Frank Hecker wrote:

> But again, we are talking about people being cut off
> from information only for a limited period of time.

But this period is important. Distribution of fixes takes 1 or 2 days 
*at least*. Within that timeframe, crackers would know about the 
vulnerability and users of those "unfortunate" distributions would be 
vulnerable. OTOH, users of "approved" distributions would be secured 
already, which is a competitive advantage for the latter distributors.

Note: I don't suggest letting "everyone" in the group. I'm just showing 
the problem.

> What I do care about (from a
> mozilla.org point of view) is having only one or two people that are
> held responsible for the security team's operation; in other words, I'd
> like to see the equivalent of a "module owner" for this task.

Yes, that makes sense.

> In
> my opinion if a person is a module owner then they should be responsible
> for providing a rapid response to requests for help with security
> vulnerabilities.

Agreed.

> I'm not sure what you mean
> by "the person causing the bug"? Do you mean the developer who is
> responsible for the code in which the bug occurs?

Yes, the person who wrote the code which shows the vulnerability. Often 
(but not always) the person who last touched the line, as shown by bonsai.

> As I discussed above, I think that the core security team (or perhaps
> just the team leader or "module owner") should approve people who want
> to be added to the distributor list, as the security team will have to
> live with any risk.

I think all members of the team should have a vote on new members, if 
appropriate. This avoids the group being controlled by a single person. 
The initial members have enough power already, because they are the 
"root", i.e. determine the character of the group by selecting the next 
members, which again....

>>> The purpose of this
>>> initial period is to assess the severity of the problem, put in place
>>> a plan to address it, and write up information for public release;
>> 
>> IMO *this* should be a matter of hours.
> 
> Ideally, yes. But I myself don't want to guarantee this can always be
> done in a few hours

Well, I have no experience either, but I think this should be possible, 
and we should mandate it, if it is. See my post about the "security 
announce group".