I see. I guess we have differing viewpoints. Given that we ask for secrecy, I think that the policy should *ensure* for outsiders/users that we're doing the right thing. Just like I think that the law should ensure that the police and the secret services do the right thing, not just give them blanket permissions.

> I don't think you've demonstrated problems with the policy but rather that we have to do a better job implementing it.

> Not true, there are guidelines for issuing immediate warnings

Ah, right, we just never used them. But note the difference between "may warn" and "will warn".

> As a member of that group you share in that failing.

That's not fair. I wanted to issue warnings, but needed the allowance of the security group, esp. its former owner, which I practically never got. I tried, IIRC, but ended up thinking that it's futile.
Another problem with that is that when I have to ask for permission, and wait for the answer, which may not be positive, and then have to argue, often a few days go by, while warnings should be issued within hours to be effective. My proposal tried to solve that.
Oh. I used security@ as an alias for the security group address, for spam-prevention, because I wanted the policy discussion to be public.

> > I propose the following changes to the policy and procedure:
>
> A good starting point for discussion, that's what the security group mailing list is for (not, I should point out, [EMAIL PROTECTED] cc'd in this thread, which is for reporting potential problems). If you'd raise these points there I'm sure we could improve things greatly.
Should I re-post the proposal (this time without listing the 'problems')? I'd prefer the public to be able to listen and add to it, but the security group, and you as the owner in particular, are the main addressees, because we have to decide on it and implement it.
Ben
_______________________________________________ Mozilla-security mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-security
