
Re: DAP and security (was: Rename "File API" to "FileReader API"?)

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 19 Nov 2009 07:51:09 -0800
Message-ID: <7789133a0911190751s36480eb3x75b3715f9bdd0e60@mail.gmail.com>
To: David Rogers <david.rogers@omtp.org>
Cc: Jonas Sicking <jonas@sicking.cc>, Marcin Hanclik <Marcin.Hanclik@access-company.com>, Maciej Stachowiak <mjs@apple.com>, Dominique Hazael-Massieux <dom@w3.org>, Robin Berjon <robin@berjon.com>, public-device-apis@w3.org, public-webapps WG <public-webapps@w3.org>
David, you're not listening.

On Thu, Nov 19, 2009 at 3:02 AM, David Rogers <david.rogers@omtp.org> wrote:
> -----Original Message-----
> From: Jonas Sicking [mailto:jonas@sicking.cc]
> Sent: 19 November 2009 10:11
> To: Marcin Hanclik
> Cc: David Rogers; Maciej Stachowiak; Dominique Hazael-Massieux; Robin
> Berjon; public-device-apis@w3.org; public-webapps WG
> Subject: Re: DAP and security (was: Rename "File API" to "FileReader
> API"?)
>
> Third, we'll have to spend efforts maintaining the code, even though
> it benefits only a small number of people. For example if a buffer
> overflow bug is found we'll have to treat that as as serious a bug
> as an overflow in normal on-by-default code. Up to and including
> engineering efforts to fix the bug, QA efforts to test the fix,
> release resources to spin a new emergency release, and marketing
> efforts asking people to upgrade.
>
> [DAVID] I would expect that you would do this as a matter of course
> anyway as part of the security lifecycle. However a side-benefit from
> your argument would be that policy would therefore help reduce your
> maintenance?

Jonas just said that they had a policy mechanism and that's what
*caused* the problem in the first place.  He solved the problem by
removing the policy lever in Thunderbird that let users shoot
themselves in the foot.

Adam
Received on Thursday, 19 November 2009 15:57:10 GMT
