From Oracle's Chief Security Officer: one of the finest marketing posts for free software I've seen in 2015

Alessandro Rubini rubini at gnudd.com
Tue Aug 11 19:41:19 UTC 2015


> Hmm, you're the only person so far I know of who hasn't reacted in shock.

Then you are lucky, because your acquaintance is smart and competent.

> * The attitude of security by obscurity, as if telling your customers
> "don't look!" stops the black hats for a second.

This I noted. Do you think normal people will? As I said, security
experts can laugh at their incompetence. But this is perfectly normal
for normal users.  I agree this is not a good advertisement for them
(unlike the "we'll send people to learn" I referred to), but it's not
hitting back either.  Whoever knows better is already not an Oracle fan.

> * Don't look for security holes in Oracle, it's a violation of your license.
> * If you find security holes, don't tell us, it's a violation of your
> license to have looked and we will send a legal notice telling you to
> throw away the information.

These I didn't notice (too long a post to read carefully). Thanks for noting.

> * It is true that someone found a pile of actual security holes, but
> we were totally going to fix them, honest! Some time or other.

I noticed. It's like above.

> * The tone of contempt for the customer, daring to look and ascertain
> their own security risk.

Again, my fault I didn't notice.
 

> This is precisely why we need software freedom.

Yes. But these arguments are hard to make, and hard to convey to the
public.  

> Reactions on Hacker News:
> 
> https://news.ycombinator.com/item?id=10039202
> https://news.ycombinator.com/item?id=10040428

Hacker chats. I can't show these pages around and make
people consider my point about software freedom.

So this is a good blog post to keep referencing when we talk to
technical people, although even there I fear it will only convert the
converted.  We may make a press release (I know somebody who might),
but it risks acting as an advertisement for them.

I fear we need stronger arguments to escape the Oracle trap.

Thank you, David, I appreciate your quote and explanation, but my
feeling is always like "we have all the arguments to win at large, but
we miss a way to reach the general public".

How can we exploit the awful naivety and misbehaviour of the
proprietary world?


A mate making PCB designs was complaining about my choice of using
KiCad and nothing proprietary, because I'm slower in doing this and
that...  but today he was lamenting his finances, disclosing how much
he's mandated to pay for the PCB tool *each year* even if it's a bad
period, work-wise -- and most likely he'd lose all of his own work
as soon as he stops paying.  But he didn't get the point (not yet, let
me work on him, but I have very few chances, I fear).

Now, how can we make KiCad (or gEDA) better and free these inventive
and proficient people from the risk of bankruptcy?  Not by showing
security naivety in their tool's vendor, I'm sure.


And, dear proprietary vendor: I know you read me, I'm not that naive.
*We* all know you read us, as we are not naive.  We just refrain from
posting when it makes sense to, and we use GPG, even.



