Re: The sec-approval process makes users safer

2019-09-16 Thread Stéphanie Ouillon
Hi, I'm taking this opportunity to share a new wiki page documenting guidelines for patching core-security bugs: https://wiki.mozilla.org/Security/Firefox_security_bug_fixing You'll find generic security principles about handling security bugs, as well as the detailed process for fixing securit

Re: The sec-approval process makes users safer

2019-09-10 Thread Boris Zbarsky
On 9/10/19 3:53 PM, Daniel Veditz wrote: Other groups must be using that flag also Sure, it just means "this needs a test checked in". "Only" 718 fixed bugs with a sec- keyword have that flag. A mere trifle! ;) -Boris

Re: The sec-approval process makes users safer

2019-09-10 Thread Daniel Veditz
On Tue, Sep 10, 2019 at 9:35 AM Boris Zbarsky wrote: > On 9/10/19 12:30 PM, Boris Zbarsky wrote: > > I just checked, and there are currently 826 bugs that have > > "in-testsuite?" set on them where I am the flag requester. > > And overall there seem to be ~7300 bugs that have that flag set. > Ot

Re: The sec-approval process makes users safer

2019-09-10 Thread Boris Zbarsky
On 9/10/19 12:30 PM, Boris Zbarsky wrote: I just checked, and there are currently 826 bugs that have "in-testsuite?" set on them where I am the flag requester. And overall there seem to be ~7300 bugs that have that flag set. -Boris

Re: The sec-approval process makes users safer

2019-09-10 Thread Boris Zbarsky
On 9/10/19 12:16 PM, Dan Mosedale wrote: Seems like it ought to be straightforward to do something to cause in-testsuite? flags to send mail occasionally, or show up on some dashboard, or... Could be worth it. I just checked, and there are currently 826 bugs that have "in-testsuite?" set on t

Re: The sec-approval process makes users safer

2019-09-10 Thread Dan Mosedale
Seems like it ought to be straightforward to do something to cause in-testsuite? flags to send mail occasionally, or show up on some dashboard, or... Dan On Tue, 10 Sept 2019 at 09:11, Andrew McCreight wrote: > > On Tue, Sep 10, 2019 at 4:55 PM Dave Townsend wrote: > > > On Mon, Sep 9, 2

Re: The sec-approval process makes users safer

2019-09-10 Thread Andrew McCreight
On Tue, Sep 10, 2019 at 4:55 PM Dave Townsend wrote: > On Mon, Sep 9, 2019 at 6:01 PM Jeff Walden wrote: > > > Those of you longer in the tooth may remember Firefox was successfully > > exploited in Pwn2own 2012...and we didn't have to lift a finger to fix > it. > > We already had -- in the Fire

Re: The sec-approval process makes users safer

2019-09-10 Thread Jeff Walden
On 9/10/19 7:55 AM, Dave Townsend wrote: > How often do we go back and land those tests and comments after the fix has > been in the release builds for a suitable amount of time? I always land my tests...at some point. I don't know if everyone else adequately remembers to do so. We don't forma

Re: The sec-approval process makes users safer

2019-09-10 Thread Dave Townsend
On Mon, Sep 9, 2019 at 6:01 PM Jeff Walden wrote: > Those of you longer in the tooth may remember Firefox was successfully > exploited in Pwn2own 2012...and we didn't have to lift a finger to fix it. > We already had -- in the Firefox release shipping days later. 🤦 > > https://bugzilla.mozilla.o

Re: The sec-approval process makes users safer

2019-09-10 Thread Frederik Braun
Hi Jeff, thank you for bringing this up! Halvar Flake (also formerly of P0) argues here that committing a patch is not very different from committing the test case: Which is not something I'm willing to believe in totality. I thi

The sec-approval process makes users safer

2019-09-09 Thread Jeff Walden
Those of you longer in the tooth may remember Firefox was successfully exploited in Pwn2own 2012...and we didn't have to lift a finger to fix it. We already had -- in the Firefox release shipping days later. 🤦 https://bugzilla.mozilla.org/show_bug.cgi?id=735104 (pwn2own bug) https://bugzilla.m