I didn’t want to blog about this, but it seems like I’m forced to.
Today, while I was reading Planet KDE on Google Reader, I read something quite worrisome: this blog post by Boudewijn Rempt. Worrisome because it seems to depict our ex-developer Andrea “lcars” Barisani as a newbie in software security and oCERT as a scam.
Now, I have worked with Andrea quite a bit in Gentoo, and oCERT is the security handler for the xine project as well as my first contact when I find interesting things. I wouldn’t believe for an instant that Andrea would try to sneak a backdoor into the code. Still, it’s worth noting because I do have a responsibility for the xine project, so I don’t think he’d be upset with me double-checking the facts.
I thus asked Robert about it, and he pointed out that our very own Ferris reported the failure! (And I would like to thank Ferris once again for always checking test failures, especially for security issues; it’s not the first time he has caught something like that.) And as Boudewijn said in the post update, Marc Deslauriers from Kubuntu identified the problem in a change from upstream that was reverted.
Okay, so why am I writing this post? Well, I first protested in the blog comments to say that if the two of them had never heard of Andrea or oCERT, that’s quite their problem, and that trusting upstream just because, well, it’s upstream is not always the right thing; as it turns out, it was an upstream mistake after all. I also noted that the post itself was FUD against Andrea and oCERT from a spiteful upstream that tried to put the blame on malice, and that if we are to insult somebody as not to be trusted because one patch, out of the many that Andrea coordinated before, fails, then we should start looking at every project’s commits to see who has introduced which security bug and then point them out as malicious.
Interestingly enough, though, while expecting a reply, I noticed that the post now has no comments at all. When I posted mine there was another in Andrea’s defence, with the author replying that even if it was a mistake he was not to be trusted; one from me, with a reply from another person; my reply to that; and a comment from “joe” pointing out it was upstream. That makes six comments, not zero. I checked a couple of times to make sure it wasn’t a broken cached page, too.
I could think this was a bona fide mistake of the database, the blog admin panel or anything like that, but as my post’s title says, you get what you ask for, and I am now to understand that Boudewijn Rempt has maliciously deleted the comments that pointed out he was just reporting a woeful reply full of FUD, and he is, thus, not to be trusted.
And if I were to apply his own logic, the whole Krita project’s code should not be trusted; it might be just one huge backdoor. But I know some of the people working on KOffice are pretty cool and nice guys, so I wouldn’t want to say that. But sure as death, I’d wish that some of Boudewijn Rempt’s peers in the KDE project would actually try to teach him that this type of post is just poison against the people who tried to help the community; maybe he’d be able to trust those. Or maybe he’ll just feel angry that I’m reusing part of his own strategy against him.
You get what you ask for, as I said.