[Development] Proposal: Change Qt's Security Policy to Full Disclosure
Samuel Rødal
samuel.rodal at digia.com
Wed Oct 24 17:39:48 CEST 2012
On 10/24/2012 11:30 AM, d3fault wrote:
> On 10/24/12, Samuel Rødal <samuel.rodal at digia.com> wrote:
>> Lars and Charles both provided good lists of reasons in another part of
>> this thread for going with the policy of Responsible Disclosure. Clearly
>> you disagree on the weighting of the pros and cons, but it doesn't seem
>> like you're able to convince anyone else about the superiority of your
>> position. At what point will you accept that?
>>
>
> dubtef' you're right, I completely missed Lars' response somehow :-/.
>
> I think I've logically proven a vulnerability exists within the Qt
> Security Policy. I think what I'm proposing is reasonable. It
> accommodates both responsible and full disclosure. Yes I can be an
> arsehole at times (triggered especially when I'm talked down to: "let
> us make important decisions for you" ... and basically this whole "you
> have to trust us with your security" mentality), but skipping over the
> argument completely and focusing only on my bad behavior is even worse
> than the bad behavior itself.
As far as I see it all the options have vulnerabilities, so it shouldn't
be hard to prove that they exist within either approach.
If I get you correctly, you're saying that you want two security mailing
lists, one open and one closed. Others have countered this by saying
that the existing development mailing list will in practice act as the
open one. In what way do you perceive these two options as being
radically different?
--
Samuel