@w
> This is fucking evil shit.
While you were sending angry DMs and refusing to answer "What the hell did I do that you're so pissed about?" and then stirring up a panic by also refusing to answer simple questions like "What is the impact of this, are all the admin tokens compromised?", I'd very much like not to have some stupid internet fight, so I held off until I saw this. But if you're insisting I'm evil (among other things in this thread), maybe I ought to say something.
The reason for a disclosure timeline is to give people time to apply a mitigation or patch. You give the vendor a chance to patch (that is, you and r, and to a lesser extent, me) and you give people time to apply the patches or do the mitigation. The point is to give notice to people that are affected and to give them a chance to avoid being impacted. It makes no sense to try to gag the stakeholders and panic users, so I just assumed that's not what we were doing. So I see your big announcement, people are asking me whether they need to stop using bloat, I just assume that you wouldn't be panicking people for no reason and I tell them the impact, and you start yelling at me over DMs. If the plan was "Just scare people and tell them to shut it all down because a bug exists and it might be tenuously called a security bug, but don't give them anything useful" then it should be completely understandable if I misread the plan, because no one would expect that plan.
There's already a patch. There's no reason to tell everyone to turn anything off; just send the patch to people that run public instances of bloat and tell them that you'll avoid discussing the bug in public for a couple of days. Unless you explain the impact and communicate the problem to people that are affected and able to do something about it, you've done more harm than good. No need for extra pageantry or two days' lead time, because it doesn't actually help anyone. Last I heard, you were planning to wait an additional week anyway. If it's actually serious, you don't wait to make some small tweaks to the patch to make it configurable, you send out the patch.
Theatrics don't serve any purpose but to hype a couple of very minor bugs. I don't think I'm "evil" for letting people that use the software know about the impact (because that's what anyone would do) and crying wolf about security bugs is going to get you ignored if you actually find one; I think it's more evil to try to scare people without letting them know what's so scary.
> The issue is being downplayed now to a misleading/factually incorrect degree. DO NOT USE THE CLIENT.
Since I've seen the issue and am right now typing this message on bloat and have not felt the need to apply any patches to bloat, I can say that I am certain that the issue is not being downplayed but rather inflated. Here: https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure