Domain: mozilla.com
Stories and comments across the archive that link to mozilla.com.
Comments · 1,093
-
Lagging? Well, that's one word for it
The Mozilla development team released Firefox 3.6, codenamed Namoroka, on 21 January 2010 after some anticipation; Firefox 3.5 was a step forward in features but two steps backward in performance. As a minor update, Namoroka was a chance to optimize the last release.
So, now that it's out, did it alleviate some of these problems? Well, let's find out by looking at what 3.6 offers over 3.5.
First and most visible is support for skins, called personas. Firefox developers have been tinkering with the XUL format and they cite its power. They also claim that it has been under-utilized, so personas were a "natural addition."
TraceMonkey received a performance boost, caching more bytecode in RAM using the new "Stored History Integration Table" system which dynamically stores each JavaScript routine as an object in memory in order to more quickly access it during execution.
Firefox's plugin system also received an overhaul, and now lets the user know when a plugin is incompatible. Mozilla also included support for full-screen Theora and WOFF, the Web Open Font File format, as well as additional but otherwise unspecified performance and security enhancements.
Overall, it's a nice list of bullet points for the bump from 3.5 to Nakamora, but the fact that performance wasn't a priority already points away from optimization and to new features. And the features are actually not new at all, but fixes for issues that should have been taken care of during the initial design stages or other numerous upgrades.
For instance, Firefox has been skinnable for years using XUL, and personas are just a hack to this system that allows the user to use bitmapped images as toolbar backgrounds. You are not mistaken if you just had a flashback to Internet Explorer 3.
These personas also slow the browser down, negating any advantage from the TraceMonkey JavaScript engine. One writer on the web even suggests that the TraceMonkey enhancements were done in anticipation of new-feature bloat. Talk about the tail wagging the fox!
Plugin incompatibility usually occurs when a plugin was written for an older version of the plugin system, which demands a question about the wisdom of upgrading the plugin system for Nakamoru in the first place. But that's just how Firefox developers roll.
Now, if you're running an incompatible plugin, Firefox alerts you at startup and launches the plugin manager, a JavaScript-based app that contacts Firefox's plugin server and swaps all kinds of metadata in a frantic attempt to update your third party add-ons.
Several of the changes are plainly just developmental masturbation. For example, Theora is the least-used web video codec, with the penetration that the newer QuickTime X has. And WOFF is an open standard that Mozilla wants to support for political reasons that isn't actually in use anywhere.
So what exactly are Mozilla development managers doing?
If a private company with an opaque development model like Apple can apply the brakes and optimize an entire operating system, à la Leopard to Snow Leopard, why can't a public, transparent development team be bothered to do the same for something much less complex like a web browser?
-
Re:I'm not really worried
However I don't see, how can a webserver know what fonts are installed
A website can even know what sites you visited through sleazy css sniffing. Fortunately browsers are catching up... http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-leak/
-
Re:End of Firefox?
A hell of a lot of people have computers and devices that are already equipped to play H.264. Very few people have computers and devices equipped to play Theora.
Apparently over 615 million computers are equipped to play Theora:
http://www.mozilla.com/en-US/firefox/stats/
I doubt all of those computers are owned by a very few people. I'd suggest that many, many millions of people have computers equipped to play Theora.
-
Re:Skyhook competitor
Now that Google has all that StreetView WiFi data, maybe they can put together a free WiFi geo-location service
Like this?
-
Re:Got that right.
> To be fair, I run the chrome nightly build (available as a ubuntu package).
Ah. Well, ok. Comparing apples to oranges...
;)
> Do you know of any data showing how many extensions the average user uses?
Depends on how you define "average user". http://blog.mozilla.com/addons/2009/08/11/how-many-firefox-users-use-add-ons/ says that somewhere between 33% and 53% of users had at least one extension installed. So the average user uses 0-1, is my guess.
-
Slashdot, please update your Firefox logo
The Firefox logo that Slashdot uses for Firefox-related stories is severely out of date. Slashdot is still using the very first logo from ancient times, whereas Firefox has gone through two branding updates since then, the most recent one with Firefox 3.5. Here is the new logo.
-
Firefox is the most unstable program in common use
"GP's point is that there are real performance gains that they could be making..."
Firefox is the most unstable program in common use. Every recent update has included fixes for instability, and there are many more sources of instability. THAT'S the performance gain needed most.
