[Development] Proposal: Time to decide what security policy the Qt Project will use (not Trolltech/Nokia/Digia)

Thorbjørn Martsum tmartsum at gmail.com
Thu Oct 25 10:07:07 CEST 2012

*I am a citizen/_user_ of this open governance project?*

Please read:

Maybe you are a user, but from what I have read are not 'Evangelizing about
the Project' and you are not 'Providing moral support' (you are telling how
terrible things are). You might have suggestions, but you are not helping
qt-project in any way. You say you have a design for a QtWidgets2, but you
haven't let anyone see it (afaik - you do not have to accept the CLA. Show
the copyrighted code at some other site) And have you submitted any code to

Some persons do consider your posts as funny, but you are seriously wasting
other peoples time int. (Time they could spend on Qt development.) If you
actually did something for the Qt-project beside screaming in here, then
maybe somebody would actually listen to you.... (thought that still doesn't
mean that you can have it your way ...)

On Thu, Oct 25, 2012 at 9:18 AM, d3fault <d3faultdotxbe at gmail.com> wrote:

> Qt has corporate roots. Responsible Disclosure has been in place since
> the Trolltech days. Corporations tend to prefer Responsible Disclosure
> because it pleases their commercial customers. Commercial entities
> like to keep their end users in the dark because vulnerabilities
> reflect poorly on the company and affect their bottom line.
> Qt is no longer backed by a single company. Digia owns the copyright
> and commercial licensing rights, but the Qt Project is where the bulk
> of the work is done. It is a collaborative open governance project run
> by the community. The Qt Project is not a commercial entity, so it has
> no obligations to Digia's commercial customers.
> That being said, Responsible Disclosure is left over cruft from the
> pre-Open-Governance days. The Qt Project has yet to decide on a
> security policy.
> So for the sake of argument, let's say it has none. We should then
> compare the pros and cons of Responsible vs. Full Disclosure [0].
> As of yet, no logically sound arguments (that haven't been re-butted
> by yours truly) have been presented in favor of Responsible
> Disclosure. Lots of opinions have been presented, but opinions have
> very little weight against logic. The only exception to the "no
> arguments" is script kiddies, but script kiddies are nothing compared
> to crackers. Responsible Disclosure both extends the window of
> opportunity for crackers and also increases the vulnerability's
> overall exposure... leading to more crackers finding and exploiting it
> before public disclosure.
> The following row from the above chart ___MUST___ be justified if we
> are to choose Responsible Disclosure:
> http://s15.postimage.org/m97mrynzv/The_Flaw_In_Responsible_Disclosure.png
> [also attached].
> It would be irresponsible for Lars Knoll to rule on the issue without
> first justifying that row in the chart.
> I am a citizen/_user_ of this open governance project. I am (we are)
> the sole justification for the project's existence. "Users are
> community members who have a need for the Project. They are the most
> important members of the community and without them the Project would
> have no purpose" [1].
> The individual is more important than the corporation, because
> "corporations are greedy psychopaths" [2]. If you disagree then there
> might be a political office waiting for you in America (I'm trying
> with all my might to suppress the insults right here).
> Does Lars Knoll have a conflict of interest being an employee at Digia
> and the Chief Maintainer of the Qt Project? Turunen Tuukka, do you
> care to comment? I know you're probably in favor of Responsible
> Disclosure... but is Lars Knoll free to choose what's best for the
> community? Or will he be fired for insubordination? If so, Turunen
> Tuukka is really the Chief Maintainer. He bought his way into the
> position when Digia acquired Qt.
> I really hope we choose Full Disclosure as our security model, as it
> gives the _users_ the best opportunity to protect both themselves and
> their end-users.
> d3fault
> [0] -
> http://lists.qt-project.org/pipermail/development/2012-October/007506.html
> [1] - http://qt-project.org/wiki/The_Qt_Governance_Model
> [2] - http://stallman.org/archives/2011-jan-apr.html
> _______________________________________________
> Development mailing list
> Development at qt-project.org
> http://lists.qt-project.org/mailman/listinfo/development
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.qt-project.org/pipermail/development/attachments/20121025/0df56c4b/attachment.html>

More information about the Development mailing list