Ben Bucksch wrote:
> Gervase Markham wrote:
>
>> If a bug is security-confidential, then some form of warning will be
>> agreed (unless none of the participants requests that one be agreed.)
>
> What if not?

If you ask in the bug for the participants to agree a warning text, one should be agreed. If you want that stated in the policy, say so - but it seems like common sense to me.

> What if it takes too long? What if it's inappropriate for me?

You have to raise those concerns in the group. Others may share them. A form of words will be reached. This is consensus :-)

>> I think that the answer to this is basically "you can't have it."
>
> Then I think my answer to this will basically be "Then I don't want to
> play with you".

That would be unfortunate, as I believe your users would lose out if you were not a member of the security group.

> Weren't we talking about consensus?

We were. But it appears we have reached an impasse. You will not accept being told what you can and cannot say by the security group; Netscape will not accept you being permitted to say whatever you like and perhaps hurting their users by being over-generous with vulnerability information. If you claim that the latter could never happen, then you should have no objection to saying only what is agreed by the group.

>> If Netscape feels it can't contribute because it can't be sure you
>> aren't going to shaft _their_ users, then they won't.
>
> How am I going to "shaft" their users??

As I understand it, the entire reason that this web page announcement proposal has been put forward is so that a member of the security group does not (advertently or inadvertently) reveal information which leads to trouble for the users of other members' software. This is why what is said must be agreed upon.

>> I think Mitch is saying that the web page (which has checkin and
>> change control) is the master source,
>
> Which I think is wrong. You cannot ask me to reload the page every 3
> hours, if I want to be sure to get the latest warning.

You as a distributor of Mozilla-based products, or you as an end-user?

As a distributor, you will be a member of, and active in, the security group and involved in any discussions which lead to a post on the page. As an end-user, you should not be referring to that page at all, but to whatever mechanism the distributor of your software has for notifying you of security problems.

Gerv
