David, you're not listening.

On Thu, Nov 19, 2009 at 3:02 AM, David Rogers <david.rog...@omtp.org> wrote:
> -----Original Message-----
> From: Jonas Sicking [mailto:jo...@sicking.cc]
> Sent: 19 November 2009 10:11
> To: Marcin Hanclik
> Cc: David Rogers; Maciej Stachowiak; Dominique Hazael-Massieux; Robin
> Berjon; public-device-a...@w3.org; public-webapps WG
> Subject: Re: DAP and security (was: Rename "File API" to "FileReader
> API"?)
>
> Third, we'll have to spend efforts maintaining the code, even though
> it benefits only a small number of people. For example if a buffer
> overflow bug is found we'll have to treat that as serious of a bug
> as an overflow in normal on-by-default code. Up to and including
> engineering efforts to fix the bug, QA efforts to test the fix,
> release resources to spin a new emergency release, and marketing
> efforts asking people to upgrade.
>
> [DAVID] I would expect that you would do this as a matter of course
> anyway as part of the security lifecycle. However a side-benefit from
> your argument would be that policy would therefore help reduce your
> maintenance?
Jonas just said that they had a policy mechanism and that's what *caused* the problem in the first place. He solved the problem by removing the policy lever in Thunderbird that let users shoot themselves in the foot.

Adam