chris hofmann
Nov 1, 2011, 10:16:53 PM
to Jesse Ruderman, Brian Smith, dev-pl...@lists.mozilla.org, cur...@mozilla.com, securit...@mozilla.org
Part of the reasoning around sg:crit? was to help us get out of
unproductive debate and deep research into the criticality, and keep the
focus on just getting the bugs of that class fixed. e.g.: "There is
enough evidence here that this could be turned into a critical exploitable
bug, but no one is going to do that extra level of work, let's just get
the bug fixed quick and move on..."
My fear is that we will now be reverting to a system that needs to
remove all ambiguity about the exploitability, which could leave bugs in
triage longer, and lengthen the cycle between discovery and getting the
fix in the hands of our users.
By "our development partners" I'm assuming you mean the other
engineers working on the project who also must make trade-offs between
time spent evaluating the criticality of the bugs v. just fixing the
bug. I'm not sure how this serves them either.
-chofmann
>> So, if anything, I would prefer to formalize the sg:<rating>? scheme like we have done for tracking-firefoxX and status-firefoxX flags, and hopefully make it easier for secteam to help negotiate the severity with the developers & contributors of the affected component.
> _______________________________________________
> dev-planning mailing list
> dev-pl...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-planning