Hi,
[some words about the current Mozilla security bug policy and
its "implementation"]
Full ACK.
Just for an example: some friends of mine (computer science students, not
"normal" users) still use Mozilla 1.0 on their machines. They don't upgrade
because they don&
Daniel Veditz wrote:
Let's forget about the AOL-burdened past. I--and the Mozilla Foundation, I'm sure--want us to do the right thing now.
Yes, I hoped so. That's exactly the reason why I posted this.
Can we start over and give the existing policy (as written, not as executed) a try for a milest
Ben Bucksch wrote:
> That's not fair. I wanted to issue warnings, but need the allowance of
> the security group, esp. its former owner, which I practically never
> got. I tried, IIRC, but ended up thinking that it's futile.
Let's forget about the AOL-burdened past. I--and the Mozilla Foundation
On 2004-03-25, Daniel Veditz <[EMAIL PROTECTED]> wrote:
>
> We will be including Firefox and Thunderbird information on the
> vulnerabilities page going forward and testing against them.
Excellent. Thanks.
--
Michael
Mozilla-security mailing list
Michael Lefevre wrote:
> Something of an aside, but there is currently zero information about
> security issues in Firefox, which aren't necessarily in sync with those in
> Seamonkey (IIRC a fix was put into FF 0.8 for a security issue which
> had been fixed in seamonkey 8 months earlier, but
On 2004-03-24, Daniel Veditz <[EMAIL PROTECTED]> wrote:
> Ben Bucksch wrote:
>
>> I forgot:
>>
>> * There are currently 36 fixed, hidden bugs. Some of them fixed a
>> year ago.
>
> I will be updating the vulnerabilities page (and unhiding bugs) for the 1.7
> release, I'll make sure to ch
Ben Bucksch wrote:
Daniel Veditz wrote:
I don't think you've demonstrated problems with the policy but rather that
we have to do a better job implementing it.
I see. I guess we have differing viewpoints. Given that we ask for
secrecy, I think that the policy should *ensure* for outsiders/users
Daniel Veditz wrote:
I don't think you've demonstrated problems with the policy but rather that
we have to do a better job implementing it.
I see. I guess we have differing viewpoints. Given that we ask for
secrecy, I think that the policy should *ensure* for outsiders/users
that we're doing the
Ben Bucksch wrote:
>
> The policy isn't working.
...
> [...] can we use full disclosure now?
I don't think you've demonstrated problems with the policy but rather that
we have to do a better job implementing it. A *much* better job.
> * Public security bug lists [...]
> per policy on
Ben Bucksch wrote:
* The known, hidden security bugs are usually *not* being fixed
timely (contrary to assertions by Mitch during the policy
discussion IIRC). Some critical ones rotted for years until they
were driven out. There are currently 59 hidden, unfixed bugs.
Th
Ben Bucksch wrote:
> I forgot:
>
> * There are currently 36 fixed, hidden bugs. Some of them fixed a
> year ago.
I will be updating the vulnerabilities page (and unhiding bugs) for the 1.7
release, I'll make sure to check the ancient ones too.
> * A query for the formerly hidden,
I forgot:
There are currently 36 fixed, hidden bugs. Some of them fixed a
year ago.
A query for the formerly hidden, now disclosed bugs
In October 2001, we discussed a security bug policy for mozilla.org,
which resulted in the
current policy. I was quite unhappy about the policy, with the
worst problems listed in the attached post. I also included Mitch's
reply.
However, the policy very much reflected Netscape's interests, pr