
Re: Bug#765512: general: distrust old crypto algos and protocols per default



On Thu, Oct 16, 2014 at 05:42:23AM +0200, Christoph Anton Mitterer wrote:
> On Wed, 2014-10-15 at 18:31 -0700, Russ Allbery wrote: 
> > It feels to me like you're spending lots of time telling other people
> > they're wrong and telling other people what they should be spending time
> > on, and then arguing with anyone who tells you that how you're going about
> > this isn't effective.
> Well isn't that somehow the point of discussion and defending one's
> opinions? Don't you just do the same?

There's no point having an argument unless you are prepared to have *your*
opinion changed.

I work for a University Computing Science department which has a research group
dedicated to Security research. They have a fair amount of success and there
are some very bright people in the group. My former boss, the Head of School,
originally set up the security group. We discuss these issues from time to
time.  He told me that one of the biggest problems they have with new
researchers is getting them to understand that security in the real world is a
matter of compromise. A lot of researchers come in with an attitude quite like
yours: absolutist. This is either insecure and must not be used in any
circumstances ever, or it's secure. The problem is this simply doesn't work,
for many reasons including the ones that Russ has done an excellent job of
explaining. The clients of the research group, including some large companies
and government departments with acronyms for names, know this. The good science
that comes out recognises this.

From one of your other posts you make it quite clear that you appreciate the
practical difficulties of trying to get any distro-wide change made in Debian:
buy-in. If you want to see security in Debian improved, that's where your
efforts need to go, towards seeking buy-in. Read and carefully consider the
advice people have given you here regarding your approach, using things like
release goals, gaining consensus, altering your argument style, etc., if you
want any hope of achieving your ultimate goals.

