List:       kde-core-devel
Subject:    Re: Outstanding critical issue for KDE 2.2
From:       George Staikos <staikos () kde ! org>
Date:       2001-08-02 2:07:41

On Wednesday 01 August 2001 21:28, George Staikos wrote:
> On Wednesday 01 August 2001 21:24, Neil Stevens wrote:
> > On Wednesday August 01, 2001 06:09, George Staikos wrote:
> > >    We have a contract to the user that his data is entirely encrypted
> > > except for in RAM when that lock icon appears.  If it is not being
> > > encrypted, we are liable.  It is 100% our fault in that case.
> >
> > Is that documented?  I've never seen that mentioned before.
>
>    If it isn't, it is now.  That's the presumption that I've always worked
> on when developing the SSL features of Konqueror.

   To clarify this, I don't mean we are liable in a contractual sense as it 
looks like I wrote.  I mean that we are STUPID for knowingly shipping 
functionally broken code and that users should never have used such broken 
code to begin with.  The user expects that the lock icon does exactly what I 
outlined, and if it doesn't, then our code has a bug.  The code is of course 
provided without warranty (as says the licence we ship with).  However, I 
don't want it on my conscience that this has caused anyone any problems.  I 
also don't want my name and reputation associated with it.  Finally, I don't 
want the bug reports for this being emailed to me. (as I've had happen so 
many times already for related things -- How many of you have had a CERT 
advisory against your code?  Tell me after if you would consider such a 
scenario so lightly.)

    This is a security hole.  I have already had some values written to my 
disk that should not be there under any circumstance.  Netscape doesn't write 
it there.  KDE shouldn't either.

-- 

George Staikos
