
> And he also ranted about how people were all a bunch of morons. I don't blame anyone for getting tired of that.

Do you have a source?



https://github.com/golang/go/issues/30141#issuecomment-46427...

I don't have a full list of all posts at hand (some of which may be removed), but I've seen some other similar stuff as well; it's not an isolated incident. I was reading through the previous thread on this issue (goproxy sending loads of requests) and this one was posted as an example there.


I was indeed in the wrong when I made this comment four years ago. I have since apologized for it. I don't intend to re-litigate anything on HN at this point, but I have good reason to believe that this incident is unrelated to the reason I am presently banned.

The linked comment was indeed out of line, and perhaps you feel justified in thinking that it should be sufficient grounds for a permanent expulsion from the community. I won't argue with that, fair enough. However, I don't think it's reasonable to use it as grounds to suggest that anyone should have their servers DoSed by Google with no recourse, and I think blocking Google is a reasonable move given two years of inaction from the Go team to resolve the issue.


> I don't think it's reasonable to use it as grounds to suggest that anyone should have their servers DoSed by Google with no recourse

Of course not; this entire thread isn't necessarily hugely on-topic here, but it got brought up, so ... well ... here we are. And in fairness, you did bring up your ban in the posted article.

> The linked comment was indeed out of line, and perhaps you feel justified in thinking that it should be sufficient grounds for a permanent expulsion from the community. I won't argue with that, fair enough.

No, I don't think anyone should be banned for a singular comment, no matter how egregious. Everyone deserves second chances, and third ones, even fourth ones maybe. There's some decent data from Stack Overflow that shows that after a ban many people keep posting and many don't get a second ban (i.e. their behaviour improves).

> I have good reason to believe that this incident is unrelated to the reason I am presently banned.

I think the thing is that it's part of a pattern. Usually the "final straw" isn't the worst incident, or even that bad of an incident in itself. Incidents like this aren't isolated and previous behaviour does tend to factor in: "oh, that's the same guy who called us a bunch of morons last year".


> "oh, that's the same guy who called us a bunch of morons last year"

Wait, did some folks in the Go community write that EFAIL site that was referenced as a reason to drop OpenPGP? If so, that changes the context of the post a bit, but I didn't see anything indicating that was the case in the linked thread.


Obviously, your expulsion from the Go issue tracker for abusive conduct is a separable issue from the Go module proxy, as you can see from Go project participants reiterating that the offer to exclude you from the refresh list still stands.


1. We would like to have a more complex discussion than saying "1" or "0" to this specific offer

2. This specific offer is not satisfactory: https://news.ycombinator.com/item?id=34313802


Clearly it was not satisfactory to you, since it was made over 8 months ago, and you didn't take them up on it. I'm objecting here only to the framing you've created that your ouster from the Go issue forum --- which we can see was done with cause --- is what precipitated this situation.


We can behave like adults, ask why it's not satisfactory, and come to a more agreeable mutual solution, or we can blithely offer an incomplete solution, muzzle the other party, and just continue our DDoS.


See, here you just did it again: "muzzle the other party", as if it was causally connected to your disagreement about how the module proxy should work, and not to the abuse you inflicted on members of that community.


I think it's worth taking a step back here to say that IMHO regardless of whether the OP's previous comments justify his expulsion from the issue tracker, having the only other available "DDoS opt-out" mechanism be to email Russ Cox directly is _completely insane_ and unacceptable for an organization of Google's size and funding level. If they're going to ban members from the community (perhaps justifiably so), Google needs to either provide another public place to make one of these requests, or preferably make the DDoS feature opt-in rather than opt-out.


I admitted that my comments about EFAIL -- four years ago now -- were in the wrong, and apologized for them. Unless you're going to argue that this issue should justify consuming 70% of my system's network bandwidth without recourse, move on.

In the interest of not feeding the trolls, I think I can safely stop engaging with you on this thread. Or maybe on any thread -- you and I never seem to have a productive conversation on this website.


> In the interest of not feeding the trolls, I think I can safely stop engaging with you on this thread. Or maybe on any thread -- you and I never seem to have a productive conversation on this website.

HN would be so very much more pleasant with ignore-lists.


[flagged]


The two of you are on my internal list of HN heroes. Keep fighting the good fight!


Since GH requires login to see minimized comments, here it is:

  ddevault on Feb 15, 2019
  "EFAIL" is an alarmist puff piece written by morons to slander PGP and inflate their egos. The standards don't need to change to fix the problems it mentions. The proposals help... marginally. The problem is not and was never with OpenPGP, it's with poorly written email clients (e.g. all email clients).


Well, that is a take.


Oh right, I didn't know you had to login to see that.


Thanks, that is indeed not the greatest of comments.


[flagged]


Virtually nobody uses PGP, and it is not at all pivotal. It is one of the least important widely-known cryptosystems on the Internet; like the book "Applied Cryptography", it has a cheering section because of the era in which it was released, and a generation of lay-engineers has taken PGP as a synecdoche for all privacy cryptography.

It is also badly broken and has an archaic design.

Most notably: Filippo had nothing to do with EFail, which was one of the most important cryptographic results of the last 5 years. You don't so much need Drew Devault to tell you that; it's peer-reviewed research.


