Date: Tue, 12 Apr 2011 15:15:45 -0400
From: Steve Pinkham <steve.pinkham@...il.com>
To: phil <jabea@...ea.net>, full-disclosure@...ts.grok.org.uk
Subject: Re: Announcement posts and the charter (was Re: INSECT Pro 2.5.1 released)

On 04/12/2011 09:04 AM, phil wrote:
> Just keep that simple, the post hit the non-acceptable content.
> 
> "Gratuitous advertisement, product placement, or self-promotion is
> forbidden."
> 
> 
> 
> My opinion, but if the product could be free, like it was, then I don't
> mind seeing those kinds of posts, but for anything commercial FD is not
> there for that.
> 

I agree, but think that intuition should be inscribed in more precise
language.

That whole sentence starts out with "Gratuitous", which to me seems to
be unclear to both native and non-native speakers alike. IMHO it's just
too easy to justify to yourself that what you are doing does not
violate the wording of the charter, and therefore I think the charter should
be more explicit.

When would it be OK (non-gratuitous) to mention a tool? When it comes
with a new vulnerability class? When it was used to find a particular
flaw? When it shows a novel way of finding flaws of a particular class?
When the tool is Open Source, such that the tool is an embodiment of
knowledge being shared?

This whole issue with INSECT Pro shows a lack of consensus on what
advertisement means, and what kicked it off was a disagreement about
what the definition of a "free" product is.

I'm coming around to the idea that the rules should be based on
knowledge transfer. My intuition is that only projects with OSI
approved licenses should be allowed (as Tim argued), unless you are
releasing a tool of any sort along with a new class of vulnerability.
Also, announcements of more than 1 per six months should be forbidden
for any project. This would serve as a sort of default deny rule to
keep the most annoying types of announcements at bay.

Any other thoughts?

The other possibility is that the current wording is sufficient as a simple
"Don't be a dick" kind of rule, and more specific rules would be lost on
those who have no problem with being a dick. I would argue that more
guidance in the charter on this issue might be worthwhile for the
majority of people who do not in fact want to break Wheaton's law.


> 
> -phil
> 
-- 
 | Steven Pinkham, Security Consultant    |
 | http://www.mavensecurity.com           |
 | GPG public key ID CD31CAFB             |

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/