Ben Bucksch wrote:

> Stuart Ballard wrote:
> 
>> It may be that someone's latest
>> branded release has the bug, or something else, but there must be
>> *something*.
>>
> That's almost always the case. The worst and thus most important and 
> interesting bugs will probably be kept confidential for years or so.


Actually, I believe that the length that was supplied by Mitch was 9 
months or so.  That's certainly not years and allows many of our users 
to get the changes into their hands.  As I've said in another post, it's 
really up to the reporter of the bug to make the final determination 
about when specific information about a vulnerability should be released 
to the public at large.


> I don't think that will work. I expect many parties with an interest in 
> closure being members of the security group, and people falling back to 
> closed when they are not sure, because "there's nothing to harm if we 
> don't disclose, but much to harm if we do" (they think).


Maybe so but I don't think that's a bad thing since the reporter is just 
being cautious.


> In other words, I trust neither mozilla.org staff nor the security group 
> at large to do the right decisions about disclosure. Even if they do the 
> right thing most of the time, that's not enough. It's the exceptions 
> that count here. One open security hole is enough to let everything fall.

Unfortunately, the alternative is that you don't have the information 
about the vulnerability at all since many who would have participated in 
the security group wouldn't be sharing information at all.

As for your prophetic visions of doom and gloom, I think that an entirely 
open policy would make things worse, not better, in many respects.  Both 
in the sense that there would be less sharing of information between 
distributors to end users and that you would just be feeding the script 
kiddies information about how to exploit vulnerabilities for hapless users.

I don't think that mozilla.org is going to try to enforce a policy where 
security related bugs are "forced" to be open without a lot of 
delegation to the person who opened the bug and consensus from a group 
of people who are trustworthy and reasonable.  We aren't in the business 
of using what little power we do have to force people to do things they 
don't want to.  When we do that, people stop contributing.  Our role is 
to put together a structure that allows people to share information, not 
to enforce our own ideology onto others.

--Chris

-- 
------------
Christopher Blizzard
http://people.redhat.com/blizzard/
Mozilla.org - we're on a mission from God.  Still.
------------