Comments on: Ask Jesse answer: Mozilla security process http://www.squarefree.com/2005/05/04/ask-jesse-answer-mozilla-security-process-internship/ Jesse Ruderman on Firefox, security, and more Thu, 20 Nov 2008 08:27:15 +0000 http://wordpress.org/?v=2.5 By: Block Sheep http://www.squarefree.com/2005/05/04/ask-jesse-answer-mozilla-security-process-internship/#comment-1200 Block Sheep Thu, 05 May 2005 04:32:35 +0000 http://www.squarefree.com/2005/05/04/ask-jesse-answer-mozilla-security-process-internship/#comment-1200 Re: Getting users to keep Firefox updated It's get's even more difficult with blunders like this: * ANOTHER bug in the File Save dialog - MozillaZine Forums - http://forums.mozillazine.org/viewtopic.php?t=228991 * Bugzilla Bug 283730 - https://bugzilla.mozilla.org/show_bug.cgi?id=283730 Re: Getting users to keep Firefox updated

It’s get’s even more difficult with blunders like this:
* ANOTHER bug in the File Save dialog - MozillaZine Forums - http://forums.mozillazine.org/viewtopic.php?t=228991
* Bugzilla Bug 283730 - https://bugzilla.mozilla.org/show_bug.cgi?id=283730

]]> By: Frank Hecker http://www.squarefree.com/2005/05/04/ask-jesse-answer-mozilla-security-process-internship/#comment-1183 Frank Hecker Wed, 04 May 2005 17:37:50 +0000 http://www.squarefree.com/2005/05/04/ask-jesse-answer-mozilla-security-process-internship/#comment-1183 You write "Someone (maybe me) should keep a list of all the security UI in Firefox and ensure the necessary precautions are applied." It would be truly wonderful if you and/or others were to look at the Firefox (and Thunderbird) security UI and figure out how it could be improved, particular for typical users. You write “Someone (maybe me) should keep a list of all the security UI in Firefox and ensure the necessary precautions are applied.” It would be truly wonderful if you and/or others were to look at the Firefox (and Thunderbird) security UI and figure out how it could be improved, particular for typical users.

]]> By: Nikolas 'Atrus' Coukouma http://www.squarefree.com/2005/05/04/ask-jesse-answer-mozilla-security-process-internship/#comment-1180 Nikolas 'Atrus' Coukouma Wed, 04 May 2005 13:46:22 +0000 http://www.squarefree.com/2005/05/04/ask-jesse-answer-mozilla-security-process-internship/#comment-1180 Re: Getting users to keep Firefox updated I know a lot of users <i>like</i> the subtlety of the update notification. In particular, everything on windows pops up with a big bubble demanding attention right now and will continue to harass you every fifteen minutes of your life until you do what it wants. I definitely think it's good to be noisy and explain it the first time around, but after that it should quiet down. I imagine a dialog with the "don't ask me again" checkbox would make sense. I also think that any noisiness should be confined to critical updates. I really don't need to be pestered to update my extensions. Re: Getting users to keep Firefox updated
I know a lot of users like the subtlety of the update notification. In particular, everything on windows pops up with a big bubble demanding attention right now and will continue to harass you every fifteen minutes of your life until you do what it wants.

I definitely think it’s good to be noisy and explain it the first time around, but after that it should quiet down. I imagine a dialog with the “don’t ask me again” checkbox would make sense. I also think that any noisiness should be confined to critical updates. I really don’t need to be pestered to update my extensions.

]]> By: Michael Krax [mikx] http://www.squarefree.com/2005/05/04/ask-jesse-answer-mozilla-security-process-internship/#comment-1179 Michael Krax [mikx] Wed, 04 May 2005 12:40:51 +0000 http://www.squarefree.com/2005/05/04/ask-jesse-answer-mozilla-security-process-internship/#comment-1179 Actually i made up my mind on sending advisorys when a patch get's checked in into public CVS. I still strongly disagree with this behavior and consider it more or less a full information disclosure, but i dicided to hold my advisorys back in the future until the patch gets released or the bug gets exploited in the wild. Since there is mostly no workaround beside re-compiling on your own or disable javascript (both unlikely actions) triggering an advisory to early doesn't help. A drasticly too good documented checkin would still make me release an advisory, though. But the Mozilla Security team was doing a good job in doing "obfuscated" checkins lately. Actually i made up my mind on sending advisorys when a patch get’s checked in into public CVS.

I still strongly disagree with this behavior and consider it more or less a full information disclosure, but i dicided to hold my advisorys back in the future until the patch gets released or the bug gets exploited in the wild. Since there is mostly no workaround beside re-compiling on your own or disable javascript (both unlikely actions) triggering an advisory to early doesn’t help.

A drasticly too good documented checkin would still make me release an advisory, though. But the Mozilla Security team was doing a good job in doing “obfuscated” checkins lately.

]]> By: michaell http://www.squarefree.com/2005/05/04/ask-jesse-answer-mozilla-security-process-internship/#comment-1177 michaell Wed, 04 May 2005 12:15:34 +0000 http://www.squarefree.com/2005/05/04/ask-jesse-answer-mozilla-security-process-internship/#comment-1177 Thanks for the comprehensive answer - will be easier to find if I want to point someone to what you've said in the future. Sounds like (from your internship answer in the next entry) you'll be able to help with some of this stuff when you're there. :) Thanks for the comprehensive answer - will be easier to find if I want to point someone to what you’ve said in the future.

Sounds like (from your internship answer in the next entry) you’ll be able to help with some of this stuff when you’re there. :)

]]>