Thumb-wrestling security
Frank Hecker has a good write-up on the decision making process of the Mozilla group's security disclosure policies which caused me to lose time today that I really didn't have to lose.
It gives a breakdown of the issues the Mozilla group faced in deciding whether to go the full disclosure route (i.e., letting everyone see the security postings in the bug tracker), keep things close to the chest, or take a hybrid approach, and does a great job of giving an example where 'full disclosure' could lead to a situation where there's actually less disclosure.
The part about dealing with Netscape and other partners really stuck out at me, as it was something I hadn't considered:
...mandating full and immediate disclosure for security bug reports placed into Bugzilla was likely to encourage Mozilla vendors (including AOL, but also potentially others) to bypass the Bugzilla mechanisms for handling security-related bugs, by handling that information internally and not making it available to other interested parties in the Mozilla project.
One of the really interesting aspects of many of the larger OSS projects is the disparate groups they have to encompass... the hackers, crackers, coders, and the larger corporate entities. Having to find middle ground for all of them would be challenging indeed.
While you're there, it's also worth checking out his brand scoring post, which shows the importance of quantifying your demographics when doing simple polling and is something I've taken an even greater interest in lately. It hurts my brain, but in a good way.

Posted by drunkenbatman

One of my colleagues just looked over my shoulder and said "thumb-wrestling security? You read the weirdest stuff." All I can say is, congratulations.