On Tuesday, August 6, 2013 at 9:58 AM, Brian Conley wrote:
> Al, I'm not a developer, so please bear with me.
>
> Do you disagree that TBB is forked software?
That depends on your definition. They aren't taking a fork of Firefox and
running off with it for a year or two. They are (and I don't know the process)
either forking each ESR release or applying our ongoing ESR patches to an ESR
line. In either case, I think of it as Firefox ESR + Tor patches, not really as
a fork.
> If I fork Firefox and build my own browser from there, do I have no
> responsibility to my users to fix bugs that originated in your original code,
> now that my codebase is separate from yours?
>
>
>
Except they did that and do that. That isn't the issue here. The bug was fixed
six weeks ago. TBB took that fix. The users that got exploited were *not*
running the current version. Firefox assigns CVEs and issues advisories for any
externally reported security issue we fix and for internally reported issues
that are not simply memory corruption or crashes. There is no point in the Tor
folks cutting and pasting our advisories onto their site. They *may* wish to
link to our advisories on our site but that's up to them.
Al
--
Liberationtech list is public and archives are searchable on Google. Too many
emails? Unsubscribe, change to digest, or change password by emailing moderator
at [email protected] or changing your settings at
https://mailman.stanford.edu/mailman/listinfo/liberationtech
