Gervase Markham wrote:
Amir Herzberg wrote:

I'm rather surprised at this comment. After all, you (claim to) believe in open process, and surely criticism of your actions is a part of that. If somebody feels this is somewhat contrary to the stated goals and principles of Mozilla and the open community in general, what's wrong about voicing this in any forum?


Because of the potential downsides. If there are headlines everywhere "SSL no longer dependable", "browser makers running scared", some participants may perhaps pull out of the collaborative process and go off and do their own thing quickly to counter the negative publicity.
Gerv, I'm not sure that the above statement was well advised. The criticism voiced was _not_ about SSL not being dependable or anything like that, it was merely about your process. By making this statement, people may interpret it that you and the Mozilla security group in general, and other vendors, think that this is the case, and just want to fix things quietly... Which of course is not the case.

And in that case we really _would_ be forced to play "follow the leader" if we wanted a standardised cross-browser UI.
So: if the `leader` goes a certain way, e.g. due to such event, then you will be, in your opinion, forced to follow... that seems to explain your actions. Explain but not justify.

What I'm asking for is discretion.

I am not angry, I'm sure you and Heikke simply did not consider the implication of your following a closed process and the need to disclose that decision. Frankly, a simple apology would have made me feel better about it, but I don't insist, after all sometimes `sorry seems to be the hardest word` :-)
I'm not going to apologise for doing what we did, or for respecting confidences we were asked to respect,

Well, as I said, I won't insist.

I wonder: was the mere fact of you meeting with them a secret? If so, did you get permission to disclose this secret (was it declassified)?

It must have been `top secret` since you were forced to take evasive actions, i.e. tell us you need usability tests, criteria, code, etc. when you simply could have said that you decided to follow a specific direction and are not currently interested in outside contributions. This would have been the right thing to do, imho.

because I believe we did the right thing. In fact, although I'm in some ways relieved that Ian has gone off in a huff because it's freed up half an hour of spare time in my day, I almost regret even mentioning it because of the discord it's caused.
Which discord? This tiny bit of criticism you got?

Anyway, I sincerely wish you guys do a great job and look forward to hearing of it, if and when it is sufficiently declassified. We'll continue improving TrustBar and cooperating and communicating with others openly, e.g. in the new `anti-fraud` list.

Best, Amir Herzberg

_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
