List,

I was told to send this to freedesktop.org admins, but as I fully expect that this will be controversial among some Mesa developers, I thought that I would write to this list first and check that there is enough agreement here.

WebGL-enabled browsers have faced security bugs in all drivers --- Mesa is not special in this respect. When that happens, we need to have conversations with the driver developers, not only to get the bugs fixed in future driver versions, but also to get the insight that we need in the short term to assess the security implications of the bug, develop mitigations, and decide whether the affected driver needs to be blacklisted.

Discussions of security-sensitive bugs need to be private. I understand that this is a controversial statement in many F/OSS communities, but it is how all browser projects, including Mozilla and Chromium, work, and that part has to be accepted as an axiom in the present discussion.

Given that, what has happened is that when browser developers (Mozilla and Chromium at least) identified security bugs in Mesa, as Mesa's bugzilla does not currently have the option to hide security bugs, we had to resort to

* either using private e-mail
* or CCing Mesa developers on our own secure bugs

Both solutions are poor, and a better solution would be for Mesa's bugzilla to allow hidden security bugs so we could work there. Given that security bug discussion can't be open, that is the "least bad" solution possible.

Any questions? Do you support or oppose me asking FD.o admins to allow hidden bugs on Mesa's bugzilla?

Benoit

_______________________________________________
mesa-dev mailing list
mesa-dev@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/mesa-dev