convenient.email

Hey - #infosec people:

is there a way you tend to communicate "I don't care about what the design says, this is what we are actually doing"
Hypolite Petovan friendica (via ActivityPub)
I don't know about #infosec, but on the #Fediverse, this is pretty much the ActivityPub/Mastodon dichotomy from what I understand.
That is definitely the case. The drift there seems analogous to "This is what the W3C says" vs "This is what Chrome does" (insert my unearned opinion that Mastodon is a bad actor here)

In this case it's "Our design doc says this, our implementation says this, but since the spec says this, that must be what it is"
Hypolite Petovan friendica (via ActivityPub)
Where do you place "the spec"? In "design" or "implementation"?
Sorry, "the spec" is the design doc, I just used two different words because I am a monster
Hypolite Petovan friendica (via ActivityPub)
If there's a known difference between the design doc and the implementation, then the design doc is pretty much useless and should be corrected, because it probably would be cheaper than correcting the implementation.
Well, that's the point. I am trying to get them to admit the difference *exists*

"Hey, if I sign up with this password, it passes an error! What are the actual rules for this? And shouldn't we expose them to the client?"

"Oh, we have no rules"

"Why can't I sign up with this terrible password then"

"oh, because it's terrible"
Hypolite Petovan friendica (via ActivityPub)
Ugh.
We *seem* to be doing it right, but don't communicate what we are doing, and need to do that
Hypolite Petovan friendica (via ActivityPub)
Update the spec, add user-facing errors, etc... you know the drill.
All I get to do is say "this passed security review" or no
Hypolite Petovan friendica (via ActivityPub)
Well, did it?
Luckily I had a manager step in and say that if someone gets an error on signup that doesn't explain how to fix it, then it isn't passing design, so I was good and can keep trying to upload 10GB passwords
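The two complaints in this thread, "we have no rules" while the signup still rejects passwords, and a signup form that will happily accept a 10GB password, both come down to the same design gap: the rules live only in the implementation. The block below is an added illustration, not code from anyone in the thread or from any particular service. It keeps the password policy in one explicit, machine-readable object, so the same rules can be served to the client and applied on the server, and it checks the raw request size before decoding or hashing, so an oversized password fails fast on size rather than being fed into a slow KDF. The limits, rule codes and messages are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Constructed rule codes and user-facing messages; the codes are what the server
# returns, the messages are what the client can show (both assumed, not a real API).
MESSAGES = {
    "too_short": "Password must be at least {min_length} characters.",
    "too_long": "Password must be at most {max_length} characters.",
    "too_few_classes": "Use at least {required_classes} of: lowercase, uppercase, digits, symbols.",
    "invalid_encoding": "Password must be valid UTF-8 text.",
}


@dataclass(frozen=True)
class PasswordPolicy:
    """One source of truth for the rules the spec, the server and the client all use."""
    min_length: int = 12
    max_length: int = 128        # assumed cap; many KDFs also truncate or slow down on long input
    max_input_bytes: int = 1024  # assumed cap on the raw request field, checked before any work
    required_classes: int = 2    # assumed: how many character classes must be present

    def rules(self) -> dict:
        """Rules in a form the signup page can fetch and render (no hidden policy)."""
        return {
            "min_length": self.min_length,
            "max_length": self.max_length,
            "required_classes": self.required_classes,
            "messages": dict(MESSAGES),
        }

    def check(self, password: str) -> list[str]:
        """Return the codes of every violated rule; an empty list means the password is accepted."""
        violations = []
        if len(password) < self.min_length:
            violations.append("too_short")
        if len(password) > self.max_length:
            violations.append("too_long")
        # Count which character classes appear at least once.
        classes = sum(
            any(pred(ch) for ch in password)
            for pred in (str.islower, str.isupper, str.isdigit, lambda ch: not ch.isalnum())
        )
        if classes < self.required_classes:
            violations.append("too_few_classes")
        return violations


DEFAULT = PasswordPolicy()


def check_raw_input(policy: PasswordPolicy, raw: bytes) -> list[str]:
    """Validate the password field as received, before decoding or hashing.

    The size check comes first so a multi-gigabyte "password" is rejected by
    length alone and never reaches the character-class scan or the KDF.
    """
    if len(raw) > policy.max_input_bytes:
        return ["too_long"]
    try:
        password = raw.decode("utf-8")
    except UnicodeDecodeError:
        return ["invalid_encoding"]
    return policy.check(password)


def explain(policy: PasswordPolicy, codes: list[str]) -> list[str]:
    """Turn rule codes into the concrete, actionable messages the thread asks for."""
    params = policy.rules()
    return [MESSAGES[code].format(**params) for code in codes]


if __name__ == "__main__":
    for sample in (b"short", b"correct horse battery staple", b"x" * 10_000):
        codes = check_raw_input(DEFAULT, sample)
        print(len(sample), "bytes ->", codes or "accepted", explain(DEFAULT, codes))
```

Because `rules()` is the same object `check()` reads, the design doc, the server and the client cannot silently drift apart: changing a limit changes what the form displays and what the server enforces in the same edit, and every rejection carries a code the client can map to a message that tells the user how to fix it.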