Message-ID: <L14GKS6NenAaizYfAL1_wfSb0GYF9nnxQCUc5bB29pkHaIKrtWCn4qtCAXr8sxuo1GOtG2yiH2zsHOV7iSizWFi8yaEt6O0mGfTh02j2xU4=@proton.me>
Date: Sat, 24 Jun 2023 11:23:18 +0000
From: cbf0001@...ton.me
To: oss-security@...ts.openwall.com
Subject: Re: Opinion: Governments don't want IT security, they want to have cyber weapons

I agree with Solar and David, please stop lowering the bar with content that is not relevant to the distro subscribers.

Warm regards,
Cbf Primmo

On Fri, Jun 23, 2023 at 21:37, David A. Wheeler <dwheeler@...eeler.com> wrote:

>> On Jun 23, 2023, at 6:28 AM, Solar Designer <solar@...nwall.com> wrote:
>> I actually think we should be rejecting postings like this. I accepted
>> this one as an example. By "postings like this" I mean rants without
>> proposed solutions, not helpful for this community (and where replies
>> are unlikely to be helpful either), and/or lacking focus on Open Source.
>> I think in this case it's all 3 of these.
>
> I agree with you. I'd prefer if this (and ALL mailing lists) tried to stay on-topic. Currently that's
> "Discussion of security flaws, concepts, and practices in the Open Source community".
>
>> I think the recent thread
>> "The AI chatgpt writes insecure code" was of similarly questionable
>> value for this list's subscribers.
>
> I think the *first* post that "AI systems (including LLMs)
> often generate insecure code" was plausibly on-topic.
> Now that it's happened, we don't need any more such posts.
>
> If someone has a solution, with evidence that it *works* and can be used in OSS,
> that would be relevant (and possibly interesting).
>
> Regarding your comment:
>
>> I think most governments do want IT security. Some also want "cyber
>> weapons", which is partially contradictory, but that's how it is:
>> https://en.wikipedia.org/wiki/NOBUS
>
> Since we're on this topic, my understanding of US policy (at least at one time) was that
> it's considered a trade-off, so what will be done is decided on a case-by-case basis by the "VEP process":
> "The Vulnerabilities Equities Process (VEP) balances whether to disseminate vulnerability information to the vendor/supplier in the expectation that it will be patched, or to temporarily restrict the knowledge of the vulnerability to the USG, and potentially other partners, so that it can be used for national security and law enforcement purposes, such as intelligence collection, military operations, and/or counterintelligence."
> https://trumpwhitehouse.archives.gov/sites/whitehouse.gov/files/images/External%20-%20Unclassified%20VEP%20Charter%20FINAL.PDF
> That's a little old, and I don't know if the policy has been changed, but that's an official page from the US archives.
>
> I have opinions about this policy, generally negative, but I think that discussion is outside the scope of this mailing list so I'll stop there.
>
> So having discussed this, I look forward to more messages focused on the topics of this mailing list :-).
>
> --- David A. Wheeler