Somehow Firefox interacts with Windows XP with Service Pack 3 in such a way that it crashes Windows. Anyone fixing the Firefox instabilities will have bragging rights, and maybe job offers, because they will also discover the cause of the instability in Windows.
In contrast, I have never known Firefox instabilities to crash Linux. Linux just throws Firefox out of memory.
The instability in Firefox occurs especially when many windows and tabs are open, and Windows XP is hibernated or put in standby several times. Normally only people who do a lot of research have many windows and tabs open. However, the instabilities are indications of coding errors that need to be corrected. Also, those who do research should be served, also, and not just because they may be vocal and influential.
I haven't tested Firefox with Windows 7 yet, but will do that in the next month.
Another valuable performance fix would be to allow multiple instances of Firefox, so that a crash in one instance does not affect the others. Google's Chrome is designed that way.
Please don't give excuses. Crashes need to be fixed. Much of the reason for the popularity of Firefox is the availability of extensions. Logically, Mozilla cannot simultaneously recommend extensions that crash Firefox and blame the extensions for crashing Firefox.
Firefox crashes.
Crash Statistics.
Crash Reporting.
-
Re:"the faster it will seem" ?
In its last several releases, everyone's favorite Open Source browser has become an unstable mess of add-ons, plugins, and other hacks that chew up memory like a fat kid with a chocolate-dipped corn dog. In fact, just last week, SecurityFocus released news of a devastating exploit in Firefox 3.5.5 that they blame squarely on its unstable architecture.
From its infancy Firefox has been the product of collaborative effort, unifying code from hackers worldwide. But thanks to the Hayes Law, we see that there is a "sweet spot" to such a development style, and that Firefox has long since left it behind. In the chart below, we can see that the number of Firefox developers has increased exponentially since 2002, and that number will more than double in 2010.
But it's time to be honest: either Firefox, as a modern web browser, will have killer performance on 64-bit, multicore Intel chips or it's not worth downloading and installing. And since, as we have seen in the recent past, that Firefox is actually getting slower with each release, Firefox is certainly a waste of time for anyone who takes their web browsing seriously.
The Hayes Law states that, given a specific type of software project, there is a certain complexity associated with it, and with that complexity an optimal number of developers. It's actually a little more complicated than that, taking into account development model, coding platform, programming language, and code repository platform, but in the end it's easy to plug in the numbers and see where a project's headed.
Against the Hayes Law, Firefox appears to have jumped the shark sometime after the Firefox 2.0 in 2006. The next major release, Firefox 3.0 in 2008, introduced many issues users today complain about: bloat, sloth, instability, and insatiable hunger for memory. Firefox user complaints increased in tandem, all syncing up with the jump in developers. Ergo Firefox's problem: too many cocks in the kitchen.
To further underline this growing problem, Firefox completely falls down in Acid3: Firefox 3.5 scores 93/100, and Firefox 3.6 scores only 87/100. Needless to say, Firefox 4.0 mockups score 0/100. Sadly, this is a continuation of a trend: Firefox took the longest of all browsers to beat Acid2. And don't even think about Acid4. Firefox is collapsing under its own weight.
The core of this problem looms: the number of developers, as seen in the chart above, will only continue to skyrocket for Firefox 3.6 and beyond. By the time Firefox 4.0 is released, sometime in December 2010, the number of developers will be nearly 4,000, almost a full magnitude greater than the optimal 445 or so in 2006. Clearly, Firefox is about to capsize.
So what is to be done? Users can petition the Mozilla Corporation and the Mozilla Foundation to rethink their development model, focus on optimization instead of new features, and perhaps backpedaling on some of the less sensible projects like Mozilla Mobile and the non-standard XUL interface. Concerned individuals should log into Mozill
-
Re:Got that right.
Curious. What version of Firefox? And on which OS?
You may be interested in http://blog.mozilla.com/tglek/2010/01/19/chromium-vs-minefield-cold-startup-performance-comparison/
-
Re:Sounds like speed holes
The Mozilla development team released Firefox 3.6, codenamed Namoroka, on 21 January 2010 after some anticipation; Firefox 3.5 was a step forward in features but two steps backward in performance. As a minor update, Namoroka was a chance to optimize the last release.
So, now that it's out, did it alleviate some of these problems? Well, let's find out by looking at what 3.6 offers over 3.5.
First and most visible is support for skins, called personas. Firefox developers have been tinkering with the XUL format and they cite its power. They also claim that it has been under-utilized, so personas were a "natural addition."
