Slashdot Mirror

"Sorry, no plans. Due to its Java-based operating system and the inability to build native components, Firefox is not compatible on the Blackberry OS."

"We do not have plans to build an iPhone browser due to constraints with the OS environment and distribution. "
https://wiki.mozilla.org/Mobile/Platforms

Firefox 3.0 doesn't support HTML5 either, but they've included that in the test, and it performs a lot better than IE8.

Firefox has supported <canvas> since 1.5, so it was perfectly fair to include 3.0.

"...when Google goes ahead, tracks your every move, "

https://addons.mozilla.org/en-US/firefox/addon/3173

User Agent Switcher: https://addons.mozilla.org/en-US/firefox/addon/59

Another thing people usually forget about when clearing cookies is that Flash has cookies too and they don't clear along. When have you last time cleared them? Probably never. You can use BleachBit" [sourceforge.net] to clear those along with other software, history and temp data.

Better yet, use the BetterPrivacy Firefox add-on.

CustomizeGoogle is no longer updated, and thus no longer works completely with newer versions of Firefox.

OptimizeGoogle took up where it left off. https://addons.mozilla.org/en-US/firefox/addon/52498

https://addons.mozilla.org/en-US/firefox/addon/6581

It already exists.

https://addons.mozilla.org/en-US/firefox/addon/6581

too late, they beat you to it.

No techie I know installs any toolbar in IE or Firefox.

Does this not count as a toolbar? Because while admittedly I work in the web, almost all the developers I know use it.

That is the only one though, and I'd certainly never install any other that didn't have a clear benefit - and alerting me to new emails isn't a benefit.

While I do agree with most of what you said and 99.9% of toolbars are nothing but useless spyware, there are a few actual useful ones. Just because so many companies have built useless toolbars doesn't mean that there can't be a legitimately useful one amoung the clutter. The Web Developer toolbar is a favorite I usually have installed in firefox as it has a lot of useful tools/shortcuts. Then again I also usually even disable the bookmarks toolbar as the dropdown menu works quite well and i don't like giving up screen space.

Also, a lot of those users with 4-6 toolbars usually manage to hide at least a few of them in the browser window without uninstalling them. Pulling up add-remove programs while removing something else and seeing a list of toolbars is alway an unwelcome surprise. Especially when they need to be convinced that they really don't need all 6 toolbars...

If you have Firefox, use Googlebar Lite instead. It has all the same goodies without the corporasity.

Not quite. It was actually more like this:

• Mozilla: Hey, dudes, all you have to do is to ask "Can we use your trademarks on our modified distribution?. It'll totally won't be a problem for you guys, we're cool with you. Love your work!
• Debianz: Graaaaaaaaaaaaaah!
• Mozilla: Errr....?
• Debianz: RAAAAAAH GRAAARRRRRR! AAAARRGH! RRRAAAAAAAAAAAAAAARRRRR!

You know, just so we're clear.

I've switched to using

• http://ixquick.com

It's a meta search engine that focusses on privacy by not logging your IP address and your searches. On the technical side, it's nearly as good as the big name search engine I used previously.

Here's a plugin for GNU IceCat / IceWeasel / Firefox: Ixquick, or the https version (which I haven't tried, but I guess is the same to users).

One hiccup: their ads system uses Google ads. Maybe they've implemented this in an anonymous way. I hope they have, but either way, at least with ixquick there a hope of privacy, unlike Google.

I've switched to using

• http://ixquick.com

It's a meta search engine that focusses on privacy by not logging your IP address and your searches. On the technical side, it's nearly as good as the big name search engine I used previously.

Here's a plugin for GNU IceCat / IceWeasel / Firefox: Ixquick, or the https version (which I haven't tried, but I guess is the same to users).

One hiccup: their ads system uses Google ads. Maybe they've implemented this in an anonymous way. I hope they have, but either way, at least with ixquick there a hope of privacy, unlike Google.

I've switched to using

• http://ixquick.com

It's a meta search engine that focusses on privacy by not logging your IP address and your searches. On the technical side, it's nearly as good as the big name search engine I used previously.

