Tree Branches for Mozilla 1.7

Wednesday April 14th, 2004

On Monday, the new Mozilla 1.7 branch was cut from the trunk, in preparation for the final release of Mozilla 1.7 in mid-May. As well as 1.7, the branch will also provide the foundation for Mozilla Firefox 1.0 and several other Mozilla-based applications. Post-1.7, the new branch will replace 1.4 as the stable development baseline. Checkins to the branch require approval from — the trunk, meanwhile, is now open for 1.8 Alpha development work. Consult tinderbox for the latest tree status.

#8 Re: Re: Re: Re: Some info about security fixes wou

by jesse <>

Friday April 16th, 2004 12:56 AM

You are replying to this message

"Jesse, this is not about mozilla having security holes, this is also not about a specific bug number, because there are more security related issues in mozilla still left unfixed."

I don't think you have access to any of the bugs in question. It's hard for me to know whether you're trolling, mistaking "marked as security-sensitive" for "a (major) security hole" after seeing only the bug number, extrapolating, or correct. If you're correct, I want to know what the bug number(s) so I judge its severity, see what Mitch, caillon, dveditz, etc. have said on the bug, and e-mail the security group if I think it's been incorrectly neglected.

"You even filed some of them, a long time ago."

Of the 55 (?) security bugs I filed, 4 are unfixed. The first is severe and I have already committed to disclose it after Mozilla 1.7 and Firefox 0.9 because I am frustrated that it has not been fixed. The second might be severe, depending on my mood. The third is probably not exploitable. The fourth is a variation on the first.

"Also, I don't think I have to tell you the bug numbers, because you can easily look for them in bugzilla."

There are 85 open bugs with 'group' 'is equal to' 'security'. Over half of the oldest 14 are bugs bsharma filed with "?" at the end of the summary, and seem to be requests for security developers to investigate. 22 are UNCO. Some of the UNCO were mistakenly filed as security-sensitive and others are unconfirmed security bug reports.

I don't feel like reading through all 85 bugs to determine which are actually security bugs (and which of those are fixable). Maybe I will this summer when I'm bored and/or when I'm paid to work on Mozilla. Or maybe I'll trust Christopher Aillon to do the right thing next time he goes through the bugs.

"Are you saying that there are no security related bugs left unfixed in current builds?"

I am not saying that.

"Do you agree that this November 2003 document should be updated?"

I assume you're talking about <…nown-vulnerabilities.html>. Sure, it would be nice if it was updated more often, but I'm not volunteering and I'm not convinced that's a better use of dveditz's and caillon's time than making Mozilla secure.