Mitchell Stoltz wrote:

> You've both missed this point:
> --- begin quote ---
> Mozilla distributors participating in security bug group activities 
> can mention in their release notes that a security bug has been fixed, 
> but we ask that they be vague and not describe the exploit in detail.
> --- end quote --- 

No, I didn't. Just that this point says "fixed", while I want to inform 
in both cases - when a bug gets discovered (and I have a workaround) and 
when I have a fix.

> However, I think there's a distinct difference between *allowing* 
> individual vendors to inform their users, ship new versions, mention 
> the bug in the release notes, etc, if and when they deem necessary, 
> and *requiring* that Mozilla.org post even a vague description of each 
> and every vulnerability submitted.

I don't see the difference. In both cases, the public knows about the 
problem. It's not too hard to subscribe to Beonex's announce mailing 
list and then assume that the same bug is in all derivatives of Mozilla, 
especially when I say that the bug is not Beonex-specific (just like 
Debian does in its notices). Crackers are not *that* dumb.

> The latter will discourage many vendors from participating at all, 
> enough so that the security group will become pointless.

Can you explain why? I see absolutely no rationale. (Other than bad PR 
maybe, which I don't think will happen or consider a valid reason in 
this case.)

> My understanding from Mozilla.org (Mozilla staff, please correct me if 
> I'm wrong) is that Mozilla is not an end user product.

Agreed. That's why I spoke about testers when I spoke about Mozilla.

> All users of the Mozilla browser are considered to be beta testers, 
> and Mozilla makes no guarantees about the safety of any build, 
> including milestones.

There is a huge difference between not being able to guarantee safety and 
deliberately not informing testers about known, severe bugs.

In fact, not even Netscape or Microsoft guarantees safety for any 
software it releases, to my knowledge.

How would you think, if it were known that a certain Mozilla build 
erases your hard disk, but nobody would tell you, because "they decided 
not to"? Not informing users grossly raises the risk, and I am not 
willing to take *that* risk.

I am using Mozilla under the assumption that everything possible is done 
to prevent me from such disasters as severe data loss or security bugs. 
If you don't do that, the risk is too high for me. Actually, I would 
consider that being close to malice (lacking a better word).

> Vendors such as Netscape, Red Hat, and Beonex turn these betas into 
> end-user products, and vendors bear responsibility for the safety of 
> those products.

Where?

> I would argue that everyone who needs to know about the bug will still 
> have access to it through their representative on the security group.

Depends on how you define "know". Or am I allowed to mention details of 
the bug to a customer?

> I realize that this proposal isn't perfectly "open,"

hah

> but it's a compromise that I believe vendors can accept.

If I may issue vague warnings (but a bit more concrete than what Frank 
described) and workarounds at any time and may publicly speak about 
what happens in the security group (but not mention specific exploits or 
details about a bug itself), then yes, this is what is acceptable to me 
as a distributor.

But this does not mean that it is the right thing to do for Mozilla in 
general or that this allows ideal treatment of security bugs. (And, in 
these indirect and abstract ways, the current proposal is IMHO no good 
for Beonex Communicator or Netscape 6 or any other Mozilla.)

> The alternative is for vendors not to file vulnerabilities in Bugzilla 
> or disclose them to Mozilla.org at all.

That remains to be seen. I do think that a compromise could be found 
that better respects the open nature of open-source projects and the 
beliefs of many people (as I understood it). In the current proposal, I 
see no compromise at all.