[Development] Proposal: Change Qt's Security Policy to Full Disclosure

Charley Bay charleyb123 at gmail.com
Sat Oct 20 16:48:56 CEST 2012


Wow.  I don't usually "rubber-neck" as I drive by car-crashes, but I
must say, this has been one of the more fascinating email chains.

Not because of content; but rather, because in my introverted
"I'm-so-lonely!" world, observing humans-being-human has recently
become fascinating to me.

I had to LMAO when "Godwin's law" got invoked so fast.  Must be a record.

My summary (for those that don't want to read further):  You're a
smart guy, but you're hurting those you're trying to help.  Your
message is lost because it is so loud, that no one can hear it.  I
personally would be sorry to see you go, but I understand that such a
departure can be a positive healing experience for both you and the Qt
community.

Since your email announces your departure, I'm responding.  I'm not
trying to feed-a-troll, and you must admit that you qualify.  However,
I have specific observations related to the discussion: technical,
governance-oriented, and psycho-social.

The casual reader will want to stop reading now.

On Fri, Oct 19, 2012 at 9:18 PM, d3fault <d3faultdotxbe at gmail.com> wrote:
> On Fri, Oct 19, 2012 at 3:37 PM, Knoll Lars <Lars.Knoll at digia.com> wrote:
>> This is just wrong, and I'm getting tired of your ramblings on this mailing list. Just because you send something to the ML and people get tired of answering you doesn't mean your proposal is accepted.
>>
> I was writing that tongue in cheek and mocking Thiago. Sarcasm > You.

Ouch.  There you're just being mean, as the relational expression does
not expand upon your defense/justification.

It's really hard to discuss (an implication of an
ideas-exchange-back-and-forth) if the sides do not respect each other
(there's no point to discussion in that case).  That's where we are
now.  You're frustrated, trying to reverse a lack-of-good-faith (as
perceived by at least one side) with further evidence of
lack-of-good-faith.

My impression of you:  You're really smart with significant Qt
use-history.  I've watched you in many threads on this list, and it's
clear you know a lot, and you've made helpful comments/responses on
questions including quite technical aspects of Qt internals.  I don't
agree with you on some "project-direction-issues" like QWidget/QML,
but see the chance for common-ground with some reasonable concessions
(e.g., an eventual all-C++-API).

However, my summary report would have to be:

  15% -- Devil's advocate arguing
  30% -- Constructive answers/discussions-to-technical-questions
  55% -- Bomb-throwing

>> We have a fully worked out proposal by Rich on the table that many people agreed with, and we'll stick with it for now.
>>
> His proposal is alright, with the exception of handling incoming
> vulnerabilities. He didn't even discuss the subject, so what do you
> even mean sticking with it?

Lars, in his role of Chief Maintainer, is trying to conclude a topic
after extensive discussion.  His job is significant only in those
cases where consensus cannot be reached, but a decision is required.
This topic appears to warrant that intervention, so Lars is
legitimately exercising his duty.

Your concession is interesting:  "His proposal is alright, with the
exception of handling incoming vulnerabilities."

That was not previously clear to me in the discussion (I may have
missed that, there was lots of exciting talk to obscure the point),
but this statement is quite clear and constructive.  We can focus on
the single topic of disagreement (incoming vulnerabilities).

ISSUE:

Identified vulnerabilities could go to a "public-security-list" or
"closed-security-list".

PRECEDENT:

Significant (large) community (open-governance) projects have done
either; examples in this thread include Linux Distros using
"closed-security-lists", as was tentatively-agreed as the direction
within the Qt-community (so that decision can't be crazy-stupid with
such precedent).

TRADE-OFF:

  (a) a "public-security-list" invites "script-kiddies" to cause
mischief without working hard, as exploits are
publicly-announced/available before fixes

  (b) a "closed-security-list" is a "layer" requiring mischief-makers
to work-a-little-harder to get into the list, and maintain a presence;
the benefit is that they may have strategic access to exploits between
the announcement-on-the-closed-list and public-disclosure (at which
point there would be a "fix").

COMMUNITY CONCERNS:

There's a lot in this section, and this is your main argument.
However, I'll put forth a few.

 (a1) Interruptions/noise is higher with "public" (v. "closed"):  As
an administrator/user, announcement of a security issue without a fix
is likely not-actionable, or the "shut-my-stuff-down" action is a
costly "over-response".  I must await a second announcement, and the
first announcement is "noise" to which I cannot respond, but against
which I am now liable (e.g., you've added to my noise, and to my
liability, without a benefit).

