On Tue, Feb 11, 2003 at 08:48:46PM +0200, Buchan Milne wrote:
> Surely it's up to the shareholders to decide what information needs to
> be *publicly* (by which I mean accessible to people who are not
> shareholders) accessible. Publishing such information could artificially
> deflate stock prices, which is not in the shareholders' interest.

Actually no. Shareholders in publicly traded companies have no greater rights to information than the general public. This is because the general public needs this information to make decisions as to whether they want to buy a stock or not. But even if there were two classes of information, shareholders have not been informed of this material change in Mandrakesoft's operations.

As far as changing the stock price of Mandrake's stock, I sure hope you meant that as a joke. Mandrake's stock is halted. It hasn't traded since Dec. 17th. So there is nothing to change the price of:
http://finance.yahoo.com/q?s=MAKE.PA&d=v1

> You can, by preventing them. How would people say something like "the
> Mandrake community led by Ben Reser is considering forking the Mandrake"
> if you stated on your page that you don't claim to represent anyone but
> yourself. Sure, you don't have to do this, but in light of what your
> current rant has done, it would be responsible.

As far as I know the only thing my "rant" has done is simply create the discussion. Which is really all I wanted to do. If it really makes you feel better I'll say that it's my opinion. But as far as I know I haven't seen anyone who's assumed otherwise.

> As long as you try and ensure that anyone who had read it would not
> continue to be misinformed (such as post a link to "corrections" or
> ensure it is addressed in your next rant.

The first section in the next "rant" is a list of Clarifications. It covers the items you've brought up.

> Maybe because they think people are willing to pay? Why does Sun sell
> StarOffice, when there are almost no differences between it and
> OpenOffice.org?

That's fine. But we're only getting these clarifications now, long after the questions were raised.

> For *most* people you could say Mandrake isn't free at all, they have to
> either buy it, or (horror!!!) search for it on ftp mirrors and such.
> Just like the updates ...
>
> Really, you can't then compare Mandrake to ISC as you did in your rant.

I can. But it's probably a stretch now that it's more clear what Mandrakesoft is doing. But at the time they didn't bother to clarify. I published my rant practically a *MONTH* after I raised the issues. However, I really do think $5 a month to download from a private ftp site and use a GUI which you paid $1900 for is silly. Especially considering that MNF is a security product. If the updates aren't part of the initial price then just what are you paying for? At any rate you're getting on my case for a month old post using information that wasn't available at the time. Sorry but I don't have a time machine.

> ftp://mandrake.redbox.cz/Mandrake-iso/i586/md5sums.9.1beta3.asc
>
> But you list issues with possible compromising md5sums, and provide no
> solution. Also, what key are we checking the sig with? The one from the
> ISO? If you got it with gpg, what's to say the gpg package on the
> trojaned ISO wasn't trojaned to not import Mandrake keys but a
> compiled-in key?
>
> I think the current signed md5sums are fine, but you claim problems with
> it, and fail to provide any solutions.

I thought the solution was obvious. Create detached sigs for each ISO. Provide the keys from various sources, including Mandrake run and controlled websites. The problem with simply signing the md5sums is that you are:

a) Relying on a protocol which has been shown can be manipulated to produce the output you desire: http://ftp.ics.uci.edu/pub/ietf/http/hypermail/1996q2/0236.html (Yes, we've known about this since *1996* and yet people still use md5 sums). This means you can't rely upon the sums to be proof that a file has not been modified. Given that the ISOs are several hundred MBs of data, it's a sufficient amount of data to create some flexibility for modification.

b) It creates a two step process. First you must verify the GPG sig on the md5sum and then verify the sums. This means for users on non-Linux systems not only must they track down GPG but they must also track down a md5sum program.

The ideal solution would be to publish md5sums and detached GPG signatures. Users could choose whichever they felt comfortable using or had the tools available to use. The md5sums could continue to be signed. The accompanying readme could be updated to encourage users to use the GPG signatures. I left this out from the "rant" because it was a rather technical issue that was not a concern to most users, and really was straying from my topic at hand.

> But we know that getting some things accomplished here requires
> persistence. Like getting an account with rights to upload to contrib.
> Like getting a patch in. I don't see why the issues had to be made
> public (except the stock issue, which is not a development or security
> issue), when they belong on the lists IMHO.

Buchan, I've put a lot of effort into a lot of those issues. I pestered Vincent over a period of months about the ISO signatures. He passed it along to the appropriate people. But really this is way offtopic. If you want to come to freenode to continue this conversation or simply to move it to private email that's fine. My nick on freenode is ResDev.

-- 
Ben Reser <[EMAIL PROTECTED]>
http://ben.reser.org

"America does not go abroad in search of monsters to destroy. She is the well-wisher to the freedom and independence of all. She is the champion only of her own." -- John Quincy Adams, July 4th, 1821
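The two verification routes contrasted in the mail above, as an added Python example that is not part of the original post or of Mandrake's tooling: a checker for an md5sum-format sums file (step 2 of the signed-md5sums route, which only proves the download matches what was listed) and a thin wrapper around gpg --verify that covers both step 1 of that route and the one-step detached-signature-per-ISO route the mail proposes. The file names, the stand-in ISO contents and the helper names are constructed for the demo.

```python
import hashlib, pathlib, shutil, subprocess, tempfile

def parse_sums(text):
    """Parse md5sum/sha*sum output: '<hex>  <name>' (text mode) or '<hex> *<name>' (binary)."""
    sums = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        sums[parts[1].lstrip("*")] = parts[0].lower()
    return sums

def file_digest(path, algo="md5"):
    """Hash a file of any size in 1 MiB chunks (ISOs run to several hundred MB)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def check_sums(sums_text, directory, algo="md5"):
    """Step 2 of the signed-md5sums route. Returns {name: 'OK' | 'FAILED' | 'MISSING'}."""
    base, results = pathlib.Path(directory), {}
    for name, expected in parse_sums(sums_text).items():
        p = base / name
        results[name] = ("MISSING" if not p.is_file() else
                         "OK" if file_digest(p, algo) == expected else "FAILED")
    return results

def gpg_verify(sig_path, data_path=None):
    """Step 1 of the two-step route (gpg_verify('md5sums.asc')) or the one-step detached
    route (gpg_verify('cd1.iso.asc', 'cd1.iso')). The signing key must already be in the
    keyring, obtained out of band; the mail's point is that it should come from several sources."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg not installed")
    cmd = ["gpg", "--batch", "--verify", sig_path] + ([data_path] if data_path else [])
    return subprocess.run(cmd, capture_output=True).returncode == 0

def demo():
    """Constructed sample: stand-in ISOs; cd2 is altered after the sums were made, cd3 is missing."""
    d = tempfile.mkdtemp()
    cd1, cd2 = pathlib.Path(d, "cd1.iso"), pathlib.Path(d, "cd2.iso")
    cd1.write_bytes(b"image one " * 100)
    cd2.write_bytes(b"image two " * 100)
    sums = f"{file_digest(cd1)}  cd1.iso\n{file_digest(cd2)} *cd2.iso\n{'0' * 32}  cd3.iso\n"
    cd2.write_bytes(b"image TWO " * 100)  # the mirror now serves a modified file
    try:
        return check_sums(sums, d)
    finally:
        shutil.rmtree(d)
```

Passing `algo="sha256"` to `check_sums` handles a sha256sum-format list with the same code, which is the cheap fix for point (a) once the publisher stops relying on MD5; the signature check in `gpg_verify` is what actually ties the file to the publisher either way.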