I am no cheering fan, for sure, but I think it's disingenuous to say PGP is one of the least important systems on the internet. Debian package distribution, notably, depends rather pivotally on PGP to ensure authenticity. Keybase uses PGP as its root trust mechanism. There are plenty of email services that use PGP to secure messages. I've even come across some recent (as in the last few years) startups using PGP to implement their internal or application-level trust relationships (run by quite sane and well adjusted individuals nonetheless). I worked at a Unicorn in the last 10 years that implemented secret storage and distribution using GPG tooling. In fact, recently and close to home for me, we implemented some application level key exchanges and the security person we consulted with for a 2nd set of eyes actually said (paraphrasing), "I don't like this thing it's custom but if you use ElGamal I'd be more comfortable because at least it's well understood."

Of course these are all things that can and probably should be replaced by something more palatable. So why haven't they?

If it's not obvious, my argument is neither for nor against PGP, really. It's that I'm tired of hearing about how much PGP sucks without also hearing about the solution. I think the burden is on the people wishing to eradicate it to muster up the blesséd alternative and shepherd it into the vernacular.


It is one thing to make a case for the continued maintenance of PGP, or even to say that it has a place in modern cryptography (that's an outré thing to say among cryptography engineers, but, whatever).

It's another thing entirely to say that any cryptography engineer critical of PGP must have a weird personal vendetta against it, as you did upthread.

Harsh criticism of the failings of PGP is practically an orthodoxy among cryptography engineers. It is not a good design by modern standards, and lots of cryptographers would dearly love to be rid of it. Push back on them because you don't think it's worth the time for Debian to switch to minisign, fine, but don't slander people while you're doing it.


I didn't say "that any cryptography engineer critical of PGP must have a weird personal vendetta against it". I know the history and context around the matter. I know Filo has actually tried to do the work to replace PGP. I know it didn't stick. I imagine he more than many people understands how difficult the task of replacing it is. But in my opinion that should lead to a more tempered stance that represents an understanding of this subtlety. Instead we see him on team deprecate PGP software because it's not what We want golang users using. Excuse me if I attribute a small ounce of personal pride to that stance. I could be wrong. This is a discussion thread not a formal essay. I respect many things about Filo. I'm just critical of this particular crusade.

I mean yeah, you're right. PGP has been culturally deprecated for years now. There's no skirting that. I am quite happy that Debian is switching to minisign. Once that transition is complete that will be one less reason to keep PGP around. Really, I have absolutely zero allegiance to PGP. I'm just willing to admit that it works (and quite well) despite all the shortcomings that cryptography engineers love to spar with during happy hours. I sincerely do not disparage efforts to replace PGP. I am just tired of the passé mantra that PGP sux amirite or gtfo. As we both clearly understand, it's not really that simple.


Does Debian depend on Go's official non-stdlib to support PGP? (No, it does not.)

> So why haven't they?

They are: https://wiki.debian.org/Teams/Apt/Spec/AptSign

Mandatory aptsign by 2025 and GPG tentatively removed by 2027: https://gemmei.ftp.acc.umu.se/pub/debian-meetings/2022/DebCo...

> my argument is neither for nor against PGP... I'm tired of hearing about how much PGP sucks without also hearing about the solution.

If you're not actually paying attention to what happens in the world around you, your argument is for PGP.


> I’m glad people spoke up.

You could reasonably agree or disagree with Filippo's take, and after quite a bit of discussion it was decided to not deprecate the openpgp[1]. I'm pretty sure that Drew's comment contributed exactly 0% to that decision.

[1]: It was deprecated two years later as no one stepped up to maintain it, so it bitrotted even further, and there are other (better) 3rd party implementations anyway. Speaking up is nice, actually doing the work is better.


PGP is difficult to replace. It’s very well supported, and frankly works sufficiently well (sure, it’s outdated, but so is SSH, TLS etc). There is other software that might be more secure and user friendly, but PGP is also secure. A lot of extremely sensitive information is encrypted with PGP.


> personal vendetta

This is a weird definition of "personal", like PGP kicked his dog or something. The arguments he makes against it are detailed and the agreement of most working cryptographers, even if they don't agree with his specific deprecation schedule. Some people would call that "good engineering".


“Good engineering” would be to meticulously develop and standardize a replacement before idealistically purging the world of alleged “bad software”. Since this endeavor has yet to be undertaken, PGP it is. Good engineers understand this reality.

Look, you can make solid arguments till you are blue in the face about why PGP is unclean and unfit for modern cryptography. And you can be 100% right. But that doesn't mean people who disagree are wrong. There are 100% valid arguments and use cases for PGP too. It takes a mature personality to understand this nuance. And to understand that sharing a mic drop piece about why PGP sucks, getting your security buddies to laugh with you, and then trying to rip it out of existence is incredibly short sighted, ill mannered, and not in the least bit “good engineering”.


> develop and standardize a replacement

https://en.wikipedia.org/wiki/S/MIME

ok, I jest.


> rip it out of existence

Come the fuck off this "mature personality" shit if you're going to write like this. He proposed freezing a module no one wanted to maintain in a library specifically meant to host stuff with weaker compat guarantees, he didn't hop in a DeLorean and kill Zimmermann's grandpa.

Meanwhile, the critical project Drew insisted he keep it for is... deprecated and unmaintained!


[flagged]


In the context we're talking about here, "arguments they don't understand" is incredibly rude and also inaccurate. Please be more careful.


That was referencing past conversations I've had where it was very much like I describe. I'll admit I'm channeling some past frustrations and stereotyping and apologize for not making the distinction clear. I am not referring to you or anyone here or anyone on the golang thread, for the record.


What's the use case for PGP that doesn't have an alternative?



