On Sun, Mar 11, 2012 at 11:48 PM, Jonas Sicking <[email protected]> wrote:
> On Sat, Mar 10, 2012 at 1:41 PM, lkcl luke <[email protected]> wrote:
>> this is all really good stuff, jim. but i have to reiterate: WHERE
>> IS IT BEING FORMALLY DOCUMENTED? please don't say "in the mailing
>> list".
>
> Once we've had a bit more of a discussion here on the list, I think we
> should document everything both as part of the OWA documentation, as
> well as part of the general B2G documentation. But at this point I'm
> not sure that there is enough consensus to start editing wikis.

not being funny or anything, but consensus be damned! can you remember everything that's going on? because i can't! there's some superb technical input and absolutely critical ideas being discussed here; i'm used to remembering lots of different issues but even *i* can't remember them all.

let me try and illustrate, by doing a recap.

* someone mentioned "do we need to put ACLs on eval()"?
* someone else came up with the brilliant idea of putting words into dialog boxes rather than "yes" or "no", i think it was you
* the original post that you wrote was something like 3,000 words long: i actually read it all and came up with 3 separate areas which need discussion and expansion, that might have expanded to 4
* my reply was probably another 3,000 words, i mentioned things like SE/Linux as a potential solution *if* certain criteria were met, i also mentioned debian distro infrastructure as a way to solve one of the _other_ requirements.

in other words, even with only .. what.... 15 messages on this topic, it's already getting out of hand... and this is *security* being discussed. even in 1 week's worth of discussion i can't remember who mentioned what. and the reason i can't remember it is because it's all in an uncontrolled and unstructured format that has no top-level headings which are a crucial critical memory-aid.

if this was a "User Interface" discussion i'd go "ahh fuckit: not important." ... but for something as critical and fundamental as the security of an entire operating system and its applications management infrastructure, which, if you get it wrong will result in a repeat of the android monoculture nightmare or the windows monoculture nightmare, it would be irresponsible of me _not_ to say "i really think the mozilla foundation needs to take a _little_ bit more care over how the security of B2G is discussed, designed and structured".

l.

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
