by DannyBee 3526 days ago
Sorry, yes, that was crass, and I apologize. I can't edit it anymore, sadly.

I meant it really in the sense that: You have given no reason this couldn't have been done in a fashion that provided the barest minimum of notice or information. Doing so when you can do so is the right thing, and if someone else is not doing that, that does not mean you should duplicate that process.

As far as I know, nobody has claimed otherwise, here or there.

In fact, there are a number of factual inaccuracies that seem to have been driving parts of this decision (i.e. "Google has stopped supporting Angular 1") that a trivial notice and discussion process probably would have corrected.

Past that, nothing in this discussion has pointed to anything so urgent (especially given the 6+ month period between the original presentation and any notice at all that it was banned, and then another 6 months till now) that it required immediate action at the point they did it. If there was something, again, someone could have, at the very least, said so ("Hey, we discovered a problem, we're going to take immediate action, this may hurt. Sorry").

TL;DR I'm a fan of Ready, aim, fire, not fire, ready, aim. If it can't be done that way, fine, but no data says that this was the case here.


Sorry, I thought I had written a longer comment but got distracted, so that came out sharper than I meant.

I agree. Notice is good. But all sorts of pressures interfere with notice, like embargoes, multiple stakeholders, threat intelligence, IR and active exploitation, and so on.

The important thing is to close the vulnerability. Everything else is distantly secondary.

Also, and respectfully: it is not so much Mozilla's job to know the maintenance status of Google Javascript libraries so much as it is Google's responsibility not to ship Javascript code (or extensions) that make Mozilla insecure.