[Interest] Qt free software policy

Roland Hughes roland at logikalsolutions.com
Mon Aug 19 14:29:08 CEST 2019


On 8/19/19 5:00 AM, Thiago Macieira wrote:
>>>> To start with, there is no version of OpenSSL which is secure. Whoever
>>>> is using Qt just because it makes using SSL easy(ier) shouldn't be using
>>>> Qt anyway because they are releasing an insecure app they incorrectly
>>>> feel is secure.
>>> That's very disingenuous.
>> Honestly, it is a _completely_ accurate statement. Hopefully you had
>> time to watch the "60 Minutes" report on "Pegasus" tonight.
>>
>> https://www.cbsnews.com/video/ceo-of-israeli-spyware-maker-nso-on-fighting-terror-khashoggi-murder-and-saudi-arabia-60-minutes/
> You're going from disingenuous to actively counterproductive.
No, I'm being highly productive. I'm sorry if it is an inconvenient 
truth, but SSL is not secure. Too many in here are buying the BS in the 
name "Secure Socket Layer" and knee-jerk using it then claiming their 
application is "secure." The truth is they haven't even attempted security.
>
> We know OpenSSL has problems. My point is that all problems are fixed as soon
> as they are known. We can't prove mathematically that there are no problems,
> so the best we can do is fix as soon as possible and upgrade.
It has an architectural flaw which cannot be fixed. Flaws in OpenSource 
have a history of going multiple decades before being outed to the 
general public (à la the Bash bug which allowed anyone with access to a 
Guest account to become root user on the machine.)
>
> And there's no better option.

There are many better options. None of them are one and done unless you 
purchase a security package of some sort, be it a private VPN or a 
library which allows your app to create its own private VPN.

For the no-license-no-money you have to roll your own rotating book code 
and recipe servers. No two packets in any transmission use the same key. 
No consecutive packets use the same encryption. Taking it to the 
extreme, none of the data is sent complete or logically grouped. At the 
end of each book is the server and creds to obtain the next book. Please 
don't confuse "book" with there being a requirement for using an actual 
published book.

>
> I never claimed that using OpenSSL will make your software magically secure.

No you haven't and thank you for that. Others, two in particular who 
know less than nothing about most things, especially security, have made 
such a claim to someone who actually asked the question. Others will 
find that thread, read it, and release an insecure system.


> The crypto itself has never been broken.

That would be an incorrect statement.


> Quick note: before reading any patents, consult your lawyer.
Actually, I have the lawyer read the patents. <Grin>
> I somehow think that 25 years of knowledge of the segment and close
> relationship with very big consulting companies like KDAB and ICS would have
> told them if it was enough.
>
> So I think you're wrong. You're probably underestimating how much money they
> could make off consulting alone.

No. I'm thinking your definition of "very big" needs to be upgraded. 
Assuming

https://www.kdab.com/

https://www.owler.com/company/kdab

Estimated Annual Revenue
$ < 1M

I consider the one I like to deal with "small"

https://www.tripleco.com/

https://www.owler.com/company/tripleco

Estimated Annual Revenue
$16.2M

Having said that, I can say that the "consulting" services provided to 
one of my clients before I joined the project (at no small fee) 
attempted to use a state machine (because it was brand new) to solve a 
problem which was so completely inappropriate for a state machine even a 
first year IT student wouldn't have tried to use it. The code, if 
printed on Charmin, still wouldn't have served a purpose.

The reason I bring that up is that yes, if that is the level of 
"consulting" the "new" owners of Qt are still providing, they won't earn 
a plug nickel and rightly so.


> PS: Electron, containing Chromium, has FAR MORE licenses inside than Qt.
> Including a copy of FFMPEG, which contains multimedia codecs that may be
> patented.

Yeah, but the Script Kiddies creating idiot phone apps never bother 
reading them. They just hack something out and hurl it up on the Google 
App store, firmly believing that Google, the largest copyright infringer 
and book pirate in the known universe (Google Books) won't press the 
issue. If they do then it is possible that __finally__ Google execs and 
board of directors will go to prison where they should very well be.

PS. The Internet Archive is now attempting to take the copyright 
infringement and piracy crown from Google.

http://www.interestingauthors.com/blog/publishing/controlled-digital-lending-book-piracys-new-name/


-- 
Roland Hughes, President
Logikal Solutions
(630)-205-1593  (cell)
http://www.theminimumyouneedtoknow.com
http://www.infiniteexposure.net
http://www.johnsmith-book.com



