On Sat, Nov 28, 2015 at 11:30 AM, Kartikaya Gupta <[email protected]>
wrote:

> So it seems to me that people are actually in general agreement about
> what the validator can and cannot do, but have different evaluations
> of the cost-benefit tradeoff.
>
> On the one hand we have the camp (let's say camp A) that believes the
> validator provides negligible actual benefit, because it is trivial to
> bypass, but at the same time provides a huge cost to add-on
> developers. And on the other hand we have the camp ("camp B") that
> believes the validator provides some non-negligible benefit, even
> though it may significantly increase the cost to add-on developers.
>
> From what I have been told from multiple people, Mozilla does have
> actual data on the type and number of malicious add-ons in the wild,
> and it cannot be published. I don't really like this since it goes
> against openness and whatnot, but I can accept that there are
> legitimate reasons for not publishing this data.
>

It may be the case that access to the raw data needs to be restricted
(though it's not clear to me why) but I don't see why the basic facts
I asked for need to be restricted, and those are all that is needed
to evaluate the question at hand.

-Ekr



>
> On Sat, Nov 28, 2015 at 10:35 AM, Eric Rescorla <[email protected]> wrote:
> > On Sat, Nov 28, 2015 at 2:06 AM, Gijs Kruitbosch <[email protected]>
> > wrote:
> >
> >> On 27/11/2015 23:46, [email protected] wrote:
> >>
> >>> The issue here is that this new system -- specifically, an automated
> >>> scanner sending extensions to manual review -- has been defended by
> >>> Jorge's saying, from March when I first brought this up until
> >>> yesterday on the hardening bug [1], that he believes the scanner can
> >>> "block the majority of malware".
> >>>
> >>
> >> Funny how you omit part of the quote you've listed elsewhere, namely:
> >> "block the majority of malware, but it will never be perfect".
> >>
> >> You assert the majority of malware will be 'smarter' than the validator
> >> expects (possibly after initial rejection) and bypass it. Jorge asserts,
> >> from years of experience, that malware authors are lazy and the
> >> validator has already been helpful, in conjunction with manual review.
> >
> >
> > Did Jorge in fact assert that as a matter of fact or as a matter of
> > opinion? Maybe I missed it.
> >
> > This seems like an empirical question. How many pieces of obvious malware
> > (in the sense that once the functionality is found it's clearly malicious
> > code as opposed to a mistake, not in the sense that it's easy to find the
> > functionality) have been found by the review process? How many pieces of
> > obvious malware (in the sense above) have passed the review process or
> > otherwise been found in the wild?
> >
> > -Ekr
> > _______________________________________________
> > dev-platform mailing list
> > [email protected]
> > https://lists.mozilla.org/listinfo/dev-platform
>