Gervase Markham wrote:

>"Mozilla 1.0 should have no known remote security holes at the time
>of release
>
Actually, I'd like to push this one further and suggest a security 
review before the release.

Rationale: I believe that security bugs are the worst possible ones.

    * A cracked machine may mean *all* data on that machine being erased
      or published. Often, a cracked machine has to be re-installed from
      scratch. So, data loss or crash bugs are minor bugs in comparison
      to security bugs.
    * Most browser / mail bugs work through firewalls (unlike, e.g.,
      most kernel bugs). Often, machines behind a firewall trust each
      other to some degree, meaning that a whole network might fall.
    * Security bugs give very bad press (and rightly so, IMO)


Unfortunately, we have a "human resource" problem. mstoltz repeatedly 
asked for help with security reviews in different areas, with not much 
success. I personally wasn't and probably won't be much help either :-(. 
Any ideas how to get qualified people with enough time to help?

Ben
