[Development] Proposal: Time to decide what security policy the Qt Project will use (not Trolltech/Nokia/Digia)

João Abecasis joao at abecasis.name
Fri Oct 26 20:01:38 CEST 2012


Dear d3fault,

d3fault wrote:
> Nah. "WILL" is too strong a statement. More like: very very very very likely ;-)

Cras in mi ut mi auctor tincidunt. Vestibulum volutpat lorem eget
ligula egestas vehicula. Mauris in nisi et ligula accumsan accumsan
vitae at erat. Etiam vitae leo risus. Vivamus placerat turpis lectus,
eget gravida neque. Suspendisse id nunc ipsum, vel pellentesque dolor.
Nam in lorem eu sapien tincidunt mollis. Nullam nec massa id risus
commodo blandit.

> The number isn't very relevant because they are crackers instead of
> script kiddies. The number of crackers is also a question mark. You
> simply cannot know how many crackers have gained access to the
> information. It's better to know that everyone knows than to think*
> you and your peers are the only ones who know (and to keep the rest of
> us in the dark). You do not have to fear the script kiddies a single
> bit if you are armed with the same information as them (because you
> shut down).

Pellentesque habitant morbi tristique senectus et netus et malesuada
fames ac turpis egestas. Sed viverra aliquet mauris nec rutrum. Donec
faucibus leo sit amet ligula convallis dignissim. Nam eu mattis metus.
Ut egestas turpis ut dui bibendum convallis. Vivamus sed arcu sem, vel
pretium arcu. Mauris lacinia consectetur lectus. Fusce sit amet
ultricies felis. Lorem ipsum dolor sit amet, consectetur adipiscing
elit. Nam tortor quam, congue ut posuere sed, sagittis sed urna. Nunc
adipiscing, tortor at congue lacinia, felis nunc tincidunt mauris, in
faucibus mauris neque at ligula.

> * = erroneously

Praesent non risus nisi, cursus euismod nibh. Sed vel nisi ut lorem
tristique tristique eget eget velit. Praesent eu neque ut orci
consectetur molestie. Praesent sit amet arcu vel eros gravida
ullamcorper at vel lacus. Duis libero nisi, tempor sit amet accumsan
vel, auctor sed nibh. Cras euismod consectetur mollis. In dignissim
purus eget lacus hendrerit sed suscipit magna egestas. Fusce faucibus
est lobortis dui ullamcorper quis vehicula orci commodo. Vestibulum
ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia
Curae; Suspendisse nibh mauris, condimentum id mattis bibendum, porta
pulvinar tellus. Etiam sem nulla, pretium quis imperdiet tristique,
faucibus sed mauris. Vestibulum ut leo vitae elit vulputate tincidunt.
Etiam pellentesque orci a augue luctus mollis. In eget eros nibh, eget
aliquet mi. Proin augue massa, placerat id elementum a, pretium ac
sapien.

> EXACTLY.
> -A few crackers armed with knowledge you don't have
> -A ton of script kiddies with knowledge you also have

Aenean mauris augue, ornare dignissim tempor quis, fermentum
vestibulum nisl. Nam ipsum augue, hendrerit sed venenatis a,
vestibulum vitae tortor. Duis rhoncus mi ut odio rutrum ullamcorper
fermentum diam tempor. Fusce sed velit purus. Pellentesque eget nisl
mi, sed posuere eros. Maecenas vitae turpis augue. Cum sociis natoque
penatibus et magnis dis parturient montes, nascetur ridiculus mus.
Pellentesque tortor dui, volutpat non tempor eu, mollis sed justo.
Donec facilisis neque ac est dictum id euismod nibh adipiscing. Mauris
suscipit, urna non sodales auctor, diam mauris pulvinar elit, id
condimentum ligula dolor ut nibh. Nullam viverra orci non urna pretium
non porta diam luctus. Pellentesque sem enim, cursus in tempus ut,
varius id est.

> The lesser of two evils is the latter.

Aenean eu metus turpis. Donec rhoncus leo non nibh mattis ut
vestibulum sapien mattis. Fusce quis massa eu enim consequat porttitor
ut vel erat. Vivamus vitae tortor turpis, quis pulvinar ligula. Donec
commodo consectetur lorem quis adipiscing. Pellentesque pellentesque
fringilla mi at egestas. Sed vitae dui a augue tempus gravida. Nam
sapien sem, adipiscing eu placerat at, lacinia ut nibh.

> BECAUSE *copies from above*:
> You do not have to fear the script kiddies a single bit if you are
> armed with the same information as them (because you shut down).

Morbi non semper purus. In turpis leo, lacinia sit amet consequat id,
mattis vel eros. Proin auctor lobortis est, vel elementum dui
convallis id. Cras nec felis lorem. Proin porttitor, mi vitae
tristique laoreet, nisl libero rhoncus mauris, vitae euismod urna mi
sed nunc. Cras fermentum mauris non neque venenatis ut facilisis metus
fermentum. Donec id eros orci. Praesent volutpat sodales faucibus. Sed
commodo rutrum neque, in blandit diam aliquam at. Curabitur ante quam,
malesuada sed gravida eu, lobortis vitae massa. Mauris tempor, nulla
at lobortis lacinia, turpis neque molestie justo, at posuere erat eros
vitae libero.

