Re: [Userops] Userops Acid Test v0.1


From: Asheesh Laroia
Subject: Re: [Userops] Userops Acid Test v0.1
Date: Tue, 3 Nov 2015 14:25:10 -0800

On Tue, Nov 3, 2015 at 1:32 PM, Christopher Allan Webber <address@hidden> wrote:
Asheesh Laroia writes:

> Sorry to keep self-replying here.
>
> Another aspect for your "Security" list:
>
> * Automatic updates.
>
> People don't update the free software they self-host. Mozilla doesn't;
> Pirate Party doesn't; La Quadrature du Net doesn't; Wikimedia doesn't;
> Framasoft doesn't; and so on. You can see the evidence for that here:
> http://blog.etherpad.org/2015/03/04/update-your-etherpad/
>
> So we now have the data: if there are no auto-updates, people do not
> update, even with free software. The world has run the study, and the blog
> post at etherpad.org shows the data.
>
> I write the above _intending_ to sound dogmatic; I think this is a lesson
> that the free software world as a whole has not learned, so I am passionate
> about making the point.

I think the auto-update approach has a problem: it means that every
application becomes its own package manager.  I don't think we're going
to reduce the complexity of our systems via this approach.  I already
have too many package managers to handle!  Each of my applications
having one won't make things easier for me, I think.

If a prescriptive approach ("You MUST auto-update to be userops compliant") doesn't work for you, I wonder if you'd prefer an empirical one -- for example, userops researchers should be scanning a random sample of installed systems of Debian's new web app packaging, guix, sandstorm, etc. and finding out if people are vulnerable to security bugs in outdated web apps.

This way, every userops system can handle this however they want, and we can find out empirically if the real practical question -- exposure to security issues in apps that leak user data -- is something that the tool has a good story for.

And I'm not *sure* this is the best approach to finding out empirically if people are vulnerable to app bugs, but IMHO this is a hugely serious issue (as per the blog post I linked to; the bugs defeat all user privacy on these Etherpads), so I think the Userops "Is this system good or not?" would be remiss to not consider app bugs one way or another.

If you wish, I can probably be responsible for writing the scanning tool, though I'd hope someone else would step up to do it instead of me!

Curious what you make of that idea. And taking a month or two to reply is fine, honestly!
