> That's much less than you said were OK in your last posts and much less 
> than I need. You now constrain the info I give my users to what you 
> publish for Mozilla, while yesterday, you said "You can inform *your* 
> users via your mailing list, release notes, etc, as long as you make an 
> effort not to provide enough information to allow someone to reproduce 
> the bug".
> 
> I want to issue warnings (to my users)
> 
>   1. for *all* bugs I consider severe enough and


If a bug is security-confidential, then some form of warning will be 
agreed (unless none of the participants requests that one be agreed.) If 
it's not, you can publish what you like. So, as I understand it, no-one 
will prevent you from issuing a warning of some form.
On the other hand, take the GIF overflow bug in NS 4.77 as an example. 
If we had a bug like that, are you really going to warn your users to 
disable images? If not, there's no point in issuing any warning at all 
until there's a fix available.


>   2. in wording I choose, with content I choose (as long as I don't
>      disclose reproduction info or something close to it)


I think that the answer to this is basically "you can't have it." Sorry 
to sound cruel or harsh, but there it is. All vendors, including 
Netscape, will publish only what the group agrees on. Why should you be 
different?

> Rationale:
> 2., because my users are of course less technically savvy than Mozilla 
> contributors, and the workarounds are also likely to be different for 
> Beonex Communicator (different default settings, different install 
> strategy etc.). I might even need to reveal more (still vague) facts 
> about a bug than the official warning does, when I think that this is 
> necessary for my users to judge their risk and to work around the bug.
> Reaching "consensus" also takes time, more time than is acceptable for 
> me in some situations.
> 
> 1.: please try to understand my situation. I see a bug, know that users 
> risk their whole network security because of that buffer overflow, and, 
> for any reason, the reporter or the security group decides not to issue 
> a warning, so I am not allowed to warn my users. That's unacceptable and 
> cruel (sorry for the hard word, but that's how I feel about it).


Let's look at the other situation. Neither you nor your users find out 
about the bug because it's been filed in Bugscape. Netscape keeps it 
quiet for as long as it likes, and meantime your users get shafted by 
the script kiddies exploiting it.

I'm not saying that this possibility allows Netscape to dictate the 
terms of the entire security group proposal without discussion; I am 
merely making the point that the usefulness of the group goes up with 
the number of the participants, in proportion to what those participants 
contribute. If Netscape feels it can't contribute because it can't be 
sure you aren't going to shaft _their_ users, then they won't. And 
everyone loses.

> If you want to prepare the warnings for mozilla.org, incl. their 
> wording, in the security group, that's certainly fine with me.
> BTW: I wouldn't define a web-"page", because I think that 
> newsgroups/mailing lists are the best method to publish such urgent and 
> important info. Having the same info additionally on a webpage is surely 
> nice, though.


I think Mitch is saying that the web page (which has checkin and change 
control) is the master source, and anyone can disseminate whatever they 
want wherever they want from that page.

Gerv