> If I can convince you then you might be able to convince him. Since,
> you know, he actually respects you and all (brought that upon myself
> xD).

Quisque mollis laoreet malesuada. Mauris magna mauris, adipiscing sed
vehicula eget, lobortis eu ligula. Nam et tortor quis turpis semper
hendrerit. Ut consectetur porttitor purus a fringilla. Curabitur
elementum sodales luctus. Proin bibendum magna nec lacus placerat
fermentum. Maecenas ac ultricies quam. Vestibulum pellentesque sodales
augue, eget suscipit justo sodales id. Curabitur dictum velit sit amet
sapien lacinia dignissim. Proin non bibendum sapien. Aliquam erat
volutpat. Aliquam scelerisque, purus ac ornare luctus, est erat dictum
lectus, et fringilla nulla sapien id magna.

> We should handle it like OpenBSD, erring on the side of caution. If
> it's definitely a buffer overflow, it should be fixed. The QML people
> don't have to pay attention to the Security discussions and can
> continue being oblivious (note: if you are oblivious, you are not
> secure).

Duis tincidunt, massa eu accumsan tempor, metus enim interdum eros, eu
cursus mauris metus eu elit. Donec ac nisi nec felis sagittis
sagittis. Mauris fringilla, ante varius vulputate adipiscing, lorem
ligula euismod leo, sed vulputate eros ligula sed augue. Etiam eget
tempor ligula. Integer vel quam a erat tempus eleifend. Etiam sagittis
auctor ipsum nec porta. Quisque varius ipsum ligula. Etiam consectetur
faucibus eros molestie dignissim. Quisque rutrum imperdiet adipiscing.
Morbi vel libero sed massa suscipit laoreet. Nunc id urna quis lacus
varius sodales non eget tortor. Aenean condimentum sollicitudin
pharetra. Cras laoreet odio ut enim sodales non mattis orci commodo.

> "During our ongoing auditing process we find many bugs, and endeavor
> to fix them even though exploitability is not proven. We fix the bug,
> and we move on to find other bugs to fix. We have fixed many simple
> and obvious careless programming errors in code and only months later
> discovered that the problems were in fact exploitable. (Or, more
> likely someone on BUGTRAQ would report that other operating systems
> were vulnerable to a `newly discovered problem', and then it would be
> discovered that OpenBSD had been fixed in a previous release)" (
> http://openbsd.org/security.html ).

Nullam commodo viverra tortor, sed congue massa egestas a. Integer in
ipsum id elit sollicitudin vulputate. Etiam suscipit placerat diam,
vitae commodo justo scelerisque id. Mauris sit amet diam turpis, a
porta diam. Suspendisse sodales dapibus sem, sed scelerisque turpis
dictum vitae. Aenean ornare lorem a ligula varius non luctus dui
tristique. Vivamus sed ligula dui, tincidunt varius mi. Nullam tortor
arcu, posuere non mattis at, cursus a lorem. Proin euismod, nunc sed
convallis tempus, nunc arcu ultricies mauris, ac euismod odio augue
eleifend nulla. Praesent a felis velit. In et ipsum augue, sed luctus
libero. Vivamus arcu dolor, varius sagittis aliquet sed, rhoncus id
orci. Morbi consectetur faucibus congue. Duis in quam vitae elit
cursus tristique ac in sem. Praesent fringilla, tortor ac consequat
ullamcorper, est dolor vulputate nisi, quis fringilla sapien sem eu
felis. Aliquam arcu ante, elementum nec euismod ornare, vestibulum sit
amet neque.

> I would like Qt to be ahead of the game like OpenBSD is. I'd even like
> to see a minimal/hardened version of Qt where code must first pass
> extensive auditing. I would happily contribute to that process as it
> serves me directly.

Morbi mollis sagittis diam et rutrum. Praesent blandit turpis et
lectus rhoncus euismod. Cras ac lectus mi. Mauris sollicitudin dui
molestie enim blandit id sollicitudin libero consequat. Vestibulum at
felis sodales felis euismod fermentum. Cum sociis natoque penatibus et
magnis dis parturient montes, nascetur ridiculus mus. Sed a elit est.
Sed at consectetur dolor. Vivamus ac lacus urna, vitae feugiat neque.
Lorem ipsum dolor sit amet, consectetur adipiscing elit. In
condimentum, diam ut molestie blandit, massa velit blandit ipsum,
vitae laoreet magna tortor vel tortor. Quisque vitae felis dapibus
massa tempus viverra sit amet vulputate leo. Morbi at arcu eros.
Integer porttitor purus at ipsum sagittis eu ornare dolor suscipit.
Aliquam urna mauris, molestie in lacinia ac, ullamcorper eget lacus.

> Similarly, they could handle "You are vulnerable. You should shut down
> to protect yourself" and "Here's a fix, apply it like this and you
> should be ok to bring yourself back online".