Here's a plugin for GNU IceCat / IceWeasel / Firefox: Ixquick, or the https version (which I haven't tried, but I guess is the same to users).

I've switched to using

• http://ixquick.com

It's a meta search engine that focusses on privacy by not logging your IP address and your searches. On the technical side, it's nearly as good as the big name search engine I used previously.

Here's a plugin for GNU IceCat / IceWeasel / Firefox: Ixquick, or the https version (which I haven't tried, but I guess is the same to users).

For those who just need to switch between a proxy and direct connection - try QuickProxy, https://addons.mozilla.org/en-US/firefox/addon/1557

Even pure Javascript extensions aren't "secure". They can access all the usual XPCOM interfaces to do nasty things like overwrite all your files, and in later versions, they can use the Javascript foreign function interface to call any code C++ could.

It is essential to look at Javascript extensions as having the same security properties as native code ones.

However, plugins can be safer because their more clearly delineated NPAPI interface allows them to be run out of process, where in principle, they can be sandboxed.

It's certainly possible to create a Firefox extension (Addon) that uses native code. It's even possible to create a "fat xpi" (if you will) that will work across all supported architectures, though the build process is a little hairy.

Plugins also contain native code, but talk to Mozilla using a different API. In theory, this API works across multiple browsers.

Extensions can do everything plugins can, and a whole lot more. The only advantage a plugin has is a stable, cross-browser ABI.

Actually, if you compile it yourself, cant you turn off most of the bloat?

You or I could probably piece together an understanding of how to do that inside a working week or so via this list of fragmented documentation:
https://developer.mozilla.org/Special:Tags?tag=Build+documentation&language=en
but I don't think the rest of their intended audience of hundreds of millions of users should need to do that in order to use an efficient browser. (In the face of mobile phones and other light devices which provide fully capable browsers, pointing out that Firefox uses 200 MB less memory than any other browser is an indictment of both.)

I'd like to use a lited Gecko in a minimal skin, but not enough for me to want to spend the next 5+ years lobbying for it in their Bugzilla. (For reference, it took 10 years for the threaded document windows feature to get looked at, even though it was the standard everywhere else. Bug #40848.)

That's okay, the UI you hate is coming to Firefox. Whatever is hot right now must be better, right?

Except that Firefox is not licensed under the GPL

Sorry, but yes it is.

Core Mozilla project source code is licensed under a disjunctive tri-license giving you the choice of one of the three following sets of free software/open source licensing terms:

• Mozilla Public License, version 1.1 or later
• GNU General Public License, version 2.0 or later
• GNU Lesser General Public License, version 2.1 or later

This allows the use of our code in as wide a variety of software projects as possible, while still maintaining copyleft on code we wrote.

Except that Firefox is not licensed under the GPL

Sorry, but yes it is.

Core Mozilla project source code is licensed under a disjunctive tri-license giving you the choice of one of the three following sets of free software/open source licensing terms:

• Mozilla Public License, version 1.1 or later
• GNU General Public License, version 2.0 or later
• GNU Lesser General Public License, version 2.1 or later

This allows the use of our code in as wide a variety of software projects as possible, while still maintaining copyleft on code we wrote.

See https://bugzilla.mozilla.org/show_bug.cgi?id=422540 you might have to copy and paste the URL as mozilla doesn't like being linked from slashdot.

Mozilla is going to implement gstreamer backend for html5 video element. See Bug 422540.

Also, Opera developers are going the same way. See this blog post.

Using gstreamer as a backend will eliminate ALL the problems with codecs. Forever. It will be able to play just the same as a usual desktop players, and that means, it will be able to play Ogg Theora, H.264, DivX, whatever you like - it's only a matter of plugins installed.

How about this: with a commercial software vendor - heck, lets just use Microsoft - you have a vendor that has the funds and qualified staff to fix problems quickly; Seucrity and regular bugs alike. You likely have a support contract that requires this. Things are found and fixed quickly and reliably. There are people whos job it is to respond to email and answer the telephone. Heck, they will even fly out to your site if they need to. If you are in a moderately big city there is likely support people already there.

