Archive for May, 2005

Mozilla security process criticised

Monday, May 23rd, 2005

Ben Goodger argues for using the official Mozilla binaries rather than vendor-redistributed ones, because Mozilla's own builds receive security patches earlier:

If security is important to you, this demonstration should show that browsers that are redistributions of the official Mozilla releases are never going to give you security updates as quickly as Mozilla will itself for its supported products.


Christopher Aillon criticises this as bad practice:

Other projects make sure that the vendors know of a security vulnerability, supply the patch and new tarball (if applicable, which it is in mozilla.org’s case), give a brief period of time for the vendors to catch up, and then do a synchronous release with them at a planned time.

(via Slashdot)


Coordinated security releases

Monday, May 23rd, 2005

Havoc Pennington describes the coordinated release process for security bugs:

The simplest thing is to quietly notify any of the major Linux or BSD distributions and let them take it from there… Once you notify someone, wait to hear back. The upstream maintainer would normally announce the vulnerability and commit patches to CVS at the same coordinated time that vendors post packages. If you patch in CVS before anyone is ready with packages, your users are vulnerable during the gap (and generally unhappy about it). Worse, by committing a patch to CVS you’re doing something that a black hat could notice, but most sysadmins will not notice.