 (a2) Risk/exploits are higher with "public" (v. "closed"):  The
script kiddies are invited to cause mischief with publicly-announced
exploits without available fixes.

 (a3) Developer/Technical response is "harder/riskier" with "public"
(v. "closed"):  Technical discussion about partial-fixes, fix-options,
and issues-with-proposed fixes is harder to have in a public forum,
as all information would provide the mischief-makers with more
ammunition to cause more mischief.

 (a4) Noise is higher on "public" (v. "closed") lists, decreasing
efficiency and effectiveness.  The qualified contributors must spend
time responding-to and defending-against questions, comments, concerns
(etc.) from people that do not fully understand the topic, because no
"vetting" process exists.  As security exploits are time-sensitive,
efficient-and-effective response should be a priority.  (Security
experts tend to "know" each other, so any experts not-on-the-list
could be quickly involved directly, or through off-list-channels.)

I concede there is a similar list of "positive-considerations" in
support of the "public" (v. "closed").  However, these are merely to
illustrate that the tentative decision to follow the precedent of (some
of) the Linux Distros for a "closed-security-list" is not
bat-sh*t-stupid, unfair, against the principles of open-governance, etc.

>
>> Lars
>
> I'd expect more from you, being the Chief Maintainer of the project
> and all. What a worthless post. You didn't even attempt to tackle my
> argument.

55% => 56%

> Speaking of which, if ANYBODY can defeat it, I'll shut up here and now.

My four points above are defensible.

However, I concede that the issue is whether-or-not my four points are
pragmatically "compelling" in contrast with your-four-points (i.e.,
your discrete lists of benefits for "open v. closed").

That will, by its nature, be somewhat subjective.

> Ok noobs, you leave me no choice. Just like when someone doesn't
> believe a specific vulnerability is legit, I guess I have to prove it
> with an actual exploit. So I'll be ditching this alias and creating a
> new one. Unlike the provingapoint12345 puppet, it will appear entirely
> real (hurr I can use tor etc you morons (TAILs means any 5 year old
> can)). I will stop being mean to people, and I'll even contribute
> random bug fixes or other small contributions just to earn merit.
> Thiago has already indicated that it's pretty easy for someone to join
> Qt's security team. So after I get in, I'll be secretly publishing all
> the reports to cracker circles around the globe.
>
> Guess your only counter is to never let anybody else join the security
> team. Good security policy you got there. Sholy Hit I'm surrounded by
> retards.
>
> Anonymous
>
> ...rejoice that I am leaving, but know that I am here in the shadows
> watching you [mas7urba7e] from a distance...

I see you asserting that you are, "not-being-heard", and you will now
stomp-your-feet-and-leave.

Further, because the Community did not go with
your-imperfect-approach, you will now exploit the
Community's-imperfect-approach.

Do I think you can do this?  Yes.

Do I care?  No.

Why?

(1) If you want to mug-people-in-alleys, then I don't control your
actions.  Your actions are a reflection of you.  I might be sad, but
it's not my call.

(2) The imperfect-approach tentatively established by the Community is
to handle exploits, which are created/exploited by many
exploit-creators with many motivations.  That you would join that
world merely means (big_number++).  The Community response is merely a
process, the best the Community thinks it can do, so it's going to
follow-its-process whether you join The League Of Shadows or not.

When you get your exploit, it will be another decision-point for
you-to-be-a-reflection-of-you.  For example, your newly-created
exploit announced to the "closed-security-list" would probably
immediately qualify you for a respected place of consultation on that
list.

CLOSING

Again, I think you're a really smart guy.  You have a lot of
experience, and know a lot.  Your ability to assert-and-defend is to
be respected and commended, and in the proper expression, makes the
Community (much) stronger.

And, your Ego is Great.  It is part of us, so that's fine.  Great egos
never bothered me much, because IMHO it's fine if you have an
ego-as-big-as-the-Great-Outdoors, as long as it fits inside your
abilities.  That works for people like Mozart.  However, IMHO, most
big-egos aren't excused by their abilities, at which point I merely
conclude "costs-outweigh-benefits" of working with that ego.

As it relates to you, I haven't decided on the "cost/benefit".
However, others state that they *are* deciding, on-and-off-list, and
it's something for you to consider.

Fundamentally, if you shout too loud, then you are
shouting-to-yourself in the middle of the field.  No one else notices
nor cares.  I expect that you someday will realize that other-than as
a great "exercise-regimen" for your personal fitness, it becomes
rather pointless.

--charley


