[wp-hackers] Development Process

Doug Stewart dstewart at atl.lmco.com
Thu Jul 27 16:00:48 GMT 2006


Robert Deaton wrote:
> On 7/27/06, Doug Stewart <dstewart at atl.lmco.com> wrote:
>> Robert Deaton wrote:
>> That royally pissed off Microsoft, yet Firefox and Opera reacted quickly
>> and fixed issues raised by Metasploit.  Let's be Firefox, not Microsoft
>> in our approach to these things.  Perhaps we should take a look at their
>> methodologies for addressing security issues...
>
> Now that's more of the response I was hoping to see.
>
> Firefox itself has both a security mailing list and their bugzilla
> available for reporting and discussing security issues. Both are open
> to the public. Personally, I like the idea of a mailing list, but one
> that is closed to invitation only (and maybe with archives that are
> updated after each release for the public to see the discussion that
> took place).
>
> I know the first argument is going to be "Firefox's security lists are
> open to the public, why shouldn't ours be?" First and foremost, it
> would be very difficult to target a single person running Firefox to
> infect them in any way. Second, it's not just the security of our users
> we're putting at risk, we're putting shared hosting companies at risk
> as well. Servers are more popular targets for a certain range of
> malicious black hats because they have the bandwidth that infecting
> home machines through a browser does not. And last but not least,
> Firefox can update itself when a new security fix is available, so to
> them, who cares if the whole world sees as long as it's resolved within
> a short enough time?

The ability to auto-update is a very recent addition to Firefox and
Thunderbird - I could be wrong, but I don't think Seamonkey even has
parity in this respect yet.  You're right, though, in that a blogging
platform is inherently a different proposition than a web browser and
the effects of auto-updating are too perilous to give any weight to such.

Is there a way to "stealth" tickets in Trac?  Perhaps anything tagged as
"security" could be hidden from anyone but Trac admins and the submitter
until the issue was marked as "closed", in which case the ticket could
be opened to the world.  'Twould use the existing infrastructure in a
new way to handle an old, persistent problem...

-- 
------------
Doug Stewart
Senior Systems Administrator/Web Applications Developer
Lockheed Martin Advanced Technology Labs
dstewart at atl.lmco.com