Mozilla and Transparency

[Back in 2015, Mozilla promised transparency but was anything but regarding some products and vulnerabilities. I had contacted Slackware trying to determine if they were impacted and found out their hands were tied, due to Mozilla. I am posting my raw notes as-is, just so they are public and can be referenced.]


https://blog.mozilla.org/security/2015/09/04/improving-security-for-bugzilla/
Openness, transparency, and security are all central to the Mozilla mission.

http://seclists.org/bugtraq/2015/Sep/21
https://www.mozilla.org/en-US/security/known-vulnerabilities/seamonkey/

Slackware says:
I understand the desire to have all that information, but upstream seldom prepares it in time for our packages, so the link to their security information page is all we have the resources to provide for Mozilla packages. In this case, there’s still nothing at the upstream link for Seamonkey security updates.

If upstream would include a NEWS (or other text file) in the releases with a handy list of Mozilla IDs or CVEs, we would certainly paste it into our advisories as we do for other projects that provide security identifiers in an easy to obtain fashion.

I notice:
OK wait… so your 2.35 package is actually SeaMonkey 2.35, and their advisory page is presumably two versions out of date (2.34 / 2.35, not counting the possibility of a minor revision in there, e.g. 2.34.1)? If so then I will certainly harass Mozilla on this. It isn’t fair or responsible to downstream to push an update and not give them such details.

I also have a feeling the information is there to be had via the Firefox page at https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/, since they can affect multiple products, e.g. https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/

Hrm, actually no! It looks like they stopped including SeaMonkey details in Firefox advisories back in March. This appears to be the last to mention both based on a quick search:

https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/

Also, the advisory goes live while the original bug ticket is still locked, almost every time. That is not open or transparent.
