You should not trust, but verify.
https://www.darkreading.com/vulnerabilities-threats/rutkowska-trust-makes-us-vulnerable
All the rest is a more or less nicely worded return to medieval pillory methods.
3 Likes
I agree with the idea of discussing problems with contributor behavior openly in many cases, and that it can point to wider problems if this can’t happen at all. However, the mods have now asked us not to do this in general. I think you now need to have this conversation first in private with the mods - see if you can undo some of the damage - and/or in a different forum.
2 Likes
Personal attacks that spread FUD based on unfounded accusations and beliefs that are not shared by the community tear at the social fabric and should not be tolerated by the mods, nor by the rest of us.
3 Likes
Even if it would be true, I don’t get it how that would gain trust in Qubes OS then? It would be exactly the opposite - either contributor wasn’t assessed well by the rest of the team, or the whole team is an asset defending such a contributor.
So, anyway you break it down, it comes to if you trust Qubes OS or not.
Or you’re an asset trying to undermine trust in Qubes OS.
1 Like
So you expect all users to learn all the source code for qubes os and become a cyber sec professional to check for vulnerabilities?
I have to disagree with everything you said. In the OP i said “reasons” and you translate that to personal attacks and fud and unfounded accusations? Are you a politician? It is possible some users will make an unfounded accusation by mistake or intentionally but that doesn’t mean you try to forbid all users from making talking about valid reasons. That’s the approach state actors typically take, making something controlled or illegal just because 0.01% of the population do something bad. Then you say those “reasons” which haven’t been shared yet, are not beliefs shared by the community, as if you can see into the future, and as if you can read everyones mind and therefore can speak for everyone. And then you command the mods and everyone else what they should tolerate and not tolerate.
You can also turn that around and say that those who want to undermine qubes os, don’t want to have attention. They would prefer staying in shadows and forbidding everyone to raise concerns about them.
Which government would you have more trust in?
Gov 1: Censorship, forbids criticizing the gov, no free speech, state actors are above the law.
Gov 2: free speech, transparency, openly handles any criticism.
I would trust qubes os more if it acted like gov 2 in the above example. Gov 1 would clearly be afraid of leaks and honest/true/real news.
I also have to add that if qubes team is afraid that qubes os will “fall apart” or something if people are allowed to share trust concerns (similar to how authoritarian states are afraid of free speech), then qubes os wasn’t really that reliable in the first place. Are you really going to trust qubes os with your security and privacy if you think a few words on a forum will make it “fall apart”? I don’t think qubes os will “fall apart” but even in the worst case it somehow happens, then I think it will come back again stronger than it was before. What I expect to happen if people can speak about reasons for not trusting a specific contributor, is that the trust in qubes os will grow stronger.
OK, let’s talk with the facts: point me to a spot someone forbid you to challenge trust in anyone?
Try not to whitewash it, just point to the spot, share a link. No essays, no spin-offs and similar please.
nokke already linked to a qubes team member telling everyone to only talk in private about these things.
Wait, you were asked, not ordered (did you note the word “please”?) And the post by deeplow was about spamming and trolling, not about “uncovering the truth”. You brought “your case” to so many topics and posts and yet you still can not leave it. Are you aware at all of reaching the point of spamming and trolling?
And, don’t forget that I was probably the first one to call unman an asset…
So is it ok for me to make a few different topics in the general discussions, i would like to start with one about ephile. Where am I supposed to post?
I think having a mega thread would be a good way to handle it.
And what case did I bring to many topics? I can’t remember anything like that. What is it that I can’t leave? I have no idea what you are talking about. I think you are trying to derail this topic with unfounded accusations.
Reminder that you post these messages on a private forum, rather than in a governed state.
Quoting @adw,
The fact that you couldn’t stick to discussing the post you quoted and I replied to, is the proof I knew what will happen when asking not to spin-off, write essays, etc. So, yes, you are spamming and trolling with each new post.
We all know you position on unman. When you repeat it more than 3 times, let’s say, then you either insult others’ IQ, or you are actually dumb, or malicious. There’s no fourth option.
So, look at me. I will leave it here, and you will slam yourself by insisting further.
Examples of unacceptable behavior by participants include:
Trolling, insulting/derogatory comments, and personal or political attacks
No, I don’t expect that. But I do expect them to understand enough about security that they are simply willing to read the documentation and examine the code for themselves where they require trustworthiness or calculated risks. The code is freely available. In all parts.
Anything else would be judging on the basis of blind faith or some kind of Dunning-Kruger effect (I’m just talking about myself, if anyone has any doubts).
Why the one would exclude nuanced judging? For example: QWT was proved to be “compromisable”. The devs immediately stopped to provide support for it, and we are so tortured, for so long by them to get the new. proper version of it. SO, I can judge by that, that I can trust the devs because that looks like they care about (our) security, since otherwise if they’re compromised, the things would happen much more “smother” for us.
You’re evading my questions. But I think you are spreading propaganda and not interested in honest debate. You keep making unfounded accusations and throwing unnecessary personal insults.
Regarding unman, he is the one who kept telling me to make accusations when I repeatedly told him that I don’t want to accuse anyone. He kept pushing and pushing. Don’t take my word for it, just start reading, it’s all there in chronological order as proof. And I still held back in the end, he welcomed me to make a topic all about him, I have his permission to do that right now if I want to, but I haven’t done that. But you know this already and ignoring it. You are not here for honest debate, just propaganda.
You are right. But it’s pragmatic faith in a social construct. You still have to trust and you can’t be sure.
If it were my economic livelihood or my personal freedom, or worse, my life, I wouldn’t “trust”. I would want to be absolutely sure. As sure as possible. And I couldn’t delegate that to other specialists. I wouldn’t even be able to judge their actions. That would only shift the level of the problem: “Who is watching the watchmen?”
That’s why I think in those cases where security is strictly required, you have to be(come) a specialist yourself (at least to some extent).
That’s why I wrote “if you require trustworthiness or calculated risks” etc. Sorry if that wasn’t made sufficiently clear. (And just in case anyone had any doubts: No, I don’t study medicine before I go to the doctor. I live with the risk and leave the rest to the principle of “social probation”.)
I understood your points, and in general I agree with them: to be as sure as possible. And I agree that people tend to delegate responsibility for their own well-being to others. I just wanted to point out that there are people in the middle finding a balance.
Comparing this with the real life ("No, I don’t study medicine before I go to the doctor. " - I actually do “study”) directly depends on each one self’s threat model. I do “study” before (and after) going to a doctor, because that threat model is much more impactful on my life.
OK. If it’s a surgical procedure or something similar I’d do the same. But not for routine stuff.
In any case, I think it’s important to distinguish between trusted and trustworthy: A trusted system or component is one whose failure can violate the security policy, while a trustworthy system or component is one that won’t fail on you. That’s why trust is necessarily bad; no Delphi method, certificate, or other pixie dust add-on could change that. But that’s just what the topic opener suggested: “trust is important”.
1 Like
As I see it. AI will help us more to check the code. For that, of course, we’d have to trust AI, hahaha