On Sat, 2010-04-10 at 08:10 -0700, johnjbarton wrote:
> On 4/9/2010 6:06 PM, Matt McCutchen wrote:
> > Are you saying that Mozilla shouldn't encourage users to bother their
> > server operators because if the problem were real, the server operators
> > would already have fixed it?  I think you give the server operators way
> > too much credit.  People are lazy.  I trust Mozilla much more than the
> > average sysadmin to properly assess vulnerabilities.
> 
> Your assessment of the relative commitment and competence of these two 
> groups of people is unjustified by facts.

Indeed, but do you have facts supporting the opposite conclusion?

> I appreciate your commitment to improving Web security. Please channel 
> this passion in a respectful fashion. Rather than arrogantly asserting 
> superiority over server admins and irresponsibly exhorting users to 
> harass them, build a clearer case for the potential dangers here. Then 
> contact the communications people in Mozilla, large international Web 
> service companies, professional organizations of server administrators, 
> news organizations, slash.dot, and so forth. Explain the problem and the 
> fix. This procedure will prepare you and the people you contact for 
> future similar problems and strengthen our entire system.

A coordinated PR effort led by Mozilla would be great.  However, I don't
see what is wrong with users contacting their sysadmins individually to
advocate that a vulnerability be patched, just as they would make any
other request of the sysadmins.  If the sysadmins want to make an
argument that it isn't important in their particular case, fine, but the
users have every right to ask.

-- 
Matt

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto