Rostyslaw Lewyckyj wrote:
Robert Kaiser wrote:
Rostyslaw Lewyckyj wrote:
Mozilla's Firefox web browser versions 2 and 3 top the list with 40
reported flaws.

The real interesting part is how many users out there (absolute or
percentage) are using products with unfixed security flaws? How many
days of having no fix for a known security vulnerability did the
different products have?
It's not important how many different flaws there were in any given

Come again?? Not important how many flaws made it past all internal
quality controls and presumably beta testing into a released version
of the product?

There is no "internal" in open source. Everything is public. The open community is the testing and quality control, be it in testing or in code reviews. Every single line of the code is out there for everyone to look at, user, developer, white hat or black hat. And that's why we don't hide minor flaws that probably cannot be exploited, as companies with closed source like to do. We label everything we find in our own development that has been in a release as security relevant and publish at least a minor severity advisory once we release the updates that fix this flaw. Most of the issues you'll see in Mozilla software are actually first published by us, and together with a version that actually contains the fixes, and together with the source code that fixes it. How many others do things that way? You just cannot compare apples with oranges, sorry.

Non-organizational users, i.e. those without centralized upgrades,
are unlikely to upgrade promptly. Heck, even centers with
dedicated computer administration are often behind on versions
and fixes.

So, what you're saying basically means that anyone using centralized upgrades voluntarily is insecure. Well, if they like being insecure, why do we care about their security at all?

Robert Kaiser
support-seamonkey mailing list
