--On Monday, July 14, 2025 00:28 +0100 Stephen Farrell <stephen.farrell@xxxxxxxxx> wrote:

> Hiya,
>
> A friendly amendment:
>
> On 14/07/2025 00:01, John C Klensin wrote:
>> But that leads to a second question, which is whether the community should expect decisions to use such tools to be accompanied by a public analysis of the risks and tradeoffs that led to the decision to go ahead.
>
> That'd be one way to do things, but at a cost for the tools team in terms of effort, and a risk for them in terms of being liable to be asked by the community to bring them a rock.

I'm sensitive about the rock-bringing and other possibilities (from my perspective, just another example of why I don't want to encourage a mailing list and the (IMO inevitable) community bikeshedding that would follow). However, I do not think it unreasonable to expect the Tools Team to be sensitive to these issues and think about them. Asking them to write up a short note about their thinking and decision does not feel like extra work unless they are operating in a mode of "we need a tool for X, let's use the first one anyone happens to have heard of and mentions", and I think they are already far too professional and thoughtful to be doing that.

> An alternative and maybe better way to handle this might be for those in the community (who care) to document their current/recent preferences so that the tools team can decide when to live with those or when not to do that. E.g. as I said I use NoScript with FF, but I'm not sure how many other IETFers might, which would affect how the tools team consider adopting things that do/don't work well in such a setup. There're probably a bunch of ways to group the kind of oddball setups we use (I'm guessing quite a few IETFers may have oddball setups:-), to try to identify common techniques (e.g. restricting JS, blocking tactics etc.) and to maybe try to figure out how many people have each kind of setup. I'm not sure.
First, I use NoScript with FF too, so there are at least two of us. But I don't think I'm really concerned about the setup. Yes, I find it very annoying to see a message that tells me that I can't look at something without logging in when what is really meant is that something prevented them from running a particular script or accessing something in a particular domain. I'd much rather see the "something went wrong" types of messages that seem much more typical when NoScript blocks something. In either case (or others), and whether the problem is sloppy programming, design choices with which I disagree, or something else, I don't think it is the tools team's problem to protect me from them. Trello is not likely to be a problem for me again because I'll either decide that whatever information it controls is not worth the trouble, or I'll access it through some machine or browser with fewer (or different) protections, or I'll allow NoScript to let whatever is needed through (either temporarily or permanently). None of that should be the Tools Team's problem. The sort of report or short note I'm looking for might be helpful in my deciding what to do but, if the tools I use cost me an extra minute or two, that probably shouldn't be an issue either.

Instead, I'm concerned that, as a community of supposed Internet experts who treat each other with respect, that respect should extend to avoiding unnecessarily putting each other at risk (regardless of which risks one considers most important). In some ways, that means trying to protect against the threats that, for you and me, NoScript is protecting against... and against other threats that might be caught by other tools for those who run them. I hope and assume tools team efforts and decisions are part of that "we". I think we also should be providing an example to others that a lower-risk environment is feasible and workable.
To say what may be almost the same thing differently, if our story, instead, is that the Internet is a dangerous place and each of us is on their own and better watch out for themselves in whatever way they can, presumably with little advice from the IETF... well, I can live with that but it might suggest that the Security Area should be reviewing its priorities.

best,
john