Mitchell Stoltz wrote:

> Making people aware that vulnerabilities exist and how to protect
> themselves is a good thing. However, I won't be able to participate
> in such a newsgroup, and if Mozilla security problems are going to
> be disclosed rapidly, this will seriously limit my and probably
> Netscape's ability to participate in Mozilla security discussions.

> Along those lines, I am opposed to any hard and fast deadlines on the
> public disclosure of any security bug information (such as requiring
> disclosure of a vulnerability within five days).

Mitch,

my suggestions for the security announce group were based on the 
assumption that the important parts of Frank Hecker's proposal will be 
accepted in "mostly consensus" (which of course includes Netscape) and 
implemented.

Apart from the fact that you object to the forced disclosure after a 
certain time (which was a key part in Frank's proposal, and we should 
discuss it in that thread), it is not clear to me what else, if 
anything, you object to in my security announce group proposal.

Especially, what do you think about making announcements about the 
*fact* that there is a vulnerability and suggesting workarounds (i.e. 
the announcements about new bugs in my proposal)?

I don't see security reasons speaking against that. OTOH, this would be 
IMO incredibly important for both Mozilla developers / testers and 
distributors. (I hope it is clear why and I don't have to give reasons.)

I can see marketing considerations speaking against that, depending on 
which marketing strategy is used. If these are blocking such 
announcements from your side, please be detailed about it (if marketing 
isn't blocking that, too :-( ), so we have a base for making suggestions.
