I don't bring up Mosby on my own, but other people ask me about it.
Yes. And what I'm seeing is that every time that happens, you
invent some bullshit about it, such as
strongly insinuating as you have done here, that maybe the tool is not as secure as yours. There are not many way to interpret what you tried to aim at here, with your allegation that somehow my Open Source code might somehow be less secure than yours.
It doesn't matter if people bring Mosby up. That doesn't give you a license to invent fallacies to try to discredit it.
The fundamental difference is you strongly believe in self-signing, and it's a great tool for that but I'm offering an alternative that doesn't go that far to solve the same problem.
It's not a belief problem. I am trying to solve an issue (trusting that the PK from OEM will always be safe, whereas we have concrete examples that this is not always the case) that only self signing can solve, and the other part of self-signing
derives from using Setup Mode and the limitations we have found from platforms that should accept unsigned but don't, so,
since we obviously don't want to remotely pre-sign stuff to have people question our trustworthiness, self-signing is the logical solution.
It's not a crusade and you are not seeing me advocating that my solution is better. It's just different usage scenario according to what people want.
You're interpreting my comments as FUD.
I'm relating what you explicitly insinuated about my code somehow being less trustworthy than yours on the grounds that it is written in C instead of PowerShell, and therefore calling it what it is.
Have I ever written no one should use Mosby? No.
Not directly.
But, from the way you insinuated multiple types that Mosby should be considered less trustworthy than your tool, first because it self-signs, and second because it is written in oh-so-obtuse C, you might as well have.
I share my thoughts on its approach and why my script does it differently.
No. You use bullshit arguments to deprecate what Mosby does. I've caught you multiple times doing that now.
It's not to disparage your project, it's more to explain why I chose my direction.
Which shouldn't matter when out end goal is the same. And I already explained how Mosby is aimed at more than Windows users whereas your script caters for Windows only. If I didn't care about the possibility of OEM playing fast an lose with their PKs, as they have done in the past, or being coerced into disclosing their private signing keys, and if I didn't care about serving all OSes equally, I'd probably have chosen the same direction as you did. But somehow, that narrative never seems to quite make it to your remarks about the differences between Mosby and your script.
Do I get tired of deflecting Mosby questions on a thread dedicated to my scripts, and maybe that tone shows up? Yes.
Not my fault if we happen to have 2 competing means of accomplishing something that users want. Personally, I believe that providing people with
choice is what matters at the end of the day, and that one has to appreciate that competition is good, especially if this or that solution may not quite happen to meet the user's needs.
We can solve this problem if you provide me your preferred contact method for engaging with users when they ask me about Mosby in passing.
Issue tracker. I have hammered it over and over again. If people have a problem with Mosby, they should head to
Issues · pbatard/Mosby.
Or if people want to see the pros/cons of Mosby, they can have a look at the
README that details our approach and has a mini-FAQ. My e-mail is also all over the place.
Remember however that, because you chose a
discussion forum, rather than an issue tracker to address your script support, then of course people will be inclined to discuss. But I would say that's on you for choosing that mode of support.
