2 thoughts on “We can be good even where we’re not perfect”

  1. While it’s certainly great that the vulnerability was addressed that quickly, I think knocking “Patch Tuesday” in the same breath is unfair. A later post of yours does not put the two ideas together, but the entire reason Microsoft went from ‘patching whenever an issue arose’ to ‘patching on the second Tuesday of the month’ was to offer consistency to sysadmins the world over. If you’re responsible for thousands of computers, and need to *test* the patches before deploying them to workstations, you need to work on a schedule. I may not love everything Microsoft does, but this was a very good one. Picture all that user rage about frequent Fx updates, and channel that to dozens of MS security updates a year. Microsoft does still do ‘out of band’ updates when vulnerabilities are severe, and seems to have a roughly 5 day turnaround on that.

    Policy matters aside, that was indeed great work by RelEng. I’m just trying to highlight the sysadmin side of the equation, which I fear Mozilla ignores.

  2. Gerv, full agreement here. Kudos to everyone helping to react so speedily, from those who investigated, found and fixed the bug to release management, engineering and QA. We’ve come a long way in that regard.

    That said, while we already made some great efforts to reduce attack surface for as-yet-unknown vulnerabilities, I think that incident has taught us that we need to become even better there.