Ian G wrote:
> OK, could we speculate that Mozo apps also could turn out a security
> update for their products in ... say 2 business days? Or, what number?
>
> And then, we could suggest that the whole process is likely to take
> a week (5 business days)?

The Firefox team has done security updates within a timeframe of ~5 days
(business or otherwise); for example, see the Quicktime-related security
vulnerability that was announced on 2007/09/12 and fixed in a security
update by 2007/09/18:

http://www.mozilla.org/security/announce/2007/mfsa2007-28.html

One major cause of delay for typical security vulnerabilities is trying
to figure out a proper fix that doesn't cause other bugs
(security-related or otherwise). For a root compromise the "fix" (i.e.,
removing the root or disabling the trust flags) is straightforward and
so this sort of delay could presumably be less. The lower bound on
response time is likely determined by the time needed to do QA on the
resulting update release.

So personally I'd consider a 5-day timeframe reasonable, and based on
past conversations with people doing update releases, I think it might
be pushed down as low as 3 days.

Frank

P.S. Anyone interested in the general issue of how the Mozilla project
responds to vulnerabilities can consult the Mozilla security
announcements database:

http://www.mozilla.org/security/announce/

combined with the associated Bugzilla reports (linked to from the
announcements).

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto