Date: Sun, 30 Mar 2014 22:32:11 +0400
From: Solar Designer <solar@...nwall.com>
To: Georgi Guninski <guninski@...inski.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: [OT] FD mailing list died. Time for new one

Georgi,

I reluctantly approved your posting for distribution to oss-security (so far, 100% of your postings made it to the list), although I find it of very little value for the reasons given below. If you post another one that is about as useless, we will likely reject it. However, if you finally do explain things clearly, this might be worth another message. Maybe make a blog post and announce that. Try to write it really well.

On Sun, Mar 30, 2014 at 07:41:22PM +0300, Georgi Guninski wrote:
> Just for the record of the old FD,
> i posted there anonymously and
> even killed at least one bug in
> widely used open source warez in
> un-orthodoxal way.
>
> The CVE servants got the bug
> significantly later after the
> announcement :)

What's the purpose of posting this?

Like with much other stuff you posted, you're failing to make it clear just what message you're trying to get across. Do you want someone to be doing something differently? If so, who, and what exactly?

I think you do have a message, but it's all obfuscated by the hints, sarcasm, you pretending to be humble ("OT", "don't care" - then why post, as someone told you). Maybe try to write _one_ essay where you'd explain your point of view and the rationale behind it in a way that would be clear to most readers. Right now, your anti-CVE stance looks plain ridiculous to most people, and it'd stay that way unless you explain it very clearly, with rationale given. "Oh, those guys support responsible disclosure, so I'll boycott CVEs even for vulns to be disclosed publicly right away" does not sound reasonable to most readers, regardless of whether they'd possibly agree with your opinion (if you did give the rationale) or not. If you do have a good rationale for what you're doing or advocating that others do(*), then do explain it clearly!

(*) It is unclear what you're advocating people to do, even. One thing you did mention is you want a fully unmoderated full-disclosure list - and you were told (by Fyodor, I think) that you're welcome to set one up if you like. I don't think anything else may be done in that respect. For CVEs, it is _totally_ unclear what you'd like people to be doing or not doing. Did you ever explain that?

> maybe solardiz is using the
> mainstream patch i suspect.

I have no idea what you're referring to. Chances are most folks on oss-security don't know either. I'd appreciate it if you tried to make your postings actually useful to at least someone.

No brief/partial responses to the above, please. Let's not continue this thread one tiny bit at a time. If you feel like responding, and I hope so, please respond in the form of an essay, covering all of the issues you find important - without sarcasm, without hints (but with clear references instead), without pretending to be humble. And in case you are in fact that humble and you actually "don't care" (I doubt it), then please don't waste your and anyone else's time.

Thanks,

Alexander