TraceMonkey received a performance boost, caching more bytecode in RAM using the new "Stored History Integration Table" system which dynamically stores each JavaScript routine as an object in memory in order to more quickly access it during execution.
Firefox's plugin system also received an overhaul, and now lets the user know when a plugin is incompatible. Mozilla also included support for full-screen Theora and WOFF, the Web Open Font File format, as well as additional but otherwise unspecified performance and security enhancements.
Overall, it's a nice list of bullet points for the bump from 3.5 to Nakamora, but the fact that performance wasn't a priority already points away from optimization and to new features. And the features are actually not new at all, but fixes for issues that should have been taken care of during the initial design stages or other numerous upgrades.
For instance, Firefox has been skinnable for years using XUL, and personas are just a hack to this system that allows the user to use bitmapped images as toolbar backgrounds. You are not mistaken if you just had a flashback to Internet Explorer 3.
These personas also slow the browser down, negating any advantage from the TraceMonkey JavaScript engine. One writer on the web even suggests that the TraceMonkey enhancements were done in anticipation of new-feature bloat. Talk about the tail wagging the fox!
Plugin incompatibility usually occurs when a plugin was written for an older version of the plugin system, which demands a question about the wisdom of upgrading the plugin system for Nakamoru in the first place. But that's just how Firefox developers roll.
Now, if you're running an incompatible plugin, Firefox alerts you at startup and launches the plugin manager, a JavaScript-based app that contacts Firefox's plugin server and swaps all kinds of metadata in a frantic attempt to update your third party add-ons.
Several of the changes are plainly just developmental masturbation. For example, Theora is the least-used web video codec, with the penetration that the newer QuickTime X has. And WOFF is an open standard that Mozilla wants to support for political reasons that isn't actually in use anywhere.
So what exactly are Mozilla development managers doing?
If a private company with an opaque development model like Apple can apply the brakes and optimize an entire operating system, à la Leopard to Snow Leopard, why can't a public, transparent development team be bothered to do the same for something much less complex like a web
-
Re:Retarded
I am often away from my computer for weeks at a time, digging at archaeology sites, before I return to clean, sort, and catalog my finds. And every time I launch my browser of choice, I have to sit through yet another Firefox update.
Sometimes it's a major update, like Firefox 3.6 for instance, but more often than not, too often, it's some stupid little tertiary update that requires Firefox to download, quit, root around on the hard drive, and restart with a whole damn brand-new binary. Why?!
Just once I'd like to sit down, boot up, and get to work instead of wading through this slow, irritating process that the Mozilla developers subject me to.
I've become envious of my friends who run Safari, Apple's home-grown browser, which is updated less frequently. If they want more frequent updates, they download and install WebKit, but can otherwise continue on day after day without interruption in Safari.
I like this model, as it lets busy people like me get more work done, so I am thinking of purchasing a Mac. Really, anything to get me away from the time-wasting wreck of a browser that Firefox has become is a good idea.
The Firefox model crashes and burns its users. Literally, too, when you think about all of its other addling bugs and design flaws that crash the browser and burn countless CPU cycles.
So until I can see the web in a whole new way with Safari on a new Mac, it'll be another day, another Firefox update.
Thanks a lot for nothing, Mozilla.
-
Re:No it's not
Really?
It's not about things like this?
Read the comments. See how many people are ditching Firefox because of flash? I know people in my office that switched TO IE. Who the hell switches to IE unless they're really upset?
Read a little lower and you find the real culprit: https://bugzilla.mozilla.org/show_bug.cgi?id=558055
Which is solved by removing flash. I did. No more FF crashes.
-
Re:Tell Your Wireless ...
You forgot to add that this needs either Chrome, or Google Gears.
No, stock firefox supports it.
-
Re:Give it up, Mozilla :)
(as an aside, they also *massively* overestimate the impact they can have on the web, hilariously of the belief that Firefox making a stand will somehow stem the tide of H.264 video on the web... it'd be funny if it weren't so sad)
I think you massively underestimate the impact Mozilla had and continues to have on the web. You should look at browser user agent strings sometime. IE, Safari, and Chrome and Opera all claim to be Mozilla implementations.
