Short comment to inform thinking:
On 7/13/25 10:06 PM, John C Klensin wrote:
--On Monday, July 14, 2025 00:28 +0100 Stephen Farrell
<stephen.farrell@xxxxxxxxx> wrote:
Hiya,
A friendly amendment:
On 14/07/2025 00:01, John C Klensin wrote:
But that leads to a second question, which
is whether the community should expect decisions to use such tools
to to be accompanied by a public analysis of the risks and
tradeoffs that led to the decision to go ahead.
That'd be one way to do things, but at a cost for the tools
team in terms of effort, and a risk for them in terms of being
liable to be asked by the community to bring them a rock.
I'm sensitive about the rock-bringing and other possibilities (from
my perspective, just another example of why I don't want to encourage
a mailing list and the (IMO inevitable) community bikeshedding that
would follow). However, I do not think it unreasonable to expect the
Tools Team to be sensitive to these issues and think about them.
Asking them to write up a short note about their thinking and
decision does not feel like extra work unless they are operating in a
mode of "we need a tool for X, let's use the first one anyone happens
to have heard of and mentions" and I think they are already far too
professional and thoughtful to be doing that.
Thanks for those kind words. While you are considering this, note that
there is more than the tools team to consider. The current approach to
side-meetings, for example, isn't a tools-team provided solution. It's
exploration by the secretariat, IESG, and meetings team to find
something better than what we had at 122. Everyone involved takes the
same care you attribute to the tools-team here, and I expect these
observations will feed into whatever is chosen for next time.
RjS
An alternative and maybe better way to handle this might be
for those in the community (who care) to document their
current/recent preferences so that the tools team can decide
when to live with those or when not to do that. E.g. as I said
I use NoScript with FF, but I'm not sure how many other IETFers
might, which would affect how the tools team consider adopting
things that do/don't work well in such a setup. There're probably
a bunch of ways to group the kind of oddball setups we use (I'm
guessing quite a few IETFers may have oddball setups:-), to try
to identify common techniques (e.g. restricting JS, blocking
tactics etc.) and to maybe try figure out how many people have
each kind of setup.
I'm not sure. First, I use NoScript with FF too, so there are at
least two of us. But I don't think I'm really concerned about the
setup. Yes, I find it very annoying to see a message that tells me
that I can't look at something without logging in when what is really
meant is that something prevented them from running a particular
script or accessing something in a particular domain. I'd much
rather see the "something went wrong" types of messages that seem
much more typical when NoScript blocks something. In either case
(or others) and whether the problem is sloppy programming, design
choices with which I disagree, or something else, I don't think it is
the tools team's problem to protect me from them. Trello is not
likely to be a problem for me again because I'll either decide that
whatever information it controls is not worth the trouble, or I'll
access it through some machine or browser with fewer (or different)
protections, or I'll allows NoScript to let whatever is needed
through (either temporarily or permanently). None of that should be
the Tools Team's problem. The sort of report or short note I'm
looking for might be helpful in my deciding what to do but, if the
tools I use cost me an extra minute or two, that probably shouldn't
be an issue either.
Instead, I'm concerned that, as a community of supposed Internet
experts who treat each other with respect, that respect should extend
to avoiding unnecessarily putting each other at risk (regardless of
which risks one considers most important). In some ways, that means
trying to protect against the threats that, for you and me, NoScript
is protecting against... and against other threats that might be
caught by other tools for those who run them. I hope and assume
tools team efforts and decisions are part of that "we". I think we
also should be providing an example to others that a lower-risk
environment is feasible and workable.
To say what may be almost the same thing differently, if our story,
instead, is that the Internet is a dangerous place and each of us is
on their own and better watch out for themselves in whatever way they
can, presumably with little advice from the IETF... well, I can live
with that but it might suggest that the Security Area should be
reviewing its priorities.
best,
john
