Gervase Markham wrote:
> Ben Bucksch wrote:
>
>> Gervase Markham wrote:
>>
>>> If a bug is security-confidential, then some form of warning will be
>>> agreed (unless none of the participants requests that one be agreed.)
>>
>> What if not?
>
> If you ask in the bug for the participants to agree a warning text,
> one should be agreed.
I'm talking about a case where a strong party disagrees that *anything* at all should be made public. E.g. Netscape or someone else finds the GIF buffer overflow you mentioned, and Netscape doesn't want to have any warning made by any vendor.

> If you want that stated in the policy, say so - but it seems like
> common sense to me.

You mean that there will *always* be a meaningful warning, if *I* (i.e. any participant in the security bug group) want to? If you write that in the policy, that'd be good.

[part cut - I'd only repeat myself, if I replied.]

>> Weren't we talking about consensus?
>
> We were. But it appears we have reached an impasse.

Right. Not only can't I get my views reflected (forced disclosure, even if unfixed, after a certain amount of time), it seems like I have to fight very hard for my absolute minimum requirements. I have no experience in these things, but I think that's usually the point where either the other party agrees or the fighting party leaves the negotiations.

> you [...] perhaps hurting their users by being over-generous with
> vulnerability information.
>
> If you claim that the latter could never happen, then you should have
> no objection to saying only what is agreed by the group.

The latter assertion is wrong. I am concerned that a strong party in the group deliberately blocks or obfuscates the warning in order to hide the bug.

>> How am I going to "shaft" their users??
>
> As I understand it, the entire reason that this web page announcement
> proposal has been put forward is so that a member of the security
> group does not (advertently or inadvertently) reveal information which
> leads to trouble for the users of other members' software. This is why
> what is said must be agreed upon.

blabla. Please explain, concretely, how Netscape's users would be harmed by me informing my users about security holes in Beonex Communicator / Mozilla. (No concrete reproduction info, of course.)
>> You cannot ask me to reload the page every 3 hours, if I want to be
>> sure to get the latest warning.
>
> You as a distributor of Mozilla-based products, or you as an end-user?

As whoever needs to know what is on the page. The page is intended for mainly Mozilla contributors.