Ultimately, you're on the losing end of this debate. Open video is where it's at. Google is the biggest video provider on the Internet and Google is all about the open web. In this regard, Mozilla and Google are in perfect alignment:
http://google-opensource.blogspot.com/2010/04/interesting-times-for-video-on-web.html
http://googleblog.blogspot.com/2009/12/meaning-of-open.html
http://www.mercurynews.com/business-headlines/ci_14847976
http://www.0xdeadbeef.com/weblog/2010/01/html5-video-and-h-264-what-history-tells-us-and-why-were-standing-with-the-web/
This is how important Internet companies like Mozilla and like Google think. This is why YouTube will move to open video sooner rather than later. Join the 389 million people who have downloaded Firefox 3.6 so far:
http://www.mozilla.com/en-US/firefox/firefox.html
Use open video and be happy.
-
Re:This is all fine and dandy,
Firefox has the ability to set up different profiles. The different profiles can be started from a shortcut icon (each different if you want) with a command line switch.
What you are asking for is exactly what I use different profiles for. One profile for my girlfriend who doesn't like noscript and flashblock (I know, right?), and one for myself with many more plugins and user agents.
Granted, they can't run concurrently but it's a fair approximation of what you're looking for.
-
Re:Electrolysis ETA?
I think it's coming in phases. Isn't the next version of Firefox supposed to isolate plugins in their own processes?
It is indeed, in fact I'm writing this post on the beta version.
-
Re:Not really so
In contrast I can still use my old Win98 laptop and run the latest browsers.
The latest version of Firefox does not run on '98
http://www.mozilla.com/en-US/firefox/system-requirements.html
The latest version of IE does not run on '98
http://www.microsoft.com/windows/internet-explorer/support/system-requirements.aspx
The latest version of Opera does not run on '98
http://www.opera.com/support/kb/view/386/
-
Re:Not Correct
There is a big difference. IE8 checks URLs against Microsoft's phishing database as you visit them, telling Microsoft which sites you visit in the process.
Firefox periodically downloads a file of known phishing sites and searches it locally.
Source
-
Re:Better links here:
Why not just go all the way and get a real OS?
And ceiling cat sayed: "Let there b lulz", n there wuz.
Or even chrome
-
Better links here:
-
Re:Good thing
In addition, you can also use the Plugin Check to make sure you have the most recent versions of plugins to decrease the risk of attack. And don't forget to turn on DEP for all programs and services on Windows.
-
Re:Free software in action
Sorry to the rest for feeding a troll, but let's have some facts:
A month ago from today, mozilla didn't have any info on the vulnerability:
http://blog.mozilla.com/security/2010/02/22/secunia-advisory-sa38608/
neither did secunia:
http://blog.psi2.de/en/2010/02/20/going-commercial-with-firefox-vulnerabilities/comment-page-1/#comment-666
“This particular report is a bit special because of the lack of information available. Normally, we do not write about vulnerabilities unless certain details are available and / or we can test it. () and previous vulnerabilities reported by this company / person has proved to be reliable.
Mozilla posted was contacted by Evgeny Legerov on the 18th:
http://blog.mozilla.com/security/2010/03/18/update-on-secunia-advisory-sa38608/
So the response time is well under a month. now compare that to the time it took Microsoft to release the patch for the Aurora exploit:
http://www.wired.co.uk/news/archive/2010-01/22/microsoft-learned-of-ie-zero-day-flaw-last-september.aspx http://www.computerworld.com/s/article/print/9147058/Microsoft_patches_IE_admits_it_knew_of_bug_last_August?taxonomyName=Security&taxonomyId=17
From this evidence I can not come to the conclusion that slashdot is reacting fanboyishly when criticizing microsoft on security. Quite the opposite. I can however say that you're quick at defending microsoft without investigating the whole story, much like what you criticize slashdot readers of doing. I don't know, but in my book that is a fanboyish reaction on your behalf. =]
-
Re:Beta/Nightly
Or just stay with the 3.5.x series. Problem is, I don't see where they even link to it on their website. Even the 3.5.8 release notes page seems to link to 3.6 for downloads...
-
Older versions have unpatched vulnerabilities?
The article says:
It is only the current version that is affected, but given that prior releases have different vulnerabilities, reverting to an older version of the browser is ill-advised.
However, the older releases page states that 3.5 will receive security updates until August 2010.
So, since 3.5 was not affected by this specific vulnerability, what vulnerabilities are unpatched in the current 3.5 release (3.5.8)?
If the Beeb or the German government knows something Firefox doesn't know, maybe they should tell us so that people still using/shipping (in the case of most linux distros) 3.5 can upgrade to 3.6? Or, if they *don't* know better, maybe they should stick to fact and not conjecture
...
