Nadim Kobeissi:
>
> On 2013-08-06, at 11:46 AM, Al Billings <[email protected]> wrote:
>
>> Nadim you seem confused by how this works. Tor doesn't need to
>> issue advisories for Firefox issues. We, at Mozilla, already issue
>> them. Perhaps they can link to them clearly but if you want to know
>> about security issues Mozilla fixes in Firefox, you're best served
>> by reading Mozilla advisories. There's not much point in
>> duplicating them on a second site. Tor would be better served by
>> writing advisories for its own, unique, security fixes.
>
> Tor doesn't need to issue advisories for Firefox issues. Tor needs to
> issue advisories for Tor Browser issues, and not five weeks later
> when s**t hits the fan. I really don't think one can reasonably
> disagree with the above statement.

Tor Browser is a Firefox fork.

Should we issue a single advisory for each possible security issue that Firefox has already noted in their change log? Each confirmed security issue? Should we ask for a second CVE to cover each CVE they receive?

Your point is unclear in practice. Please do spell it out and if possible, please demonstrate how you do so in your own projects?

All the best,
Jacob
