[Interest] Qt free software policy

Roland Hughes roland at logikalsolutions.com
Mon Aug 19 02:16:17 CEST 2019


On 8/18/19 5:00 AM, Thiago Macieira wrote:
>>> No, don't. That is not receiving security fixes.
>> That's exactly what is happening in many places and it should be done. A
>> number of shops have their own forks of 4.8, some have shared forks.
> And that's great, that's their right under open source licences and I'm glad
> they're exercising it. But the most important fact in your entire email is
> "they have shared forks". That means there is active development between some
> companies, who fix the issues that are important to them, including any
> security ones that can exist.
In many/most cases they are shared across products under the same 
mega-parent corporation or were until some units got spun-out or sold off.
>
>> To start with, there is no version of OpenSSL which is secure. Whoever
>> is using Qt just because it makes using SSL easy(ier) shouldn't be using
>> Qt anyway because they are releasing an insecure app they incorrectly
>> feel is secure.
> That's very disingenuous.

Honestly, it is a _completely_ accurate statement. Hopefully you had 
time to watch the "60 Minutes" report on "Pegasus" tonight.

https://www.cbsnews.com/video/ceo-of-israeli-spyware-maker-nso-on-fighting-terror-khashoggi-murder-and-saudi-arabia-60-minutes/

This is one of many, but is the most widely known. It doesn't need super 
computers, just a cheap-ass PC running as a server on the Internet. It 
can pull and decrypt _all_ of the data on any current idiot phone.

Admittedly this one typically requires a "link." Please pay close 
attention when watching the "60 Minutes" piece. Most of you have 
probably received those "DHL You have a package" emails.

There are others out there which cut through SSL like a hot knife 
through warm butter.

It is in the best interest of those using the penetration software to 
appear on every medium possible and tout the "security" of Secure Socket 
Layer. When one repeats a lie often enough even otherwise intelligent 
people will start to believe it.

>
> There's very little software that can be proven by mathematical means that it
> is secure beyond a doubt. Complex software like Qt, OpenSSL, Linux kernel, and
> 99.999% of all the software can't. Instead, security is practiced --among
> other things-- by quickly fixing what is known, when it is known. Under those
> guidelines, the last version of OpenSSL is secure *as far as we know it*.
>
> More importantly, any past version is *known* to have security issues.
> Whether those issues affect your product or not, only you can determine. So,
> yes, removing networking capabilities mitigates quite a lot.

Actually there is quite a bit of software which is "proven" by the "Holy 
Trinity" to be completely unhackable. I don't remember the names of the 
3 companies but it's the same 3 companies using both mathematical and 
black hat physical attempts both with and without viewing source. You 
have to be blessed by all 3. This is the type of software securing the 
U.S. Passport system and at least one personal VPN.

It is not OpenSource, it is patented. At least all of the ones I've been 
exposed to are. Getting a blessing from the "Holy Trinity" is a long way 
from cheap. Lots of companies pay money and get shredded.

You can create your own without an ocean of effort. I've explained _how_ 
to do it several times in this group. JUST BE SURE TO READ THE PATENTS 
BEFORE YOU RELEASE ANYTHING.

>
>> Pretty much everyone should be falling back to Qt 4.8 and staying there
>> until this ex-wife alimony licensing mentality gives Qt yet another new
>> owner. 99.9999999% of all companies refuse to pay royalties. No,
>> negotiating an up-front buy out for a license isn't paying royalties.
>> That's what my last customer did, but it was touch and go. They were
>> ready to kick Qt to the curb despite all of the proof of concept work
>> done with it.
> You may want to cut back on your exaggeration. You're off reality by a few
> orders of magnitude.
>
> [99.9999999% = 1 in one billion, my 99.999% is only 1 in ten thousand]

Before either of us can claim any high ground there we need to define 
"companies." I'm including every 12 year old Script Kiddie who hurls a 
completely insecure idiot phone app up to any app store which will let 
them. They are using Electron, Flutter and a rash of other non-royalty 
based tools. Okay, I probably should have left the last 9 off the end so 
it was one in every hundred million.

>> While we are on the royalty topic I'm fielding an increasing number of
>> contacts from companies looking for Qt consultants willing to port
>> projects OFF Qt because of the licensing.
> That's a shame.
>
> For me, I can only hope that the Qt Company knows what it is doing. I don't
> doubt you're right that there are a lot of companies that don't want to pay
> according to the Qt Company's fee schedule. There are two questions that they
> need to answer:
>   1) does this fee schedule allow for growth of their business, engineering
>      team and ecosystem?
>   2) is there a better, viable alternative?
>
> During Nokia days, there was a better alternative because the income wasn't
> tied to licensing. I don't think the only other source of income (consulting)
> is sufficient to make it an option.

It could/would/should be but from what I've seen Qt Company has no idea 
how to do it. There are thousands of consulting companies scanning job 
boards and slapping Qt consultants like me into very profitable 
projects. I've been working with one (mostly) for close to a decade now. 
They keep opening new offices in new cities. Gotta pay that rent somehow.

They have to follow that model, not just "hope" someone calls with a 
project for them.

It's far too late for them to follow the Synergex model.

https://www.synergex.com/

Want to know what the basis of the Synergy tool set is? DIBOL. DIgital 
Business Oriented Language created by Digital Equipment Corporation some 
time before the late 1970s.

I do DIBOL work once in a blue moon. Honest to God I love the language, 
at least when it is running on OpenVMS using real (not the ones 
available in Linux repos) VT-100 emulators. If you are using indexed 
files it is fantabulous.

The vast majority were (as of about 2 years ago) all running systems 
written with DIBOL. There are a lot of other places as well using DIBOL 
and the graphical version Synergex now has. Why don't I do more DIBOL 
projects? Because Synergex has managed to lock up the consulting market. 
Most/many/possibly everyone but me when it comes to DIBOL consultants is 
under some form of contract to them. I don't know the specifics and 
don't care enough about it to learn them. It all boils down to only the 
companies with a pure DIBOL/VMS system have the ability to get honked 
off at Synergex and toss a contract over to a regular pimp to find some 
old guy like me. Everybody else on every other platform has little 
choice. I don't know of any Synergex certified consultants which are 
operating freelance, at least openly. There might be a few here and 
there, but that cannot explain the continued development of Synergy and 
the growth of Synergex.

Synergex has some really big customers too. CVS has/had one or more 
critical systems written with it. Whichever high end hotel chain has 
their headquarters (or at least all software development) located in 
Florida has their entire reservation and I believe chain management 
written in it. I want to say it is Hyatt or Windham, but don't quote that.

They need to quit chasing the Script Kiddie market with QML and purchase 
one of the handful of pimps specializing in embedded systems work, 
anoint them as the only place to get consultants blessed by Qt, pointing 
all customers there, then just take the skim off the top. Today, for the 
firms which don't engage in visa fraud and exploit illegals, that is a 
10-25% margin. Back in the 1980s it used to be 100-150% (I kid you not).

Getting back to the actual topic of this particular thread though, besides 
the relentless ex-wife grubbing for alimony commercial licensing 
situation, the mish-mash of OpenSource licensing is really killing Qt as 
an option at companies who don't have an in-house legal department. Most 
who talk to me about it take one look at the pages which have been 
linked in this thread and say "that's it, we'll use Electron or 
insert-competitor-here."

Most everybody wants one single license to read. At 2 they start tuning 
out, at 3 they quit.


-- 
Roland Hughes, President
Logikal Solutions
(630)-205-1593  (cell)
http://www.theminimumyouneedtoknow.com
http://www.infiniteexposure.net
http://www.johnsmith-book.com
