Re: Security announce group

2000-12-13 Thread Ben Bucksch

Mitchell Stoltz wrote:

> Making people aware that vulnerabilities exist and how to protect
> themselves is a good thing. However, I won't be able to participate
> in such a newsgroup, and if Mozilla security problems are going to
> be disclosed rapidly, this will seriously limit my and probably
> Netscape's ability to participate in Mozilla security discussions.

> Along those lines, I am opposed to any hard and fast deadlines on the
> public disclosure of any security bug information (such as requiring
> disclosure of a vulnerability within five days).

Mitch,

my suggestions for the security announce group were based on the 
assumption that the important parts of Frank Hecker's proposal will be 
accepted in "mostly consensus" (which of course includes Netscape) and 
implemented.

Apart from the fact that you object to the forced disclosure after a 
certain time (which was a key part of Frank's proposal, and we should 
discuss it in that thread), it is not clear to me what else, if 
anything, you object to in my security announce group proposal.

Especially, what do you think about making announcements about the 
*fact* that there is a vulnerability and suggesting workarounds (i.e. 
the announcements about new bugs in my proposal)?

I don't see security reasons speaking against that. OTOH, this would be 
IMO incredibly important for both Mozilla developers / testers and 
distributors. (I hope it is clear why, and I don't have to give reasons.)

I can see marketing considerations speaking against that, depending on 
which marketing strategy is used. If these are blocking such 
announcements from your side, please be detailed about it (if marketing 
isn't blocking that, too :-( ), so we have a base for making suggestions.




Re: Security announce group

2000-12-13 Thread Mitchell Stoltz

Making people aware that vulnerabilities exist and how to protect 
themselves is a good thing. However, I won't be able to participate in 
such a newsgroup, and if Mozilla security problems are going to be 
disclosed rapidly, this will seriously limit my and probably Netscape's 
ability to participate in Mozilla security discussions. Basically, the 
publishing of vulnerabilities will have to come from Netscape's PR 
department, not from me or any other security engineers. I make a 
distinction, as you apparently do, between technical discussion of 
security bugs between engineers from different organizations, and public 
disclosure of these bugs. I am much more interested in the former.

Along those lines, I am opposed to any hard and fast deadlines on the 
public disclosure of any security bug information (such as requiring 
disclosure of a vulnerability within five days). Such a requirement is 
unnecessary, since the reporter of a bug has the option of taking it 
public at any time.
  -Mitch

Ben Bucksch wrote:

> Even if we don't fully disclose bugs, it is very important to have 
> notifications about them.
> 

-
Views are mine, not Netscape's





Re: Security announce group

2000-12-12 Thread Ben Bucksch

Ben Bucksch wrote:

> Ideally, a release engineer would also create an appropriate fix
> distribution, e.g. an XPI file containing the fixed library only.
> However, this must not hold back the post by more than a few hours.

This is only if mozilla.org still wants to release binary Milestones 
and "support" them (with security fixes). Otherwise, waiting for the 
next nightly should be fine.