-
To add some information to the void..
The vulnerability *only* affects the current 3.6 branch. Patch is complete and will be pushed on the 30th of March.
Here is the Mozilla blog entry on the topic:
http://blog.mozilla.com/security/2010/03/18/update-on-secunia-advisory-sa38608
Here is the original bug report:
http://secunia.com/advisories/38608
Ps: can we please get security related articles with some content instead of *OMG, we are all going to die!!* ??
-
A release that has just happened, in fact...
Firefox 3.6.2 was released earlier tonight: http://www.mozilla.com/en-US/firefox/3.6.2/releasenotes/
-
0% drop !?
1% drop? That's all?
Nope, it's not even a 1% drop. It's a 0% drop in marketshare, on Windows machines. MSIE still is getting on 100% of Windows machines sold in Europe (or elsewhere) despite the 'browser ballot'. Yep, that's 100%. Even though the antitrust complaint found that Microsoft was hurting Europe by using its monopoly on desktop OEMs and illegal tying to establish and maintain a monopoly on web browsers the remedy does not include addressing the original complaint.
The browser 'ballot' does not make any kind of remedy, not even a little, involving removal of MSIE from the desktop monopoly. MSIE is still bundled on Windows, even if you install Chromium, Firefox or one of the other extras. So, if you are a big enough asshole to still run Windows, your choices go like this
The illegal tying is still happening, and each and every instance of MS Windows makes the problem worse. Firefox ran a campaign a few years ago, "take back the web". To do that, MSIE has to go. To get rid of MSIE, Windows has to go. Germany, France and others have advocated dropping the problem. If every country made a push to get Windows off their networks, both public and private, billions would be saved each quarter by avoiding the malware that is part and parcel of the Windows experience.
-
Re:Someone enlighten me
First of all I think you need a timeline to help you understand how this vulnerability was handled:
Feb 1st, 2010: VulnDisco is updated with a zero day exploit for Firefox 3.6. No details on how the exploit works are provided. The exploit is only available in binary form when you buy a copy of VulnDisco. Some people buy VulnDisco and have difficulty in making the exploit work. https://forum.immunityinc.com/board/thread/1161/vulndisco-9-0/
March 16th, 2010: First 3.6.2 nightly builds that contain a fix are made available: https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.2-candidates/build3/
March 18th, 2010: Mozilla announces that the original discoverer of the problem provided them sufficient details to find and fix the vulnerability. They also link to the nightlies linked to above on the March 16th entry. http://blog.mozilla.com/security/2010/03/18/update-on-secunia-advisory-sa38608/
March 30th, 2010: Scheduled release date.
Assuming that they got the details on the 16th and actually came up with the fix the same day (which is probable), that's a 2 week turnaround. Given that there have been no further nightlies posted for 3.6.2 since the March 16th it seems pretty clear they're in the release stages of getting 3.6.2 out of the door.
I'm not really sure how you expect them to get it out sooner. The largest delay here is them getting the information they needed to fix it. Which accounted for a month and a half worth of time.
Should they work at reducing the lag between having the fix done and putting out releases? Yes, and based on my interview there several years ago they were committed to doing just that. But there's still an awful lot of work that has to go into actually doing those releases. They don't just magically appear.
-
Re:HTML5 Video
What I'm more worried about is that I cannot watch Wikipedia videos with any other device than my PC. Want to see a video clip of a place you're traveling on your phone? Not possible. Want to see videos from Wikipedia with your PS3/360? Not possible. It will create some serious problems, and I don't think Wikipedia is big enough to push the change alone.
In general I find the "must have hardware support now" argument a bit short sighted. By that reasoning there would never be any change in video codecs. In any case, the PS3 and 360 even combined represent a very small percentage of internet connected devices. And the 360's larger problem is not having a web browser so Wikipedia video would be streamed from your PC anyway and if needs must you can transcode on the fly.
As mobile phones go, my Nokia N900 plays Theora. It also runs Firefox. Fennec is on Maemo 5 (the N900's OS) and will soon be available for Android, Windows Mobile, and future MeeGo devices. Millions of devices in the field already have the capability to play Ogg Theora and it will only become more trivial to do so with Firefox releases for those platforms.
-
Re:Firefox not playing h264 is a political decisio
but they're choosing not to implement it for strictly ideological reasons.
Yes.
