by ivegotnoaccount
1750 days ago
You don't expect it. But if they were to publicize the result of the inspection, promote it and, after the said inspection, start manufacturing plutonium safes, you probably would not be happy as a buyer. (I know plutonium is not a good choice for the comparison, as in the VPN case we don't know if what will replace the script will be secure or not, whereas plutonium is known to be unsafe, but the idea remains that changing something critical to safety after the audit is not nice to hear at all.)

That's fair, but also I don't know any companies in the industry that pay for a fine-toothed-comb audit like this one for every major/minor release because it's simply not practical. I don't think this report pretends or is intended to pretend that a one-time audit is representative of future code any more than a negative COVID test is representative of whether you have COVID two weeks later. But that's not an argument against disclosing that you came up negative on your last test a few days ago, because disclosure is still better than the opposite.
The way Mozilla is handling this is a textbook implementation of typical pretty-good transparency/disclosure practices. A post discussing the big issues, and the full report available publicly. I think it's a cynical take specifically because it's the least charitable take on someone following best practices.