Security release needed

Gervase Markham gerv at mozilla.org
Mon Jan 3 13:27:04 UTC 2005


Developers,

Vladd has pointed out that security bug 272620 is now public knowledge, 
having been posted to Bugtraq before Christmas.
https://bugzilla.mozilla.org/show_bug.cgi?id=272620
So we need to do a security release. It's an XSS problem, so it's not as 
if attackers can drop the database, but we need to get moving.

2.16.8 is ready to go - there are two security patches to check in.
2.18.0 has the blocker list we all know about. See Jake's weblog.
2.19.2 could go at any time, really - it's just a development release.

I just posted the following idea in bug
https://bugzilla.mozilla.org/show_bug.cgi?id=108870
which is our last remaining major 2.18 blocker. Please let me know what 
you think.

<snip>

I understand the following things to be true:

- We need to do a security release ASAP (because of bug 272620)
- It would be good if that release was 2.18 final as well.
- This is the major remaining bug for 2.18 final.
- If you check this patch in on the tip, it'll break my patch for 73665,
   which would be annoying.

So here's what I suggest:

- You write and review a patch here for the 2.18 branch *only*, and
   check it in ASAP.
- We release 2.16.8, which has nothing to do with this patch
- We release 2.18 final, with this patch
- We release 2.19.2, without this patch
- We all breathe a sigh of relief
- Max and I try and get bug 73665 done before we branch for 2.20
- If we succeed, fine. If we fail, we revive this patch for the 2.20
   branch also, at that point.

This plan seems to me to be the quickest way to get 2.18 and the 
security releases out of the door. What do you think?

Gerv


