Questions to ECC/ZF re. Luke Parker's (Firo, XMR) irresponsible disclosure of Dero vulnerabilities

A few days ago, Luke (KayabaNerve) decided to publish a vulnerability in Dero with less than 48 hours of warning to the developers.

There has been a longstanding rumor that Luke is going around saying that he got Zcash devs to *metaphor removed*.

In light of his irresponsible behavior, I have two questions for ECC and ZF members:

  • Is anybody paid from Zcash dev fund assisting Luke in his work, and if yes, is this done on or off the clock?
  • Did somebody assist him in his Dero attack, and if yes, was this done on or off the clock?

…what?

  • No
  • No

(FYI there is no such thing as “irresponsible” disclosure. If my transactions weren’t as private as I expected them to be I’d like to know as soon as possible so I’d stop creating any more, instead of possibly having more of my privacy violated until someone fixes it.)

8 Likes

I have no idea what this is referring to. I’ve talked with people involved with Zcash prior, and campaigned for it to be FOSS, but I’ve never claimed to be personally wholly responsible for any license changes and haven’t heard any rumors.

Disclosing a passive bug affecting user privacy, so that users were aware and could make an informed decision, when there was no stated disclosure process and I hadn’t heard from the maintainer after two days over a critical issue (now one week and still running, with no established contact nor public comment from them).


@conradoplg answered the questions, and I’m sorry my own work as a researcher (and Twitter drama) is overflowing into other communities. I’m not the one who made the post, but it still shouldn’t be here, and only is due to my work. I’ll also clarify I’ve never received any funding from a Zcash organization (definitely) nor posted a donation address to the Zcash community (to the best of my recall, pretty certain).

5 Likes

Can you unremove the metaphor? I don't understand what you mean.

Kayaba and Conrado have done a good job explaining, I think. Fixing the problem might help things going forward but doesn't change the past transactions, so it doesn't matter when or how it's disclosed (from my basic reading). Earlier the better so users today can decide what they want to do.

2 Likes

Luke did nothing wrong

Dero is not even a FOSS project

Dero Community Lies about FHE

End of Story

Note FYI, from my DMs with Zcash developers, at least one of those answers is yes. I'm not going to name names, because people have the right to do anything they like in their spare time. How did you arrive at a definite no for the entire team?

Did you receive any other form of assistance like the OP claims?

I need to start adding the annoying “not speaking on behalf of ZF” in my posts then. To be clearer:

  • I didn’t help Luke
  • I’m not aware of anyone helping Luke
  • If someone did help Luke, I’m pretty sure they weren’t being paid by ZF or ECC to do so (we have enough work to do as is)
  • There would be nothing wrong with helping Luke in their spare time; the work is helping protect Dero users' privacy

6 Likes

I haven’t even heard of Dero before this.

6 Likes

First, the vulnerability is pretty simple. I don’t think Luke needs “help” finding it. I don’t agree with calling this an “irresponsible disclosure”. Dero should be grateful they had 48 hours. They should have treated the report with more respect. It sounds like they were looking down on it.

Second, and more importantly, good developers have many interests. What people do in their free time is their business (except for NDA, etc). IMO, Zcash will not benefit from a walled garden.

I can see some members are very upset when our devs work on other crypto projects.

I think they consider this "helping the enemy". But in software engineering, there is a common base that is developed together (especially with OSS).
For instance, RocksDB is Facebook’s fork of LevelDB from Google. They have contributions from various sources.

The secret is to know what to share and what to keep…

9 Likes

I had no help from anyone on the vulnerability I found, the PoC I made, and the disclosure I wrote.

I have talked with various people from ECC/ZFND over the years. AFAIK, none of those conversations have been considered on the clock. If any ECC/ZFND members are on the clock for answering community questions on Discord, it’s unknown to me. If any ECC/ZFND members took something I reached out with, decided it had value to be done as part of their research at work, and did so, it’s unknown to me. I have never had any dedicated support/collaboration from the ECC/ZFND though. I’ve always personally interacted with individuals.

I've also personally interacted with ZCG recipients, and I've even given project advice to some. I've never had financial assistance from any, did not receive technical assistance here (again, I did not from anyone), and have no reason to assume any of my personal interactions were considered on anyone's clock.

No one affiliated with Zcash was aware of this recent disclosure, nor asked any hypotheticals for it, before it was published. I don’t think I had any conversations with Zcash affiliated people in that two day window.

Is that complete and thorough enough that we can move on?

3 Likes

Insert a sex act of your choice.

Wow. That’s incredibly toxic. I wonder how would you feel if someone went ahead and did it to Zcash. Will you still respond with rehashed alt-right memes?

I heard everything I need to hear. I will be on my way.

LOL :rofl: :rofl: :rofl: :rofl:

Me neither. :man_shrugging:

1 Like

I have seen it around, but that's about it. It's a medium-sized (smaller than Z) privacy coin according to CoinGecko.