Hell, did you even read the description of the addon?
Guess what, I'm using it.
lose all the integrated DOM support, video overlays, and all the other crap that makes the video element superior to straight object embedding.
And the sites using those features are... http://people.mozilla.com/~prouget/demos/round/index.xhtml ? As far as non-Windows users are concerned, the most painful problem is Flash being crap for video playback, and the fix for that is one add-on or greasemonkey script away.
Please, that's garbage. The battle is lost.
The battle may be lost, but that doesn't change a thing. No, garbage is saying the war is over, and then crying foul when someone else has the balls to take a stand.
-
Re:Nonsense and nonsense.
The latest studies seem to say that Ogg Theora is "more than good enough" for web video. See: http://hacks.stage.mozilla.com/2009/06/open-video-codecs-and-quality/ http://www.freesoftwaremagazine.com/columns/firefogg_transcoding_videos_open_web_standards_mozilla_firefox
-
Completely unfair comparison
It’s like comparing your 10th generation of a sports car, that got optimized for decades, against a brand-new experimental car.
Of course the old one will win! But that says nothing about how it will be, when the new one got the same amount of optimization.
But what is important, is that the new car offers so many new freedoms, that it’s worth it, even if it were much slower.
In this case, the seamless embedding of videos, and the native playback alone, are two killer points that you can never ever achieve with Flash. Or can Flash do this: http://people.mozilla.com/~prouget/demos/
-
Re:The IE elephant in the room
All it takes is a little JS browser detection and this:
Please Upgrade to Firefox
-
Re:Problem still remains
I agree but defining or limiting it to one codec is a fail.
Web browsers support a variety of open image formats. There's no particular reason why they can't support a variety of open video formats. Theora is ready for use now, Dirac will be ready in the future. If Google releases VP8 as an open format (as many expect they will) then at some point there will be at least three open video formats to choose from.
Theora I doubt will ever get hardware support. I could be wrong but I don't see it. Google's codec could if they created their own chip and made it part of Android but odds are they will not do that because they will have to support it on YouTube or look like fools if they don't. YouTube has already spent how much money supporting H.264 for the iPhone?
Accelerated playback of Theora is already available:
http://www.schleef.org/blog/2009/11/11/theora-on-ti-c64x-dsp-and-omap3/
Millions of devices already have the capability to accelerate Theora playback. They just need the software. Fennec (Firefox for mobile) supports Theora playback on the Nokia N810 and N900:
http://www.mozilla.com/en-US/mobile/
And Fennec is coming to Android:
Mozilla will happily support VP8 in Firefox if Google releases it as an open format.
Then you have Microsoft. They have not said they will support the video tag at all! My guess is that they fantasize that SilverLight will be the new standard.
IE is always a problem. Fortunately you can work around it with Cortado, a Java based Theora player:
http://www.theora.org/cortado/
Or with a Silverlight based Theora player:
Neither is ideal, but for the time being it's the best you can do in IE. I think IE will support HTML5 video eventually. It's more a question of "when" than "if".
-
Re:Or more likely
Oh, you want to add insult to injury? The newest Adobe updates includes crapware! That's right, it will install "Norton Security Scan" which will then bug the piss out of your users to buy it if you don't warn them ahead of time to uncheck the box. Fun huh? But if you are using Firefox an easy way to check is to go here but I agree it is a PITA that it doesn't autoupdate. Of course now that they are bundling crapware I'm not so sure I would trust them to update by themselves anyway.
But I couldn't disagree more about Patch Tuesday. When I was working on large deployments patch Tuesday was a Godsend, as it gave me time to test before rolling out to the main PCs. The last thing you would want in a large enterprise environment is patches being released every other day. You would spend all your time fighting fires unless you deployed a WSUS and refused to allow the machines to update without permission. The only thing I would do differently is allow the option of signing up for patches as they are finished, but that would probably cause more exploits as script kiddies hacked the patches and put out exploits ahead of patch Tuesday. As long as MSFT keeps putting out KB articles with workarounds for problems before patch Tuesday I'm okay with it.
-
Re:HTML5 is not an adequate response
Sure. HTML combined with CSS and Javascript / AJAX will do 80-90% of what Flash is used for.
No. XHTML5+CSS3+JS2+AJAX+DOM3+SVG+Video/Audio will not only do 100% of what Flash does. It will do more. Like being able to seamlessly embed everything that Flash does with the rest of the page.
