> On Tue, Aug 6, 2013 at 12:30 PM, Jacob Appelbaum
>> Please feel free to answer the question, we're happy to learn from an
>> example. Are either of you involved in such an example? Might we learn
>> from your example? If so, where might we see it?
> Tails references upstream advisories, or at least did so in the past.
I agree - Tails does a pretty good job of referencing upstream, but they
don't email out an advisory for each issue in each upstream project. Nor
do they do a specific analysis of each bug, spending many days of
people-time per bug. Somewhere there is a line, and clearly we failed to
meet the high standards of a few folks on this list. I'm mostly curious
whether that high standard will be expressed in a cohesive manner where we
might learn from it.
> I actually think they are going overboard with those, but it's an
Where do you draw the line? I guess with release notes that bump
versions, mention that users should upgrade and so on?
I tend to like the Tails way of doing things - I have advocated for a
little more linkage to security advisories. Still, I think it is not as
critical as a secure updater or packaging TBB for various packaging
systems. We're understaffed, so we tend to pick the few things we might
accomplish, and writing such advisory emails is weird unless there is an
exceptional event. Firefox bugs and corresponding updates are not
exceptional events. :(
Also, I'll note that even Tails doesn't reference sub-modules of the
specific projects - they are just linking to DSAs and related pages.
> The whole situation is pretty funny, by the way, since Mike Perry (TBB
> was accused of maintaining Freedom Hosting by those OpDarknet clowns two
> years ago:
It is awful for Mike, and I can't even begin to find it funny in the
least. Though I'll take your point that it is rich with awful irony.
All the best,