Hi Adrian and Fabrice. Thank you for raising these important questions. I want to pick up a few of the questions inline.
On 20.01.2015 00:37, Fabrice Desré wrote: > Hi Adrian, > > Good to see you're already full speed ahead in 2015! > > On 01/19/2015 09:06 AM, Adrian Custer wrote: >> Hello all, >> >> It seems some of you are making plans for Firefox OS 3.0. An update on >> the plans and planners working on user security for that new version >> would be useful to the community. > > The planning is still happening, so we don't really have a public update > to make. But if you have concrete ideas they are welcome. > >> The Mozilla Manifesto clearly states: >> >> 04 Individuals’ security and privacy on the Internet are fundamental >> and must not be treated as optional. >> >> https://www.mozilla.org/en-US/about/manifesto/ >> >> This would suggest that the Firefox OS project is institutionally >> obligated to consider user security as a core concern in its plans for >> Firefox OS 3.0. > > I think we already do a fair job there. Not perfect for sure. > >> Unfortunately, over the past year, the response to the concerns raised >> by the community on the mailing list and in questions to be addressed in >> the town hall has been less than satisfactory: >> * the issue of OS security updates was not addressed directly but >> instead deflected with a vague plan to make more apps user >> upgradable (which is a partial, and minor, solution), > > We do work with OEMs and carriers when security issues are found to > ensure that they push updates. That happens in security bugs, I can cc > you to one of them if you want an example. > >> * the follow up to unanswered questions promised at the end of the >> town hall meeting did not happen so those questions are still open, > > I agree this is not satisfactory. > >> * there does not appear to be any point of contact for security issues >> or for security vulnerabilities in Firefox OS, > > Any security related question can be directed to Paul Theriault. Please note that [email protected] is the desired input channel for *every* Mozilla related security issue. You can also file security bugs, and the FxOS security team *will* handle them. That's a promise. You can also come talk to us in #fxossec on irc.mozilla.org. > >> * the Mozilla security center does not track Firefox OS >> vulnerabilities unlike its other products, >> (https://www.mozilla.org/en-US/security/known-vulnerabilities/), > > Right, we should probably fix that. > Yes, this is a bummer, but uptake of our security updates further down the road made us a bit hesitant here :-/ >> * there has been no recent discussion of how to protect Firefox OS >> users from outdated and vulnerable versions of gecko which are still >> being sold on the market, > > What does "recent" means? We can re-hash how this is mostly out of our > control for devices that already shipped, etc. We focus on fixing our > architecture to have more leverage there, but that will take some time. > >> * in one exchange, some group did reveal it was working on developing >> a formal threat model for their work but that model was not then >> revealed publicly. > > I don't know what you refer to, and you're not providing references. > >> This raises a number of questions: >> - where is the security work for Firefox OS 3.x being planned? > > Paul has docs with goals for his team. I'm not sure how up to date it > is, but see > https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0Ap-jgPe0UrMhdHRPbFd0dXZWaTJYby1Ta3hrRzQ5Nmc#gid=8 This document seems outdated (and isn't public to all members of the mailing list). Our latest version is at https://wiki.mozilla.org/Security/B2G/Goals > >> - who is doing the planning? > > Mozilla's Firefox OS team. > >> - how are issues being tracked? > > Like usual, everything will be in bugzilla. > >> - what formal threat model is being developed and where does that work >> now stand? > > No idea. > >> - who is determining the scope of work and what security issues will >> be ignored for the 3.x OS series? >> - with whom will the ultimate responsibility (i.e. blame) rest for the >> vulnerabilities which emerge in the 3.x lifecycle? > > I'm not sure what you imply with these 2 questions. That's very > dismissive à priori. > > Fabrice > _______________________________________________ dev-b2g mailing list [email protected] https://lists.mozilla.org/listinfo/dev-b2g
