by tptacek 3526 days ago
Google has repeatedly been equally abrupt in making breaking changes to other people's apps/products/pages/sites to resolve security problems. I'm glad they do, and I'm glad Mozilla isn't fucking around with stuff like this either.

I'll assume this is true (not my area!):

1. Just because one guy is an idiot does not mean the other should be.

2. You know, you may want to tell people, and establish a process for telling people, that this is happening (i.e. it should not take until a person files a GitHub issue asking what's up when they validate their app to know what's going to be okay and what's not).

(and if the answer is "google doesn't do that", see #1 :P)

The people you just called idiots are demonstrably not idiots. Your company is extraordinarily lucky to employ them.
Sorry, yes, that was crass, and I apologize. I can't edit it anymore, sadly.

I meant it really in the sense that: You have given no reason this couldn't have been done in a fashion that provided the barest minimum of notice or information. Doing so when you can do so is the right thing, and if someone else is not doing that, that does not mean you should duplicate that process.

As far as I know, nobody has claimed otherwise, here or there.

In fact, there are a number of factual inaccuracies that seem to have been driving parts of this decision (e.g. "Google has stopped supporting Angular 1") that a trivial notice and discussion process probably would have corrected.

Past that nothing in this discussion has pointed to anything so urgent (especially given the 6+ month time period involved between the original presentation and any notice at all it was banned, and then another 6 months till now) that it required immediate action at the point they did it. If there was something, again, someone could have, at the very least, said that ("Hey, we discovered a problem, we're going to take immediate action, this may hurt. Sorry").

TL;DR: I'm a fan of "ready, aim, fire", not "fire, ready, aim". If it can't be done that way, fine, but no data says that this was the case here.

Sorry, I thought I had written a longer comment but got distracted, so that came out sharper than I meant.

I agree. Notice is good. But all sorts of pressures interfere with notice, like embargoes, multiple stakeholders, threat intelligence, IR and active exploitation, and so on.

The important thing is to close the vulnerability. Everything else is distantly secondary.

Also, and respectfully: it is not so much Mozilla's job to know the maintenance status of Google JavaScript libraries as it is Google's responsibility not to ship JavaScript code (or extensions) that makes Mozilla insecure.