On 03.12.2013 19:03, Mike Bartlett wrote:
> Hi Joachim, Mike here from Gitter.
> We just posted an explanation on this on our blog:
> http://blog.gitter.im/the-write-stuff/
> Regarding JavaScript domains, it's fairly standard stuff:
> 1) Our own CDNs (multiple domains for performance reasons).
> 2) UserVoice Widget (for customer support)
> 3) MixPanel & Google Analytics (well, for analytics)
> 4) Optimizely (for split testing)
> Our APIs that talk to Github are all on our servers, not client side and
> are 100% within our control.
> Anyway. I hope the blog post shines some light on the situation and we'll
> soon be pushing an update which addresses some people's concerns.
Well, I have two issues with Gitter, one addressed, one unaddressed.
The issue you addressed is that Github does not give you the kind of
minimum permission that you need.
Ideally, you'd ask Github to design a better permission system. Or ask
your users to rally support for that. I find it a bit eyebrow-raising
that this approach wasn't mentioned, but it might be just an oversight.
The issue that you did not address is that Javascript means we're
essentially placing our PCs' keys under the doormat for you.
We need to trust in your honesty that you don't do anything bad with our
computers. Now I'm pretty sure you won't, but I know that this kind of
trust is misplaced in, say, 5% of cases, and among the 20 people whom
I'd like to trust, I don't know which one of them is the 5% case who's
going to install adware or a zombification rootkit.
To use Gitter (or *any* JS-based website, actually), you're asking us to
also assume that you didn't get a National Security Letter forcing you
to install an exploit and never talk about it.
You're also asking us to trust not only in your honesty but also in your
competence as a website admin - that gitter.im will never be hacked,
that you have proper security procedures in place in case there is a
breach, that kind of stuff.
Now if you're using all kinds of third-party Javascript, you're also
asking us to trust not only you but also all of these third parties.
Which is a clear sign that you didn't consider the security concerns of
your users at all. Your answer that explained what these scripts are
supposed to do, instead of explaining how you're preventing them from
doing something you didn't intend, was further confirmation that you
haven't thought users' security through... and it's confirming my
decision to not use Gitter, I have to say (no offense intended, it's
just that you neglected an important part of my security while asking me to
make an exception to my security, and that simply doesn't fly).
I hope I made my background a bit clearer.
Regards,
Jo
--
You received this message because you are subscribed to the Google Groups
"sympy" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/sympy.
For more options, visit https://groups.google.com/groups/opt_out.