[Development] Proposal: Time to decide what security policy the Qt Project will use (not Trolltech/Nokia/Digia)

d3fault d3faultdotxbe at gmail.com
Thu Oct 25 09:18:32 CEST 2012


Qt has corporate roots. Responsible Disclosure has been in place since
the Trolltech days. Corporations tend to prefer Responsible Disclosure
because it pleases their commercial customers. Commercial entities
like to keep their end users in the dark because vulnerabilities
reflect poorly on the company and affect their bottom line.

Qt is no longer backed by a single company. Digia owns the copyright
and commercial licensing rights, but the Qt Project is where the bulk
of the work is done. It is a collaborative open governance project run
by the community. The Qt Project is not a commercial entity, so it has
no obligations to Digia's commercial customers.

That being said, Responsible Disclosure is leftover cruft from the
pre-Open-Governance days. The Qt Project has yet to decide on a
security policy.

So for the sake of argument, let's say it has none. We should then
compare the pros and cons of Responsible vs. Full Disclosure [0].

As of yet, no logically sound arguments (that haven't been rebutted
by yours truly) have been presented in favor of Responsible
Disclosure. Lots of opinions have been presented, but opinions have
very little weight against logic. The only exception to the "no
arguments" is script kiddies, but script kiddies are nothing compared
to crackers. Responsible Disclosure both extends the window of
opportunity for crackers and also increases the vulnerability's
overall exposure... leading to more crackers finding and exploiting it
before public disclosure.

The following row from the above chart ___MUST___ be justified if we
are to choose Responsible Disclosure:
http://s15.postimage.org/m97mrynzv/The_Flaw_In_Responsible_Disclosure.png
[also attached].

It would be irresponsible for Lars Knoll to rule on the issue without
first justifying that row in the chart.

I am a citizen/_user_ of this open governance project. I am (we are)
the sole justification for the project's existence. "Users are
community members who have a need for the Project. They are the most
important members of the community and without them the Project would
have no purpose" [1].

The individual is more important than the corporation, because
"corporations are greedy psychopaths" [2]. If you disagree then there
might be a political office waiting for you in America (I'm trying
with all my might to suppress the insults right here).

Does Lars Knoll have a conflict of interest being an employee at Digia
and the Chief Maintainer of the Qt Project? Turunen Tuukka, do you
care to comment? I know you're probably in favor of Responsible
Disclosure... but is Lars Knoll free to choose what's best for the
community? Or will he be fired for insubordination? If so, Turunen
Tuukka is really the Chief Maintainer. He bought his way into the
position when Digia acquired Qt.

I really hope we choose Full Disclosure as our security model, as it
gives the _users_ the best opportunity to protect both themselves and
their end-users.


d3fault

[0] - http://lists.qt-project.org/pipermail/development/2012-October/007506.html
[1] - http://qt-project.org/wiki/The_Qt_Governance_Model
[2] - http://stallman.org/archives/2011-jan-apr.html
Attachment: The.Flaw.In.Responsible.Disclosure.png (image/png, 9791 bytes)
URL: <http://lists.qt-project.org/pipermail/development/attachments/20121025/4c2abfd9/attachment.png>