Why we need Gecko updates

Ben Bucksch ben.bucksch at beonex.com
Wed Dec 9 08:43:30 UTC 2015


R Kent James wrote on 09.12.2015 02:46:
> I think that Postbox has basically just said that users don't care 
> that much about security updates, so neither do they. I don't think 
> that they do them, or at least if they do, only a few. Security updates 
> are like a religion at Mozilla, and yet the lack of pushback to 
> Postbox on this issue shows that users are not that concerned. Not 
> that we should drop our religion, just saying that if we want to be 
> open to all options, we should at least ask "Maybe security updates 
> are not as important as we think that they are?" BenB, I only said it as 
> the question, I am not implying that I know the answer.

I think that security updates are mandatory.

If you *know* that there are security holes, and you do know at the latest 
when Firefox published security advisories, and you don't fix them, you 
might be liable by law for all implications, and you might not be able 
to exclude that in any contract, because it might be considered willful 
negligence. The fact that you know that risk (or should have known) 
makes a big difference in law. Just as when you don't put fences in a 
place where you ought to, and somebody falls and dies, you're on the hook.

Law aside, at the very least, it's highly irresponsible to expose your 
users to that risk. Saying that users don't care when their most private 
data is open for grabs, and identity theft is easy, and hacking them is 
easy, is just closing your eyes.

Frankly, I can't believe you even put this up for discussion. That 
"users don't care about security" theory is so Y2K. Even Microsoft 
learned the hard way that it does matter, even if users are not aware of 
it. They turned the ship with WinXP SP2 in 2004, but too late. Nobody 
trusts them anymore.

Ben


