Ben Bucksch wrote:
> Step 2
What do we do with fixed bugs? I assume immediate disclosure, right?
As discussed earlier (in March, this group), it seems that we cannot
wait for a particular distributor to put out a new release, as each
distributor has different release schedules (e.g. should we wait until
Redhat brought out a new version of Redhat Linux before we disclose a
bug?). Also, "distributor" is a vague term, since *anybody* can be a
distributor of Mozilla - if nothing else, then to himself.
To spell that out: Why should somebody building Mozilla himself or using
occasional "good" nightlies from mozilla.org not have a right to know
about a certain bug, and potentially be vulnerable longer than
necessary, just because we waited for a certain distributor to bring
out the next release?
I don't think distributors *have* to wait for a new release at all -
with XPInstall, it is easy to provide small and relatively convenient
security updates, by distributing only the previously-buggy library and
letting the installer script override the current installation of it.
The notification can be as simple as a link in a post to a mailing list -
the user would only have to open the URL in Mozilla. More convenient
processes are thinkable, e.g. Mozilla polling a server for updates at
each startup or so.