Security announce group
Newsgroups: netscape.public.mozilla.security
From: Ben Bucksch <mozilla.n...@bucksch.org>
Date: Tue, 12 Dec 2000 10:03:51 +0100
Local: Tues, Dec 12 2000 4:03 am
Subject: Re: Security announce group

Ben Bucksch wrote:
> Ideally, a release engineer would also create an appropriate fix
> distribution, e.g. an XPI file containing the fixed library only.
> However, this must not hold back the post by more than a few hours.

This is only if mozilla.org still wants to release binary Milestones
and "support" them (with security fixes). Otherwise, waiting for the
next nightly should be fine.

Newsgroups: netscape.public.mozilla.security
From: Mitchell Stoltz <msto...@netscape.com>
Date: Wed, 13 Dec 2000 17:16:40 -0800
Local: Wed, Dec 13 2000 8:16 pm
Subject: Re: Security announce group

Making people aware that vulnerabilities exist and how to protect
themselves is a good thing. However, I won't be able to participate in
such a newsgroup, and if Mozilla security problems are going to be
disclosed rapidly, this will seriously limit my and probably Netscape's
ability to participate in Mozilla security discussions. Basically, the
publishing of vulnerabilities will have to come from Netscape's PR
department, not from me or any other security engineers. I make a
distinction, as you apparently do, between technical discussion of
security bugs between engineers from different organizations, and public
disclosure of these bugs. I am much more interested in the former.

Along those lines, I am opposed to any hard and fast deadlines on the
public disclosure of any security bug information (such as requiring
disclosure of a vulnerability within five days). Such a requirement is
unnecessary, since the reporter of a bug has the option of taking it
public at any time.
      -Mitch

Ben Bucksch wrote:
> Even if we don't fully disclose bugs, it is very important to have
> notifications about them.

-----
Views are mine, not Netscape's

Newsgroups: netscape.public.mozilla.security
From: mozilla.n...@bucksch.org (Ben Bucksch)
Date: 14 Dec 2000 05:55:15 GMT
Local: Thurs, Dec 14 2000 12:55 am
Subject: Re: Security announce group

Mitchell Stoltz wrote:
> Making people aware that vulnerabilities exist and how to protect
> themselves is a good thing. However, I won't be able to participate
> in such a newsgroup, and if Mozilla security problems are going to
> be disclosed rapidly, this will seriously limit my and probably
> Netscape's ability to participate in Mozilla security discussions.
> Along those lines, I am opposed to any hard and fast deadlines on the
> public disclosure of any security bug information (such as requiring
> disclosure of a vulnerability within five days).

Mitch,

my suggestions for the security announce group were based on the
assumption that the important parts of Frank Hecker's proposal will be
accepted in "mostly consensus" (which of course includes Netscape) and
implemented.

Apart from the fact that you object to the forced disclosure after a
certain time (which was a key part in Frank's proposal, and we should
discuss it in that thread), it is not clear to me what else, if
anything, you object to in my security announce group proposal.

Especially, what do you think about making announcements about the
*fact* that there is a vulnerability and suggesting workarounds (i.e.
the announcements about new bugs in my proposal)?

I don't see security reasons speaking against that. OTOH, this would be
IMO incredibly important for both Mozilla developers / testers and
distributors. (I hope it is clear why and I don't have to give reasons.)

I can see marketing considerations speaking against that, depending on
which marketing strategy is used. If these are blocking such
announcements from your side, please be detailed about it (if marketing
isn't blocking that, too :-( ), so we have a base for making suggestions.

