On Mon, Sep 9, 2019 at 6:01 PM Jeff Walden <[email protected]> wrote:
> Those of you longer in the tooth may remember Firefox was successfully
> exploited in Pwn2own 2012...and we didn't have to lift a finger to fix it.
> We already had -- in the Firefox release shipping days later. 🤦
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=735104 (pwn2own bug)
> https://bugzilla.mozilla.org/show_bug.cgi?id=720511 (cover bug,
> discussion only of a spec-compliance issue)
> https://bugzilla.mozilla.org/show_bug.cgi?id=720079 (sec bug noting the
> sec issue)
>
> We later discussed whether the exploit had been "achieved" by reading our
> public commits. https://bugzilla.mozilla.org/show_bug.cgi?id=735104#c2
> The fruit of this discussion was our security approval process, where
> security patches land only after approval, in relative lockstep close to
> release, with incriminating tests/comments removed. This is also where
> sec-approval comment hoop-jumping began.
How often do we go back and land those tests and comments after the fix has been in the release builds for a suitable amount of time?

_______________________________________________
dev-platform mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-platform

