On 2013-08-07, at 1:05 PM, Jacob Appelbaum <[email protected]> wrote:
> Nadim Kobeissi:
>>
>> On 2013-08-07, at 12:58 PM, Jacob Appelbaum <[email protected]> wrote:
>>
>>> Nadim Kobeissi:
>>>>
>>>> On 2013-08-07, at 12:44 PM, Jacob Appelbaum <[email protected]> wrote:
>>>>
>>>>> Bbrewer:
>>>>>> "We're understaffed, so we tend to pick the few things we might
>>>>>> accomplish and writing such advisory emails is weird unless there is an
>>>>>> exceptional event. Firefox bugs and corresponding updates are not
>>>>>> exceptional events. :("
>>>>>>
>>>>>> Pardon me,
>>>>>> But it does seem that this one was.
>>>>>>
>>>>>> No?
>>>>>
>>>>> Yeah, this was such a case - a month ago, we didn't know it was such a
>>>>> case - no one did, not even Mozilla.
>>>>
>>>> That's funny — didn't Mozilla issue a security advisory for it a month
>>>> ago? That would imply that they actually did know that it was such a case.
>>>>
>>>
>>> The exploit is the exceptional event. Roger just covered this with
>>> exceptional clarity.
>>>
>>> Al - did Mozilla know it was being exploited in the wild, a month ago?
>>> Was there a known difference at the time between this bug and say, the
>>> others which were fixed in the ESR17 release cycle?
>>
>> Does an exploit need to exist in the wild and be discovered first in order
>> to warrant a security advisory? I didn't know this!
>>
>
> The advisory was about bug being exploited in the wild, so, yes. That
> was covered well in Roger's last email.

I'm aware, I did read his email. I was just under the impression that you publish advisories about *vulnerabilities*, not about *exploits*. But perhaps you're teaching me (and the rest of the community) something new here! ;-)

>
> I'd encourage you to read Roger's email (again, or for the first time).
> Specifically the part where we encouraged users to upgrade, notified
> every browser user that there was a security update and so on.

That's pretty great, but it doesn't count as an advisory, no matter how hard you seem to want it to.
THIS is an advisory: https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html

NK

>
> All the best,
> Jacob
> --
> Liberationtech list is public and archives are searchable on Google. Too many
> emails? Unsubscribe, change to digest, or change password by emailing
> moderator at [email protected] or changing your settings at
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
