Hi.

On Thu 2002-09-19 at 08:10:08 +0100, Alastair Scott wrote:
> On Wed, 2002-09-18 at 23:36, Franki wrote:
> >
> > I don't think the answer would be yes...
>
> By a strange coincidence a very interesting post from Thor Larholm (of
> the IE list) regarding Mozilla appeared on [bugtraq]. I reproduce it in
> full; it would seem that the "yes" can't be very confident (of course,
> we will never know what Microsoft finds, and fixes, internally):
You are going to compare apples with oranges. I read that posting on bugtraq, too, and think it was way off (claiming that one would/should get a different view of Mozilla):

1. These are bugs _fixed_, not open bugs as with IE.
2. Mozilla has never made a secret about 1.0.0 having security bugs, but strongly recommended an upgrade to 1.0.1 when it came out (http://www.mozilla.org/, topic "Mozilla 1.0.1 released").
3. You can complain about them not listing all bugs explicitly, but then
4. complain to your vendor (aka distribution). mozilla.org does not provide end-user support.
5. The list contains bugs of which it is not known whether they have security relevance or not, only that they *might* have.
6. Some of those were serious, others were mere inconveniences.
7. There are three open security bugs listed for 1.0.1. Have a look at them and (hopefully) feel warm and safe, if these are the worst to fear...
8. As you said yourself, you will never know how such a list for IE would look.

In short, the main thing one can accuse mozilla.org of, according to the "proof" this posting provided, is that they did not list comprehensive details about all bugfixes which may have security relevance. Well, I have yet to see such a list from Microsoft.

My point is: Although I would also prefer mozilla.org to push information about such bugs more, this lack cannot be compared in any way to a company which still has more than a dozen security-related bugs not fixed for *several* months in their equivalent product (not counting mail components and others, which Mozilla provides, too).

Btw, it is common practice to *not* announce any bug with possible security implications. That is because most of the time it is not worth the time to find out if the bug really had potential to be exploited. Just as an arbitrary example, consider which announcements you read about PHP. Then go and dig into their Changelog and look for any fixes which might have security relevance (e.g. all crashes related to variables and function calls). Then reconsider the Mozilla list you forwarded. </rant off> ;-)

Bye, Benjamin.