And there is no reason why JavaScript can’t be as fast or faster than ActionScript. After all it’s pretty much the same language.
Here are some examples: http://people.mozilla.com/~prouget/demos/ (Try the movement tracker.)
-
Adobe is a security nightmare
(Note: Trying not to slashvertise, just sharing some info about a program that's helped me stay secure. I have no affiliation with Secunia, I just like the tool a lot.)
I scan with Secunia's (a Danish computer security company) freeware tool to check if I have insecure applications.
3 times out of 4, when something has a category 4 or category 5 exploit (e.g. click2own), it's Adobe Flash Player, Shockwave, AIR, Reader/Acrobat, etc.
It's also interesting because it tells you if your browsers are insecure (due to plugins or the browser itself). Both IE8 and Chrome are insecure in current versions with all patches.
It was pretty eye opening for me, because I thought that I kept secure, but I had 20 insecure applications when I first got the scanner. I'm always skeptical about getting stuff for free, but I imagine that Secunia uses the data to improve the accuracy of their business software.
To return to the story topic... when possible, use Adobe alternatives (e.g. Sumatra instead of Adobe Reader) and check your flash player and shockwave player versions at least once a week.
Firefox Users can use Mozilla's plugin check.
One more thing in my diatribe... recent versions of the Shockwave Player don't update correctly. I installed the latest version to fix a couple critical vulnerabilities only to find out that it wouldn't remove the vulnerable files from my system directory. I had to download the Shockwave uninstaller, reboot my PC, reinstall shockwave, and reboot again. I felt like I was back on Windows 9x again.
-
Re:The chart is mis-labeled
Will modern web browsers run on Win2k?
-
Re:Monkeyboy needs to go
Did IE really lock that many people into Windows? ActiveX was only really used in the wild for Intranet deployments, and in that case IE is used more as a distributed application client than a web browser, so the same lock-in could have been achieved by bundling an unlimited client license to IE with the BackOffice or NT Server.
Ask the people in South Korea that. It's basically impossible to do online banking without IE. http://blog.mozilla.com/gen/2008/09/29/987-internet-explorer-in-south-korea/
-
Re:See, this is why I come here
...and only with programs that they want you to use...
Wait, what?! How do you people not get modded down for this blatant misinformation? There are absolutely no restrictions on what applications you can run on OSX, as evidenced by the vast selection of free and open source software available for it, much of it competing directly with apple products.
-
Re:Adobe Flash will die
Your fallacy is, that you forget the following:
Web developers LOOOOVE the power of XHTML5*+SVG+CSS3+JS2+Video. Believe me: Every web developer out there is nagging every decider out there as often as he can, so he can create a cool high-tech site with vector graphics and hypertext embedded in each other, intelligent application-like interfaces and native video.
This site alone makes half the web developers I know cum on the spot: http://people.mozilla.com/~prouget/demos/ (Try the movement tracker. Notice that this is JavaScript!!)
(* A real professional would never use HTML5 without the X. It’s for amateurs and spaghetti coders, and preferably combined with PHP. ^^)
-
Re:Was pointing towards something like a CRL.
No, they can't...at least not if you do the extra leg work necessary to check the certificate yourself. Adding their CA cert to the browser only gives them the ability to generate certificates that are accepted based on that CA cert. You can still view the certificate information to see which CA cert originated the certificate being used to secure your session.
Try it yourself. Go to https://addons.mozilla.com/ and examine the cert. You'll see that it was issued by Verisign. Any certificate issued by CNNIC would show up as being issued by CNNIC. If you verify that the certificate that secures the session used to pull the extension originated from a historically-trusted CA rather than this new, suspect, CA, you can be sure that the Chinese government has not used the inclusion of the CNNIC CA certificate to perform a MitM attack on that session.
-
Re:Probably true, even.
The majority of exploits nowadays attack plugins. Firefox is just as vulnerable to PDF exploits as IE is.
That most attacks come through plugins is exactly why Firefox is better than IE
-
Re:Nokia N810?
You can get it here: http://www.mozilla.com/en-US/m/
-
Firefox 3.6 works just fine with windows 2000
-
Everyone should do this
Seriously, it might sound really "anti-Microsoft" or being pathetic, but everyone should really either be blacklisting or reducing the available functionality of websites to users still browsing with MSIE 6.0
Reducing functionality and putting up a message to let users know that they need to upgrade, would be the best decision.
After all, it's not as if there aren't any alternatives available...