Mozilla and Security
Tuesday March 28th, 2000
Nothing like a little rhetoric to get you hopping in the morning. This latest comes from some guy called AP who made a submission to Slashdot regarding a discussion currently going on in n.p.m.security. In it, he states that the Mozilla team is contemplating limiting access to security bugs, implying that the team is substituting obscurity for security. He fans the flames by saying "Are Mozilla developers missing the point of open source (implying open security bugs) or are they under pressure from Netscape?"
If you read the discussion thread titled "Security bugs and disclosure" in n.p.m.security, you will see that the discussion is not exactly what AP portrayed, and mozilla.org members are actually having a serious discussion about disclosure, security and Open Source. This is what Open Source is about, people!!! What kind of access would you have to this kind of discussion if the process was closed? Open Source isn't just about open code - it's about open discussion, as well. And mozilla.org has provided ample opportunity for discussion regarding practically every level of the development process. I think the fact that AP came across this discussion at all proves that the discussion process is adequately open.
If you have opinions regarding this, you should feel free to post them in the security newsgroup, but please read the previous posts in the thread, because they are reasonable posts from people who are trying to do the right thing.
#12 Re: Let's not get deflected...
by bambamm20 <email@example.com>
Tuesday April 25th, 2000 7:37 AM
You are replying to this message
This is a very arogant and un-open source statement that you just made. If they release the security bugs to the publicpeople will be aware of what is going on and how are they vulnerable in the first place. Second of all releasing the security bugs allowes thousands upon thousands of programmers to look over and scrutinize the source code... You don't have to write the code to understand it. How do you think the LINUX kernel developed over the years, do you really think they were familiar with the kernel source code......NOPe, they looked over it and contributed to it helping make it stronger and more secure, and stable at that. So all the talk of only the one who wrote it can understand it is pre sensationalism. I say free the source and the bugs we have a right to know, we also have a right to fix it(open-source). If the bugs arent released and the public is not made aware, I say it is no different than IE where the user knows none of it's vulnerabilities, and they can't do anything about them, because they have to wait till the beurocrats get around to fixing it. Release it. I say. best thing to do.