Mauris mi ligula, condimentum id condimentum a, sollicitudin ac diam.
Nulla nec dolor eu est molestie viverra. Morbi eleifend ante non quam
bibendum vulputate. Suspendisse sit amet lacus ac urna sagittis
imperdiet. Praesent nisi sapien, ullamcorper et dictum in,
sollicitudin a dui. Nunc tincidunt pellentesque lacinia. Etiam vel
nisi est, sit amet eleifend lacus. Phasellus cursus tristique
vehicula. Praesent consectetur imperdiet tortor, a tempor elit
hendrerit ac. Maecenas nec velit vitae erat feugiat pharetra. Nullam
enim turpis, auctor eleifend imperdiet non, pretium eu mauris. Cras ut
nunc vel eros varius tristique porta vel dolor. In hac habitasse
platea dictumst. In vulputate nisi lectus, id mattis eros. Curabitur
ac mollis risus. Proin at arcu orci.

> Yes, but we should not simultaneously force those who are competent to suffer.

Cras lorem urna, lacinia semper rutrum adipiscing, congue nec nisi.
Fusce ullamcorper viverra diam. Maecenas nibh tellus, lobortis at
condimentum sit amet, fringilla dictum orci. Maecenas pretium, lorem
vel convallis vehicula, nulla urna posuere ipsum, ut suscipit sapien
sapien eu ligula. Etiam mattis sapien quis quam luctus ullamcorper.
Quisque tempus nisi ac massa tristique bibendum. Pellentesque pretium
auctor quam, ultrices ultrices nibh pharetra at. Fusce vulputate nunc
eu turpis rutrum vel pulvinar magna egestas. Quisque a ipsum vel
lectus gravida accumsan. Duis facilisis accumsan lacinia. Praesent id
tempor magna. Praesent adipiscing nisl ut neque aliquet vel accumsan
nulla rhoncus. Pellentesque habitant morbi tristique senectus et netus
et malesuada fames ac turpis egestas. Quisque cursus tincidunt dictum.
Nullam scelerisque felis quis orci dictum ac lobortis elit dapibus.

> They wouldn't have to hack their way in if you gave them access.
> You've already shown that it's relatively easy for someone to join the
> security team.

Fusce vehicula semper vulputate. Ut ultricies, metus in lobortis
gravida, velit urna scelerisque dolor, eget auctor ligula arcu ac
nunc. Vivamus tortor leo, vulputate id accumsan sed, accumsan interdum
libero. Integer nunc orci, vestibulum in dictum ac, elementum nec
magna. Nunc et porttitor neque. Nam porttitor hendrerit eros,
sollicitudin porta felis interdum vestibulum. Vestibulum vitae turpis
vitae sapien suscipit aliquam. Cras pretium ullamcorper turpis vel
tincidunt. Aenean lacinia dapibus lectus eu congue. Nam facilisis
magna a turpis congue sed gravida massa aliquet.

> lol. We cannot attain perfection, but we should still strive for it.
> Yes having your systems online is a risk... and so is going outside.
> But if you ***KNOW*** there's a man with a gun standing outside your
> door, you aren't going to go outside. The same is true for knowing of
> a vulnerability's existence: don't go online until you know it's been
> dealt with.

Praesent consequat, nisl quis aliquet ultricies, velit dolor interdum
arcu, at accumsan lorem eros ac leo. Duis et ipsum nisl, sed dictum
nunc. Quisque laoreet nibh ac felis consequat quis aliquam velit
consectetur. Nullam a elit et diam vulputate tempor. Proin congue,
arcu vitae pulvinar pharetra, orci turpis commodo nibh, at tristique
ligula massa faucibus turpis. Etiam molestie, magna porttitor sagittis
iaculis, nisi ante pharetra metus, sed hendrerit dolor sem in dolor.
Aliquam molestie lectus vitae lorem placerat consequat. Ut egestas
tincidunt eros ac pretium. Donec convallis posuere tellus id posuere.

> See above about a hardened Qt. Moving to Full Disclosure would be a
> first step towards that.

Cum sociis natoque penatibus et magnis dis parturient montes, nascetur
ridiculus mus. Nam faucibus mi eget arcu aliquet tristique. Morbi sem
purus, volutpat sit amet pretium ac, suscipit nec odio. Suspendisse
rhoncus mattis neque, sed accumsan magna luctus non. Ut quam magna,
ornare ut porttitor vel, scelerisque nec augue. Nullam eleifend, odio
et facilisis varius, mi lacus pretium libero, vel pharetra est augue
at leo. Sed congue augue sed tortor scelerisque vel tincidunt dui
varius. Ut eget ligula elit. Pellentesque iaculis sagittis ligula
facilisis bibendum. Praesent et lobortis nulla. Suspendisse nec orci
diam. Ut ac lorem sapien. Mauris ligula orci, rutrum in vulputate ut,
gravida eget sem. Sed non tortor sit amet nibh dictum viverra.

> Leftover corporate policy and a bunch of opinions and other
> non-arguments. Honestly, this discussion we're having right now has
> been the only productive one.

I think the above pretty much invalidates all your arguments.

Now, to put it politely, fuck off.


João


