Thanks Fabrice/Frederik for the answers here. Just to add/clarify a few points:

- Report all Mozilla security issues (including FxOS) to [email protected]
- Agreed we need to improve the reporting of security issues per release - I’m 
working on this at the moment. In the meantime [1] has a list of vulnerabilities 
per Gecko version (which includes FxOS), and can be mapped to FxOS versions 
here [2]
- Information about what the FxOS security team does and how to contribute to 
FxOS security is https://wiki.mozilla.org/Security/B2G. We are actively working 
to recruit community members to help - please get in touch if you are reading 
this and think you can help.

I’m not sure what Town Hall questions you are referring to, but if you have further 
questions I’ll do my best to answer them.

Thanks,

Paul Theriault
FxOS Security Lead

[1] https://www.mozilla.org/en-US/security/advisories/
[2] https://wiki.mozilla.org/Release_Management/B2G_Landing


On 20 Jan 2015, at 8:30 pm, Frederik Braun <[email protected]> wrote:

> Hi Adrian and Fabrice.
> 
> Thank you for raising these important questions. I want to pick up a few
> of the questions inline.
> 
> 
> On 20.01.2015 00:37, Fabrice Desré wrote:
>> Hi Adrian,
>> 
>> Good to see you're already full speed ahead in 2015!
>> 
>> On 01/19/2015 09:06 AM, Adrian Custer wrote:
>>> Hello all,
>>> 
>>> It seems some of you are making plans for Firefox OS 3.0. An update on
>>> the plans and planners working on user security for that new version
>>> would be useful to the community.
>> 
>> The planning is still happening, so we don't really have a public update
>> to make. But if you have concrete ideas they are welcome.
>> 
>>> The Mozilla Manifesto clearly states:
>>> 
>>>  04 Individuals’ security and privacy on the Internet are fundamental
>>>     and must not be treated as optional.
>>> 
>>>           https://www.mozilla.org/en-US/about/manifesto/
>>> 
>>> This would suggest that the Firefox OS project is institutionally
>>> obligated to consider user security as a core concern in its plans for
>>> Firefox OS 3.0.
>> 
>> I think we already do a fair job there. Not perfect for sure.
>> 
>>> Unfortunately, over the past year, the response to the concerns raised
>>> by the community on the mailing list and in questions to be addressed in
>>> the town hall has been less than satisfactory:
>>> * the issue of OS security updates was not addressed directly but
>>>   instead deflected with a vague plan to make more apps user
>>>   upgradable (which is a partial, and minor, solution),
>> 
>> We do work with OEMs and carriers when security issues are found to
>> ensure that they push updates. That happens in security bugs, I can cc
>> you to one of them if you want an example.
>> 
>>> * the follow up to unanswered questions promised at the end of the
>>>   town hall meeting did not happen so those questions are still open,
>> 
>> I agree this is not satisfactory.
>> 
>>> * there does not appear to be any point of contact for security issues
>>>   or for security vulnerabilities in Firefox OS,
>> 
>> Any security related question can be directed to Paul Theriault.
> 
> Please note that [email protected] is the desired input channel for
> *every* Mozilla related security issue. You can also file security bugs,
> and the FxOS security team *will* handle them. That's a promise.
> 
> You can also come talk to us in #fxossec on irc.mozilla.org.
> 
>> 
>>> * the Mozilla security center does not track Firefox OS
>>>   vulnerabilities unlike its other products,
>>>   (https://www.mozilla.org/en-US/security/known-vulnerabilities/),
>> 
>> Right, we should probably fix that.
>> 
> 
> Yes, this is a bummer, but uptake of our security updates further down
> the road made us a bit hesitant here :-/
> 
>>> * there has been no recent discussion of how to protect Firefox OS
>>>   users from outdated and vulnerable versions of gecko which are still
>>>   being sold on the market,
>> 
>> What does "recent" mean? We can re-hash how this is mostly out of our
>> control for devices that already shipped, etc. We focus on fixing our
>> architecture to have more leverage there, but that will take some time.
>> 
>>> * in one exchange, some group did reveal it was working on developing
>>>   a formal threat model for their work but that model was not then
>>>   revealed publicly.
>> 
>> I don't know what you refer to, and you're not providing references.
>> 
>>> This raises a number of questions:
>>> - where is the security work for Firefox OS 3.x being planned?
>> 
>> Paul has docs with goals for his team. I'm not sure how up to date it
>> is, but see
>> https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0Ap-jgPe0UrMhdHRPbFd0dXZWaTJYby1Ta3hrRzQ5Nmc#gid=8
> 
> This document seems outdated (and isn't public to all members of the
> mailing list). Our latest version is at
> https://wiki.mozilla.org/Security/B2G/Goals
> 
>> 
>>> - who is doing the planning?
>> 
>> Mozilla's Firefox OS team.
>> 
>>> - how are issues being tracked?
>> 
>> Like usual, everything will be in bugzilla.
>> 
>>> - what formal threat model is being developed and where does that work
>>>   now stand?
>> 
>> No idea.
>> 
>>> - who is determining the scope of work and what security issues will
>>>   be ignored for the 3.x OS series?
>>> - with whom will the ultimate responsibility (i.e. blame) rest for the
>>>   vulnerabilities which emerge in the 3.x lifecycle?
>> 
>> I'm not sure what you imply with these 2 questions. That's very
>> dismissive a priori.
>> 
>>      Fabrice
>> 
> 
> _______________________________________________
> dev-b2g mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-b2g

