NVAccess and the slow Erosion of trust: I still believe that NVDA is the best available screen reader, and I still donate monthly.
-
@fastfinge Agreed. But I even faced difficulty, and soft criticism, communicating the poor output of the feature to NVAccess. I was under the impression that they wanted me, and others, not to expect much from a feature like that, while praising its privacy-focused, on-device aspects.
@amir Yes. And I experienced hard criticism for even discussing a security feature in public. This, too, is a problem. Is NVAccess under funding pressure? Are they struggling to get grants, and public criticism of them is endangering that? Repeat it with me, everyone: I'm probably missing context, so I'll just have to trust that NVAccess knows things I don't.
@fastfinge @amir Security through obscurity isn't always the way to go. Especially where community trust is involved.
-
NVAccess and the slow Erosion of trust: I still believe that NVDA is the best available screen reader, and I still donate monthly. These are just a chronicle of decisions that have made me go... Huh. What? stuff.interfree.ca/2026/05/20/nvaccess-and-the-slow-erosion-of-trust.html #screenreader #nvda #a11y
@fastfinge I wish so much of this wasn't on-point.
* I don't have enough of an understanding of the addon store stuff to be informed, but pulling Remote into core seemed a lot of work for relatively little gain to me.
* the on-device description stuff was mad, given the profusion of other addons already out there and its crapness when they did work on it,
* and the lack of a bridge from 64 bit felt like a kick in the teeth. As you say: the move was needed, but the support for developers fell short.
I love NVDA and will champion it, but I do wonder about the direction and decision-making sometimes.
-
@cachondo @fastfinge None of it is on point, and if he'd bothered taking the time to actually ask us any of the questions up front, we would happily have cleared up any confusion.
-
@fastfinge @cachondo The fact that we have been MORE open & willing to discuss things on here than basically any other company (please, point me to a thread in which ANY company got more involved on ANY topic? I'm waiting....) All we asked was that where you believe something is a security vulnerability, you disclose that privately in the first instance. That's all, nothing more sinister. Otherwise, I really don't think you can make any kind of argument that we don't discuss things publicly.
-
@fastfinge No one said that. It's an open source project, discussion happens on the issue tracker and/or mailing list. Or you can ask them here. You know this. Should NVDA have a full time public relations person to handle all concerns? Who pays for that? What priorities suffer?
Your piece seems somewhat premised on the idea that you must trust NVAccess in an informational vacuum. I don't think that's true at all. You could just... ask them why they did XYZ. If that answer isn't satisfactory, okay, the discussion has moved forward.
-
@fastfinge @cachondo In your article, you yourself open with "But I'm probably missing context, so I'll just have to trust that NVAccess knows things I don't." - hence, why would you not reach out to us first to find out WHY we did things a certain way?
-
@prism @fastfinge @cachondo Thank you. And yes, I have spent the last hour or so on this thread, and I haven't even got to half the article yet. So this HAS cost the organisation my time in doing this, when I suspect most of it could have been resolved just by asking a couple of questions first. And just to be clear, asking questions is perfectly fine. It's where they are done as public accusations of poor behaviour without first having obtained the facts that it gets frustrating
-
@fastfinge So start them. If you want to answer questions, in addition to asking them.
@cachondo @NVAccess
-
@prism @cachondo @NVAccess Seems a bit late to discuss decisions that were already made…somewhere…by someone. Compare to the Linux kernel mailing list. If I want to know what was decided, who decided it, why they decided it, when and where, all discussion is right there. NVDA also operated this way up until the last couple years. When Michael or Jamie decided anything, the reasoning was all in public. Even if I didn’t like it, the chain of thought that got them there was fully visible.
-
@NVAccess @prism @cachondo And that can only happen when the facts aren’t already public. For an open source foundation, that is a problem in and of itself. However, I apologize for wasting your time. In future, I’ll be sure to waste just as much of your time asking questions that should have had public answers when the pull requests were first opened.
-
@fastfinge @cachondo @prism As Drew suggested, what do you want to know? I'm only halfway through your article and most of it is "I don't like this feature, it shouldn't have taken developer time" when, if you'd asked, we could have told you that things like Remote Access, Image Description, Magnifier, etc you complain about - were all done by others and only overseen by us
-
@fastfinge @cachondo @prism But the decisions about <insert feature here> were made <gestures vaguely>. At this point, I do appreciate the passion you have, and I am honestly trying to work with you.... but I don't even know what you are mad about anymore?
-
@NVAccess @cachondo @prism If you have understood that to be my primary complaint, I must have written it extremely poorly. Because developer time was never even mentioned once. My complaint is that things seem to be going into NVDA without openly accessible discussion or reasoning about the trade offs. So: Why is NVDA scanning store addons with virustotal? What threat does NV Access believe this prevents, given the overall addon security landscape? What does NVAccess believe is the purpose of addons, and when should an addon be in core vs. not? Are there types of addons that NVDA does not believe are suitable, and should just be apps on their own? What qualifies a feature for an addon vs. being part of NVDA? How are decisions made at NV Access, now that they aren’t as frequently discussed on the GitHub or the mailing list? How should external stakeholders get involved in these decisions? Speaking of those decisions: what is the current thinking RE: the 32-bit compatibility layer? Has this been canceled as it’s no longer needed? What is the current thinking on the secure addon API? Are we talking about extremely restricted functionality, or code signing, or manual approval of secure addons, or all three? Where can we see, developers work opt planning (if any) being done on corporate mode? Surely there’s something other than “no news” on an issue tracker or mailing list somewhere. I’m avoiding “Why did you do X last year” style questions, as re-litigation of things already done is utterly pointless. But these are the current questions that I am most concerned about.
-
Ok just to satisfy you that it isn't only my time you've taken up this morning, but our other staff who also tried to work through your post, here is a comment from one of our developers:
Also I don't understand why he thinks this stuff was not discussed.
https://github.com/nvaccess/nvda/discussions/19462
https://github.com/nvaccess/nvda/discussions/19807
https://github.com/nvaccess/nvda/discussions/14912
https://github.com/nvaccess/nvda/discussions/16304
and a lot of the discussion can be found from the issues/PRs linked in the change log
-
@NVAccess @cachondo @prism I’m not mad at all. I’m concerned. Deeply. But that’s far from anger. And I also find it strange that you seem to think my entire purpose is to waste as much developer time as possible, and would be gleeful the more of your time I can manage to take up. I’m so baffled by that assumption that I’m starting to wonder if your mental model of me as a person is just so far off that mutual communication or understanding is even possible.
-
@fastfinge @cachondo @prism Ok if nothing else, I can no longer complain that you haven't asked us questions.... I'm confused about the hate on VirusTotal? It's a tool which may pick up malicious code that is available, so why NOT use it? Add-on vs core for a feature is done case by case (based on user benefit, potential downsides, initial vs ongoing work, & more). For remote, as previously noted, it also allowed us to tighten security by bringing those external contact points internal