailing list
On 19.10.2012, at 16:55, d3fault wrote:
On Fri, Oct 19, 2012 at 1:08 AM, André Somers an...@familiesomers.nl wrote:
You may not agree with the decision
taken, but the grown-up thing to do is to accept that and move on.
Tell that to the Jews who were forced to go to the holocaust.
Now that
On Fri, Oct 19, 2012 at 8:27 AM, Oswald Buddenhagen
oswald.buddenha...@digia.com wrote:
google responsible disclosure
No need, and that's hardly an argument. What if I said: google full
disclosure as my counter-argument?
So anyways I'll bite, even though we've already been over this.
Are you willing to put the security of your operations in the hands of
all the wives and children who might have access to their dad's
computer (he being a member of that trusted network of analysts)?
Humans can be bought/persuaded/compromised/etc with ease.
l2security
d3fault
Bump.
What's going on with this important issue?
-Am I being ignored (in which case, I should have used a pseudonym to
present my argument)?
-Has discussion halted because of a lack of consensus (in which case,
I present to you the following image: http://bayimg.com/eAEhDAaEE )?
-Am I being
Whoops that third one was a typo, should have read I am instead of Am I.
I am clearly not being listened to :-P (and I should have used a
pseudonym to trick your inferior brain(s)). You should not associate
an argument with the person presenting it (even though most do). It is
fallacious.
So can
tl;dr:
Open Project
Closed Security
The officially endorsed method for reporting security issues for Qt is
to send them to security at qt-project.org , which is a private mailing
list. I have a problem with that.
Experience has shown that 'security through obscurity' does not work.
Oh right this is where I'm supposed to disagree or object or
something... See:
http://lists.qt-project.org/pipermail/development/2012-October/006892.html
tl;dr: I object on the grounds that behind closed doors security is
not only a waste of time, it also hurts Qt _users_.
Do This:
-CVE/CERT
On 10 Oct 2012, at 11:18, d3fault d3faultdot...@gmail.com wrote:
Oh right this is where I'm supposed to disagree or object or
something... See:
http://lists.qt-project.org/pipermail/development/2012-October/006892.html
tl;dr: I object on the grounds that behind closed doors security is
On Wed, Oct 10, 2012 at 2:34 AM, Ziller Eike eike.zil...@digia.com wrote:
-CVE/CERT aka private/exclusive notifications go to some email address
that only core security team has access to:
security-priv...@qt-project.org or something
in the proposal that is secur...@qt-project.org
Yes, but
On 10 Oct 2012, at 13:25, d3fault d3faultdot...@gmail.com wrote:
On Wed, Oct 10, 2012 at 2:34 AM, Ziller Eike eike.zil...@digia.com wrote:
-CVE/CERT aka private/exclusive notifications go to some email address
that only core security team has access to:
security-priv...@qt-project.org or
09.10.2012, 20:59, Richard Moore r...@kde.org:
On 9 October 2012 09:21, Marc Mutz marc.m...@kdab.com wrote:
Hi Rich,
Thanks for taking the time to write this up. I have but one question:
On Monday October 8 2012, Richard Moore wrote:
* Where possible packagers should be informed
On 10 October 2012 14:02, Konstantin Tokarev annu...@yandex.ru wrote:
09.10.2012, 20:59, Richard Moore r...@kde.org:
On 9 October 2012 09:21, Marc Mutz marc.m...@kdab.com wrote:
Hi Rich,
Thanks for taking the time to write this up. I have but one question:
On Monday October 8 2012,
I suggest git-send-email to the security list.
I've used email (git-send-email) based patch review in low traffic projects and
found it to work really really well.
Simon
--
Sendt fra min Nokia N909.10.12 18:59 skrev Richard Moore:
On 9 October 2012 09:21, Marc Mutz marc.m...@kdab.com wrote:
On quarta-feira, 10 de outubro de 2012 16.06.43, Richard Moore wrote:
It was discussed with the Gerrit people, there's a response from them
in the comments where they discuss how they handle the same issue for
security holes in gerrit itself. Short version is that they have a
second private
On 9 Oct 2012, at 01:07, Giuseppe D'Angelo dange...@gmail.com wrote:
Hi Richard,
many thanks for the insightful mail.
On 8 October 2012 22:49, Richard Moore r...@kde.org wrote:
[…]
== What Happens When an Issue is Reported? ==
* security@ should be sent to a 'core security' team
Hi Rich,
thanks for putting this together. I like the proposal. It's lightweight, but
will IMO cover our needs.
On Oct 9, 2012, at 1:07 AM, Giuseppe D'Angelo dange...@gmail.com wrote:
Hi Richard,
many thanks for the insightful mail.
On 8 October 2012 22:49, Richard Moore r...@kde.org
Hi Rich,
Thanks for taking the time to write this up. I have but one question:
On Monday October 8 2012, Richard Moore wrote:
* Where possible packagers should be informed directly of which SHA1s they
should cherry pick in order to get a security fix.
What process do you recommend to
On 10/09/2012 01:07 AM, Giuseppe D'Angelo wrote:
(...)
* Security issues should not be reported via the normal
bugreports.qt-project.org tracker, but should instead be sent to
security at qt-project.org.
This requires advertising such address properly, on the main
qt-project
On 9 October 2012 09:21, Marc Mutz marc.m...@kdab.com wrote:
Hi Rich,
Thanks for taking the time to write this up. I have but one question:
On Monday October 8 2012, Richard Moore wrote:
* Where possible packagers should be informed directly of which SHA1s they
should cherry pick in
On 9 October 2012 08:58, Ziller Eike eike.zil...@digia.com wrote:
On 9 Oct 2012, at 01:07, Giuseppe D'Angelo dange...@gmail.com wrote:
Hi Richard,
many thanks for the insightful mail.
On 8 October 2012 22:49, Richard Moore r...@kde.org wrote:
[…]
== What Happens When an Issue is
Over the last few weeks, I've been working on a proposal for a
security policy for the Qt Project. I've drawn on the Django security
policy, my own experience, previous Qt security announcements and
feedback from the initial reviewers. I think we now have something
that is worth having a wider
I'm including the text inline since I've had a request for that.
Rich.
= Current State =
== How did we do during the recent CRIME attack? ==
* We provided a fix.
* security at qt-project.org was shown to be non-functional (no reply, no
action).
* We were initially unable to send an
Hi Richard,
many thanks for the insightful mail.
On 8 October 2012 22:49, Richard Moore r...@kde.org wrote:
= Proposed Security Policy =
== Reporting Security Issues ==
* Security issues should not be reported via the normal
bugreports.qt-project.org tracker, but should instead be
27 matches
Mail list logo