> I'd be happy to make a > mozilla-is-irresponsible-for-shipping-a-browser-with-no-sandbox-and-not-enforcing-CA-policy-and-more > mailing list but I'd still express my strong opinions here too.
IMO, refusal to actually enforce the CA policy is identical to other stupid decisions like Firefox not using PIE (ASLR) on Linux. In that case, it's because one or two users had a workflow of navigating to the directory and running the binary directly via a specific file manager that can't run PIE binaries because libmagic considers them to be a library. The choice to place minor short-term pain faced by a tiny minority of end users over the security of everyone else is a consistent one. The policy decisions are brain-dead across the board in Mozilla projects and only the opinion of Mozilla employees really matters, regardless of the "community" claims. I say this as someone who wasted countless hours (>800 commits, many of them substantial) contributing to Mozilla projects and learned of their outright contempt for their users and their community. They're willing to set the security standards *really low* because all that matters is market share. I can't really understand how they ended up in the position of having the dominant trust store used by FOSS projects. Debian and other projects should move away from simply shipping Mozilla's trust store as-is ASAP.
signature.asc
Description: OpenPGP digital signature
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
