[Development] Proposal: Change Qt's Security Policy to Full Disclosure
Lars.Knoll at digia.com
Sat Oct 20 23:12:26 CEST 2012
On Oct 20, 2012, at 5:18 AM, d3fault <d3faultdotxbe at gmail.com> wrote:
> On Fri, Oct 19, 2012 at 3:37 PM, Knoll Lars <Lars.Knoll at digia.com> wrote:
>> This is just wrong, and I'm getting tired of your ramblings on this mailing list. Just because you send something to the ML and people get tired of answering you doesn't mean your proposal is accepted.
> I was writing that tongue in cheek and mocking Thiago. Sarcasm > You.
The way you write is quite often rather offensive, and makes people (including myself) ignore any other argument. It's about time you understand that this behaviour is not accepted here and that you will not get anywhere with it.
>> We have a fully worked out proposal by Rich on the table that many people agreed with, and we'll stick with it for now.
> His proposal is alright, with the exception of handling incoming
> vulnerabilities. He didn't even discuss the subject, so what do you
> even mean sticking with it?
> I'd expect more from you, being the Chief Maintainer of the project
> and all. What a worthless post.
Start with yourself before criticising others. You've had more than your share of worthless (or worse harmful) posts on this list.
> You didn't even attempt to tackle my argument.
No, because I was reacting to your statement about how decisions are being made in this project and the tone of your emails.
> Speaking of which, if ANYBODY can defeat it, I'll shut up here and now.
This is not a mathematical algorithm you can prove right or wrong. Security involves humans and interacting with other people. So there are always arguments speaking for and against certain policies.
Read Charley's arguments; he has listed quite a few of the arguments against a public list. For the sake of it, here's my summary:
Qt is being used in literally millions of places. Most end users do not even know that the product they are using is Qt based. The companies or projects who have developed the software can't really control these usages. Often you can't even easily reach all your customers/users because the only mechanism you have (if there's any at all) is a built-in update mechanism.
In many cases it's unreasonable to ask people to shut down the services because it's simply too expensive. Think about a mobile phone like the N9. Do you really expect people to turn their phone off for an unknown amount of time because there's an exploit? Do you think end users can even judge the criticality of the exploit and what kind of measures they could take to avoid it? They can't. Often even we, the main developers behind Qt, can't know what kind of measures an end user needs to take to protect himself, because we don't know how exactly Qt is being used in the product.
Of course one needs to publish fixes for security issues and do updates and disclose the problem. But if the issue is not widely known already, we have a chance to already provide a fix when we disclose it. The best way I can see is to keep these private (for a limited period of time) and work with the experts in the area where the issue is to get it fixed as fast as possible. Create the patch and ideally an updated release of the product. Then inform your main customers/users and the rest of the world.
Most open source projects use a closed security list for exactly the reasons above. Even Debian, which you cite as a reference, has one, and they are coordinating disclosure dates with other vendors. Read http://www.debian.org/security/ once again, and don't only cite one sentence in there out of context. So we will be in good company here, following a process very similar to most other OSS projects, including most Linux distributions, WebKit, Apache and many others.
And to make it clear: The Qt project will do full disclosure of the issues. The variant we'll be using is called 'Responsible Disclosure' on Wikipedia. See http://en.wikipedia.org/wiki/Full_disclosure and http://en.wikipedia.org/wiki/Responsible_disclosure
> Ok noobs, you leave me no choice. Just like when someone doesn't
> believe a specific vulnerability is legit, I guess I have to prove it
[… deleted pointless rant, threats and insults…]
This just makes you sound like a small spoiled child that didn't get his way. And you wonder why people ignore you?