On Sat, 2015-04-25 at 11:54 +0200, Sylvestre Ledru wrote:
> > Even when they're still supported by upstream, they simply receive far less
> > scrutiny (in terms of security audits/analysis) than the current versions.
> > Also often security holes are silently fixed, without being identified as
> > such.
>
> As Firefox release manager, I can tell you that this statement is incorrect.
> For every security bug, if the information is not present, the question
> "is ESR31 impacted?".

Sure, but I didn't talk about this at all. I referred to code that is changed/removed which may contain bugs that perhaps contain security issues, which are never identified as such, maybe not even as a "normal" bug.

> And if you saw any security holes being silently fixed, this was not on
> purpose and it was a mistake.

No, I haven't seen any particular cases, but this has happened to all different kinds of software, libc (GHOST), the kernel and so on. I don't think that Mozilla can make extensive security audits of every line of code that is about to be changed/removed, so it's IMHO naive to believe that FF would be safe from this situation, whereas mostly all other software is not.

Best wishes,
Chris.