caillon.blog

Never Say Never

Ben claims browsers that are redistributions of the official Mozilla releases are never going to give you security updates as quickly as Mozilla will itself for its supported products.

I'd like to note that if this is true, it is because mozilla.org isn't playing by the same rules that other open source projects play by. Other projects make sure that the vendors know of a security vulnerability, supply the patch and new tarball (if applicable, which it is in mozilla.org's case), give a brief period of time for the vendors to catch up, and then do a synchronous release with them at a planned time. This is entirely possible to do; we have done it before. I would like to note that I am grateful toward Neel Mehta of ISS X-Force for enforcing this policy for MFSA2005-30. I was able to release patched versions for RHEL[234] within 20 minutes of the official release (builds were done previously, we were doing QA on them, etc.), Fedora[23] within two hours, and rawhide shortly thereafter (though it only gets updated in the mornings). For the record, a 24-hour turnaround is considered excellent. This keeps everyone happy: the user, because they have a secure product; the distributor, because they have happy customers; and the vendor, because they have both happy users (indirectly -- it still displays their branding) and happy distributors.

Maybe one of these days, we can do that again.

Update 20050522 19:25:24 -0500: the slashdot article is misleading.