Comment by DonHopkins

8 hours ago

>Security illiteracy? Yes.

Security illiteracy is admitting you were wrong and changing it when somebody points it out.

>Malicious intent? Probably no.

Are you graciously making excuses for malicious intent without considering all the facts? Probably yes.

>Does being security illiterate equal malicious? Debatable.

Refusal to admit there is a problem and fix it, or carrying the water for people who refuse to admit they made a mistake, is deliberate maliciousness, not security illiteracy. Not debatable.

Illiterate is "inability to read and write" by definition. I know people who submitted bug reports requesting: "hi, I want to use your API, please add wildcard origin header". After getting an explanation, they propose "ok, JUST add my domain, I'm an open-source contributor, trust me". They ask to remove security features, recognizing them as security features, but only caring about their convenience (like "don't enforce 2FA", "don't warn about untrusted links"). They don't know about defense in depth, and even if you explain it to them, they will skip your explanation, because they can't read.