In my personal opinion, given that most of the actions for the remediation plan are expected to be completed during the first quarter of 2021, if the community considers that the plan adequately prevents further issues, it would be reasonable to establish a deadline to take such a decision based on the effective execution of the plan by the date of that deadline, demonstrated by means of an independent audit report.
On the other hand, I'd like to understand if the option being in consideration is a partial distrust (i.e. eliminate the trust bits for serverAuth) or a total distrust. BR Pedro _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy