
Re: On Mozilla-* updates



On Wed, Aug 03, 2005 at 01:01:40PM +0100, antgel wrote:
> Matt Zimmerman wrote:
> > You're welcome to attempt to convince the Mozilla project to change
> > the way that they work for the benefit of distribution security teams.  If I
> > recall correctly, others have unsuccessfully attempted this in the past, but
> > since you are interested in this issue, perhaps you will try again and
> > report back to us.
> 
> If it comes to that then I will.  I'd like to see how this thread pans
> out.  From what I gather so far, there are three issues:

It has come to that.  There is clearly a communication gap.

However, last night we learned that a Mozilla security representative will
be present at OSCon, as will Debian and Ubuntu representatives who are
willing to talk with him about this issue, so we'll see what comes of that.

> 1) There is no visibility of some Mozilla security patches due to the
> embargo.
>
> We do have visibility of these via mdz.

I have only heard this issue from the testing security team.  I am happy to
relay patches to them on request, but it would probably be more effective
for them to request access directly from Mozilla.

> 2) Mozilla security patches are not easy to find and isolate.
> 
> Ben has disputed this, saying that we should be able to extract all
> necessary patches.  Public ones from
> http://www.mozilla.org/projects/security/known-vulnerabilities.html then
> bugzilla, and embargoed ones via mdz.

Ben has now explained that this is in fact not sufficient.

-- 
 - mdz


