My reactions to this are:

1) They will be notified first, fine, but make sure that people know
about it. If I'm running Mozilla on my machine, and there's a hole,
I want to know about it so that I can stop using it until it's fixed,
or keep an eye out. The recent con/con problem in 98 caused problems
for some people here because they didn't know about it.

2) It will end up on Bugtraq, at which point everyone will know about
it. What is an acceptable amount of time for them to keep the bug quiet?
A week? A month? If it takes them longer than that to fix it, then they
should tell people, surely?

3) As has been pointed out, it's in development. People expect bugs. Only
developers or people who are silly enough to want to run dev software
run it currently. Why not tell them so the bug can be fixed quicker? At
the moment, any bug that can crash Mozilla is public knowledge in the
Bugzilla database, and I consider crashing software a security problem,
as do many other people (the con/con problem, for example).

Regards
L.
---
Liam Bedford 01-4170153
System Administrator WBT Systems, Block 2, Harcourt Ctr.,
Harcourt St., Dublin 2
> -----Original Message-----
> From: ilug-admin at linux.ie [mailto:ilug-admin at linux.ie] On Behalf Of David Oggs
> Sent: 28 March 2000 13:48
> To: Liam Bedford
> Cc: ILUG
> Subject: Re: [ILUG] Mozilla
>
> It was today when ilug-admin at linux.ie shared his opinions on [ILUG] Mozilla...
>
> > Anyone else seen on /. that Mozilla _currently_ intend to hide all their
> > security bugs until they've fixed them...
>
> It's pretty common practice; only developers will be able to fix these
> bugs -- so only developers need know. Why do you need to know? Since at
> the same time they will be informing every script kiddie out there. I'm
> pretty satisfied with the way they're handling this -- shows they have
> some kind of clue when it comes to security. If you've ever taken a look
> at rootshell.com or securityfocus.com you'll see that the hole is usually
> passed to the vendor first and they're given a grace period. If they take
> no action, it's their fault *then*.
>
> > Anyone know who to contact about this, as it sounds remarkably like M$..
>
> It would only be M$-like if they published the bugs and took no action;
> (used to) happen quite a bit with IIS holes.
>
> -Brian
> brian at devfoo.net   "Are you a man or a corpse ?"
>
> --
> Irish Linux Users' Group: ilug at linux.ie
> http://www.linux.ie/mailman/listinfo/ilug for (un)subscription information.
> List maintainer: listmaster at linux.ie