Ka-Ping Yee wrote:
> 1. A security bug was just discovered. Should we keep it
> secret or not? What should the press release say?
> How can we fix this bug, and fix it fast?

This answers most of the questions:
http://www.mozilla.org/projects/security/security-bugs-policy.html

The policy does not say anything about a press release, but I think that is covered by the known vulnerabilities page.

> 1. Netcraft Toolbar
> 2. Petnames
> 3. Security Skins
> 4. SpoofStick
> 5. TrustBar

A few others and I have expressed some doubts about getting petnames into the default Mozilla installation. It makes a fine optional extension for security-conscious people who are diligent enough to use it and are willing to pay for the chrome real estate it takes.

I have not yet familiarized myself with the other projects.

One thing about the class of extensions that check the URL you are visiting against known bad ones from an online source: privacy. I read about some implementation which was IMO too invasive. When a security product like this comes from a commercial company and they get access to your browsing history in real time, I see it as a deal breaker. Tweaking the settings and eliminating the commercial party from the picture would make it much more likely to get accepted.

> None of them have been usability tested in a browsing situation.

Making them into extensions and gathering feedback is one way of getting it. In fact, this is what I recommend. Iron out the bugs and usability problems in the extension model first.

> I have my own opinions about these options. Ian has his own opinions,
> and Gervase has his own opinions. We could argue endlessly about it,
> but there comes a point where arguments are based on speculation and
> the only way to know is to gather empirical evidence.

We should get our opinions listed, though. Which actually makes me want a wiki page somewhere to list things like that (while general discussion should be going on here). I am not well versed with the various Mozilla wikis, so someone else should suggest where to put this stuff.

> So, how does the team choose? Are there generally accepted criteria
> that a proposal can satisfy in order to be accepted? Is it just a
> matter of convincing the right two or three people? For example, if
> one of these solutions showed favourable results in a usability study,
> would that satisfy the right people?

I don't think there is a written set of acceptance criteria. Writing one up would be a good thing. Another doc for the security area or wiki, perhaps. Anyone could write/start it, but it would need approval from the Mozilla Security Group, of course.

In the end it will fall into convincing the right people, but before that you really need to pass the not-yet-written-down-anywhere acceptance criteria. Some rules of thumb could be gathered from my feedback to the petnames extension, like: should not require too much (ideally anything) from users, should use minimal chrome real estate, and so on. I'd also like to add: make it first into an extension, iron out the bugs, gather usability etc. feedback.

> I am grateful that you posted the link to the list of people on the
> Mozilla Security Group. It's helpful to know those names. It's
> just that there are over 60 people on that list, so I'd like to know
> a little more about how consensus is reached on design decisions.
> I can't imagine that all 60+ people magically agree when something
> is proposed. As you probably have experienced, when it comes to
> security, and probably even worse with usability, everyone thinks
> they're an expert.

You can narrow down the list, though, by checking the affiliations of the people on the list, and if you can't figure out who to contact you could always start with the owner.

And that list is perhaps too big at the moment, because we have to include a representative from each company that ships Mozilla-based products, even though some representatives only want to be there to coordinate the security updates between all the vendors.

There has been discussion on starting something like a vendor-security email alias. The purpose of that list would be to coordinate security updates between the various vendors who ship Mozilla-based software. I don't know the current status of this proposal.

Consensus is typically reached on the closed security list when someone proposes something and does not hear objections :) Typically there are "go for it" comments, though. I'd have to search the list to see how we dealt with disagreements, but I can't remember any off the top of my head, which indicates (at least to me) that there haven't been that many.

--
Heikki Toivonen

_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
