[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Userops] Userops Acid Test v0.1
|
From: |
Christopher Allan Webber |
|
Subject: |
Re: [Userops] Userops Acid Test v0.1 |
|
Date: |
Wed, 04 Nov 2015 10:28:36 -0600 |
Asheesh Laroia writes:
> On Tue, Nov 3, 2015 at 1:32 PM, Christopher Allan Webber <
> address@hidden> wrote:
>
>> Asheesh Laroia writes:
>>
>> > Sorry to keep self-replying here.
>> >
>> > Another aspect for your "Security" list:
>> >
>> > * Automatic updates.
>> >
>> > People don't update the free software they self-host. Mozilla doesn't;
>> > Pirate Party doesn't; La Quadrature du Net doesn't; Wikimedia doesn't;
>> > Framasoft doesn't; and so on. You can see the evidence for that here:
>> > http://blog.etherpad.org/2015/03/04/update-your-etherpad/
>> >
>> > So we now have the data: if there are no auto-updates, people do not
>> > update, even with free software. The world has run the study, and the
>> blog
>> > post at etherpad.org shows the data.
>> >
>> > I write the above _intending_ to sound dogmatic; I think this is a lesson
>> > that the free software world as a whole has not learned, so I am
>> passionate
>> > about making the point.
>>
>> I think the auto-update approach has a problem: it means that every
>> application becomes its own package manager. I don't think we're going
>> to reduce the complexity of our systems via this approach. I already
>> have too many package managers to handle! Each of my applications
>> having one won't make things easier for me, I think.
>>
>
> If a prescriptive approach ("You MUST auto-update to be userops compliant")
> doesn't work for you, I wonder if you'd prefer an empirical one -- for
> example, userops researchers should be scanning a random sample of
> installed systems of Debian's new web app packaging, guix, sandstorm, etc.
> and finding out if people are vulnerable to security bugs in outdated web
> apps.
>
> This way, every userops system can handle this however they want, and we
> can find out empirically if the real practical question -- exposure to
> security issues in apps that leak user data -- is something that the tool
> has a good story for.
>
> And I'm not *sure* this is the best approach to finding out empirically if
> people are vulnerable to app bugs, but IMHO this is a hugely serious issue
> (as per blog post I linked-to; the bugs defeat all user privacy on these
> Etherpads) so I think the Userops "Is this system good or not?" would be
> remiss to not consider app bugs one way or another.
>
> If you wish, I can probably be responsible for writing the scanning tool,
> though I'd hope someone else would step up to do it instead of me!
>
> Curious what you make of that idea. And taking a month or two to reply is
> fine, honestly!
That's a direction I think makes a lot of sense!