[Just trying to get Daniel's E-mail address right this time.]

On Mar 16, 2024, at 08:58, Mark Millard <mark...@yahoo.com> wrote:

> Eugene Grosbein <eugen_at_grosbein.net> wrote on
> Date: Sat, 16 Mar 2024 13:16:21 UTC :
>
>> 16.03.2024 17:03, Daniel Engberg wrote:
>>
>>> A key difference is though that browsers such as Firefox or Chromium are
>>> maintained upstream including reporting etc.
>>
>> It does not stop browsers from being vulnerable all the time. All times. So,
>> no difference in practical point of view.
>> In theory, there is difference. Not in practice.
>
> My guess here is that Daniel is thinking of properties like:
> How long does a discovered vulnerability generally stay as
> a vulnerability after discovery? There might generally be a
> difference for code maintained by an upstream vs. code not
> maintained by an upstream, for example. There might be
> practical consequences to such distinctions in various kinds
> of cases.
>
> The overall Boolean status for "being vulnerable" in at least
> one way vs. Daniel's comment seem mismatched and not all that
> relevant to each other.
>
> The "tools, not policy" point could apply to both. My point
> here is more limited to the potentially mismatched kind of
> referenced context.

===
Mark Millard
marklmi at yahoo.com