Re: DAP and security (was: Rename "File API" to "FileReader API"?)

David, you're not listening.

On Thu, Nov 19, 2009 at 3:02 AM, David Rogers <david.rogers@omtp.org> wrote:
> -----Original Message-----
> From: Jonas Sicking [mailto:jonas@sicking.cc]
> Sent: 19 November 2009 10:11
> To: Marcin Hanclik
> Cc: David Rogers; Maciej Stachowiak; Dominique Hazael-Massieux; Robin
> Berjon; public-device-apis@w3.org; public-webapps WG
> Subject: Re: DAP and security (was: Rename "File API" to "FileReader
> API"?)
>
> Third, we'll have to spend efforts maintaining the code, even though
> it benefits only a small number of people. For example if a buffer
> overflow bug is found we'll have to treat that as as serious of a bug
> as a overflow in normal on-by-default code. Up to and including
> engineering efforts to fix the bug, QA efforts to test the fix,
> release resources to spin a new emergency release, and marketing
> efforts asking people to upgrade.
>
> [DAVID] I would expect that you would do this as a matter of course
> anyway as part of the security lifecycle. However a side-benefit from
> your argument would be that policy would therefore help reduce your
> maintenance?

Jonas just said that they had a policy mechanism and that's what
*caused* the problem in the first place.  He solved the problem by
removing the policy lever in Thunderbird that let users shoot
themselves in the foot.

Adam

Received on Thursday, 19 November 2009 15:57:11 UTC