On 4/18/2010 10:36 AM, Matt McCutchen wrote:
On Sat, 2010-04-10 at 08:10 -0700, johnjbarton wrote:
On 4/9/2010 6:06 PM, Matt McCutchen wrote:
Are you saying that Mozilla shouldn't encourage users to bother their
server operators because if the problem were real, the server operators
would already have fixed it?  I think you give the server operators way
too much credit.  People are lazy.  I trust Mozilla much more than the
average sysadmin to properly assess vulnerabilities.

Your assessment of the relative commitment and competence of these two
groups of people is unjustified by facts.

Indeed, but do you have facts supporting the opposite conclusion?

I assume these groups are equally committed, based on personal experience with both groups and common sense.


I appreciate your commitment to improving Web security. Please channel
this passion in a respectful fashion. Rather than arrogantly asserting
superiority over server admins and irresponsibly exhorting users to
harass them, build a clearer case for the potential dangers here. Then
contact the communications people in Mozilla, large international Web
service companies, professional organizations of server administrators,
news organizations, slash.dot, and so forth. Explain the problem and the
fix. This procedure will prepare you and the people you contact for
future similar problems and strengthen our entire system.

A coordinated PR effort led by Mozilla would be great.  However, I don't
see what is wrong with users contacting their sysadmins individually to
advocate that a vulnerability be patched, just as they would make any
other request of the sysadmins.  If the sysadmins want to make an
argument that it isn't important in their particular case, fine, but the
users have every right to ask.


I see nothing wrong with users contacting sysadmins. I object to using the browser as a platform for badgering Web developers to contact sysadmins on your behalf.

jjb
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto