It's still ok to destroy products if (among many other reasons) "the product can reasonably be considered unacceptable for consumer use due to damage, including physical damage, deterioration or contamination, including hygiene issues, whether it is caused by consumers or occurs during the handling of the product [...] and repair and refurbishment are not technically feasible or cost-effective;" but cost-effective means "the cost of repairing or refurbishing a product not outweighing the total cost of destruction of that product and of [all] expenses of replacing that same product."
So essentially, they have to offer all the clothing for donation first; if nobody wants it, it can still be destroyed (that's one of the other exceptions).
Unfortunately another exception is if "it is technically unfeasible ... to remove ... labels, logos or recognisable product design or other characteristics that are ... protected by intellectual property rights". So a luxury brand can probably still go "well our design is protected and we don't want the poors wearing our fancy clothes".
I don't buy it. The actor running the website likely gets paid for every user that installs the app or possibly even every user they direct at the app.
Even in the unlikely case that they get paid for achieving some later payoff, the "work" on the way there is almost certainly 100% automated so there is no harm in spraying the attack more widely (as opposed to Nigeria scams where pre-AI, pre-slave-farm, the scammers would have to invest significant amounts of a very limited resource - their time - on each victim).
> instruction manuals ... often have useful information ... A surprising number of my peers don’t realize this.
That's because instruction manuals always have a lot of useless information, and many of them have only such useless information. One of my computer mice came with guidance to avoid prolonged contact with skin and I'm pretty sure nothing in that manual was of any value.
Manuals used to have tens of pages of useful information, if not more. These days it's just tens, if not a hundred pages of (mostly meaningless) warnings, in different languages, and sometimes only that. If you're lucky there's a single page of mostly pictures and a few lines of text, and typically just the obvious parts.
I went through some old storage boxes yesterday. Found "manuals" for a number of items. One had four manuals. Turned out it was just that they could only stuff half a dozen languages of warnings in one manual, so they made a bunch of them, all just the same warnings, in different languages. More paper for the recycling centre.
I particularly miss the spec page that used to be standard in every manual and is now increasingly rare.
Of course, the really old/good manuals also had schematics, and there were a few cases where those were really helpful when we actually had to repair stuff like that. For some simpler things that would make sense even today but it ain't happening...
Instruction manuals often only contain legally required information, making them particularly useless.
You've happened upon the difference between compliant and capable. See also, any military technology, which costs 10 times the normal price to meet strict compliance requirements, often while completely disregarding capability.
My favorite response to the issue is the AccessiByeBye plug-in (https://www.accessibyebye.org/) which blocks accessibility compliance overlays that make web pages difficult to use with keyboard navigation and accessibility tools like screen readers, but are needed to meet accessibility regulations.
I think Matrix is the closest equivalent that's reasonably popular, at least for text messaging. There are both web and mobile clients and they interoperate seamlessly. It's also at the point where it somewhat reasonably works for the average user, rather than being the usual UX nightmare that teaches people that anything open source or anything pushed by their nerdy friend should be avoided.
Based on the description, I suspect the main goal isn't "trust" in the security sense, it's essentially a spam filter against low quality AI "contributions" that would consume all available review resources without providing corresponding net-positive value.
> Unfortunately, the landscape has changed particularly with the advent of AI tools that allow people to trivially create plausible-looking but extremely low-quality contributions with little to no true understanding. Contributors can no longer be trusted based on the minimal barrier to entry to simply submit a change... So, let's move to an explicit trust model where trusted individuals can vouch for others, and those vouched individuals can then contribute.
> If you aren't vouched, any pull requests you open will be automatically closed. This system exists because open source works on a system of trust, and AI has unfortunately made it so we can no longer trust-by-default because it makes it too trivial to generate plausible-looking but actually low-quality contributions.
===
Looking at the closed PRs of this very project immediately shows https://github.com/mitchellh/vouch/pull/28 - which, true to form, is an AI generated PR that might have been tested and thought through by the submitter, but might not have been! The type of thing that can frustrate maintainers, for sure.
But how do you bootstrap a vouch-list without becoming hostile to new contributors? This seems like a quick way for a project to become insular/isolationist. The idea that projects could scrape/pull each others' vouch-lists just makes that a larger but equally insular community. I've seen well-intentioned prior art in other communities that's become downright toxic from this dynamic.
So, if the goal of this project is to find creative solutions to that problem, shouldn't it avoid dogfooding its own most extreme policy of rejecting PRs out of hand, lest it miss a contribution that suggests a real innovation?
I suspect a good start might be engaging with the project and discussing the planned contribution before sending a 100kLOC AI pull request. Essentially some signal that the contributor intends to be a responsible AI driver not just a proxy for unverified garbage code.
That's the most difficult part oftentimes. People are busy and trying to join these conversations as someone green is hard unless you already have specific domain knowledge to seek (which requires either a job doing that specific stuff or other FOSS contributions to point to).
Most apps that are in need of notification control either:
a) bundle everything in one category, from critical notifications without which the app can't fulfill its purpose to "HEY YOU HAVEN'T USED ME IN A DAY, USE ME NOW" spam
b) create a new category for spam every time they feel enough users have turned off the previous one, which is often
A similar, even higher profile case that shook the electronics industry around a decade ago was chip manufacturer FTDI releasing an update to their drivers that would detect and semi-permanently brick clones of FTDI USB serial bridge chips [1]. The bricking was performed by setting the USB product ID to zero, preventing Windows and macOS from detecting the device at all; the Linux drivers quickly got updated to recognize the new PID, allowing for the development of unbricking tools. Somewhat ironically, the detection relied on errata of the original parts that the clones fixed [2].
The backlash to this measure was massive, as many legitimate products turned out to use counterfeit FTDI parts without the manufacturers' awareness due to unreliable supply chains. Microsoft quickly pulled the update but FTDI seemed not to care for the most part, eventually releasing another similar update a couple of years later that would deliberately corrupt all data sent through clone chips.
In general, identity (the bank checking who you are) is often involved in regular unlocking and there will be an identity-only recovery procedure that will work even if you lose your usual credential (key, passcode, card, whatever). This may involve drilling a lock and the bill for that.
It actually says "hacking on one of our programs", which makes it even more obvious that it's using the word closer to the positive traditional hacker culture sense.
I'm sure that still looks unprofessional to some people, just like any jargon that isn't corporatese does.
Excluding severe vulnerabilities like ones that completely pwn your machine just by connecting it to an untrusted network is not legitimate for any reasonable bug bounty program.
Of course, a company can do it (they just did!), but it shows that they don't care about security at all.
Especially if the answer is "sorry this is out of scope" rather than "while this is out of scope for our bug bounty so we can't pay you, this looks serious and we'll make sure to get a patch out ASAP".
Ethical disclosure existed before bug bounties. Someone who wants to ensure the remediation of the bug might recognize that the staff member responding to bug bounty reports is limited in their purview and might be badly trained. Upon learning that it is out of scope for the bug bounty program, did the author try their security@ or another referenced security contact?
Your characterization of this bug as one "that completely pwn your machine just by connecting it to an untrusted network" is also hyperbolic to the extreme.
Overall, seems reasonably sensible.