[sldev] Viewer security vulnerability disclosure group
Tammy Nowotny
TammyNowotny at mac.com
Sun Dec 28 08:03:17 PST 2008
Meadhbh Hamrick (Infinity) wrote:
>
> so.. getting back to Rob's original post...
>
> "do you think it's acceptable for Linden to REQUIRE members of the 3rd
> party viewer community to sign a non-disclosure agreement as a
> precondition of receiving early disclosure notices?"
>
> and if not, why?

My L$5 on that: I think it's acceptable. There are all sorts of good
reasons why LL might want to tell the developers certain things they
aren't ready to tell the whole world, although in general it is best not
to keep more secrets than you absolutely have to. As for how users can
patch their viewers, well--- if the user is on an operating system
released during the current century, then software developers should be
able to semi-automatically push updates to the user community. (That's
what Linden Lab does.) If users are on an older OS, they can be urged to
visit a website, or the developer can even email update notices to
registered users.

Henri said:
>
>>
>> Take Firefox... v1 has been discontinued even though it's the only
>> version that can run reasonably fast on old, i586 computers (thanks
>> to GTK+ v1 which is much less bloated than v2 and runs twice or thrice
>> faster). Firefox v2 will soon be discontinued too... there are no
>> security fixes for discontinued Firefox branches: that's life...
>>

Mozilla.org actually did release an update to Firefox 2.0 recently. In
the case of Firefox, it's not just Firefox which is open source; the
basic Mozilla browser standard is itself open source. Firefox can't be
all things to all people, and there might come a point where it would be
better to build a whole new Mozilla browser from the ground up for
legacy hardware rather than to keep patching the original v1 Firefox
browser.