Gervase Markham wrote: > If a bug is security-confidential, then some form of warning will be > agreed (unless none of the participants requests that one be agreed.)
What if not? What if it takes too long? What if it's inappropriate for me? > On the other hand, take the GIF overflow bug in NS 4.77 as an example. > If we had a bug like that, are you really going to warn your users to > disable images? Maybe. Maybe I'm going to warn them to possibly not use the browser at all. > I think that the answer to this is basically "you can't have it." Then I think my answer to this will basically be "Then I don't want to play with you". Weren't we talking about consensus? > I'm not saying that this possibility allows Netscape to dictate the > terms of the entire security group proposal without discussion; I am > merely making the point that the usefulness of the group goes up with > the number of the participants, in proportion to what those > participants contribute. And I am saying that too "liberal" terms in the security bug group make it useless for me, no matter if anybody participates or not. > If Netscape feels it can't contribute because it can't be sure you > aren't going to shaft _their_ users, then they won't. How am I going to "shaft" their users?? > I think Mitch is saying that the web page (which has checkin and > change control) is the master source, Which I think is wrong. You cannot ask me to reload the page every 3 hours, if I want to be sure to get the latest warning.