Ok, with Redhat someone can get the same thing, becuase they pay $800 a year for support.

Here is another way to look at it: you suspect you have a bug in some OSS software... .Lets say its a major one like Firefox. You send the security email alias a mail (there is no phone number). Its a good group of people, but hey, they are busy and you dont have any kind of business relationship with them. No money changed hands, you have no support contract. They are under no obligationto help you at all - the license agreemetn even says so. You downloaded Firefox for free remember? You are dependant upon their largese and good repuation (and with Mozial, it is good).

So you hope they can get around to it - they have some people you can exchange email with, and a bug you can watch. Thats groovy, but there are no solid expectations? They fix bugs and are generally reliable about getting patches out. They have a schedule and everything, but are not under any obligation to do so for you in particular. They are good honest folks so Im sure they will get to it sooner or later.

Like I just mentioned to X0563511, I dont by the argument that "its open so anybody can look at it and fix bugs". Thats just bogus. Yes, of course its open. I saw a hilariously appropriate post on Slashdot a while back (paraphrasing):

The ratio of people that comment on security problems to the people actualy qualifed to fix them is about 1000000:1.

Its a myth that for any given open source project there are legions of devleopers with the skills, knowledge and expertise to correctly fix complex security bugs and issue a patch as you say "fixed tomorrow". Its not even a good myth. The Myth Busters wont be interested.

All the major OSS projects have teams that own the code - just like Microsoft. They dont let just anybody fix bugs - let alone security bugs. The have bug triage and code review processes - just like Microsoft. They also have test, QA and releases processes too. Note there is at least one guy thinks security bugs in OSS code can be fixed with no QA (read this golden post...) and no, hes not being subtly humorous, just naive.

All major OSS projects have a vetting and qualification process just like we do. For example, I can fix security bugs in code I own, but not in the Windows kernel. Even for changes in my code I get a seucrity dude to do a code review.

Ill ask you this - how many security code reviews on other peoples code have you done? How many bugs have been fixed as a result? How many did you fix? Can you link to the bugs and change lists in a repository somwhere?

Fixing security bugs is hard - harder than regular bugs and those can be hard. You really think that just any old developer can just dive right in and triage and fix security bugs? Really? Do you think the owning teams would let you? If so, then go read some of polices of major OSS projects, like the Mozilla pages here. "Virtually anyone" is most certainly not allowed to just dive in and fix security bugs in Firefox - hey wont let you unless you are qualifed and vetted.

So look, I really do love open source software. The fact that it is open

Im not on the IE team so I cant speak to specifics. But here is what I know. Finding and fixing security bugs is the highest priority on every developers plate. When we learn about one in code we own things stop, we triage it, and we come up with a plan to fix it.

Often that plan is executed pretty quickly (sometimes even days...). Other times it takes longer. The reason is that almost none of these issues are easy to fix. Many of them must be done carefully so as not to break things or cause other security bugs. There is also some pretty extensive regression testing and review involved before we ship a fix.

Note, this isnt any different from Linux, Apache, Firefox or other widely used FOSS software. Even Linux has latent bugs that have been there a long time and only recently fixed. Here is one. The maintainers of these products are diligent, responsible and work hard to fix security bugs - just like Microsoft teams.

Did you actually look at the Microsoft Security Bulletin Page? Its really easy to find. We go to great lengths to get these out. You can get them on an RSS feed, via instant messaging, texts to your cell phone, and via email. What more do you want?

Did you read the page on how we monitor and manage vulnerabilities? Mmm... seems pretty professional to me.

Note that Mozilla guys dont publicize every security bug either. On their very professional security policy page they say this (excerpted, read the page for the full context...):

Full information about security bugs will be restricted to a known group of people, using the Bugzilla access control restrictions described above. However that group can and will be expanded as necessary and appropriate.

As noted above, information about security bugs can be held confidential for some period of time; there is no pre-determined limit on how long that time period might be. However this is offset by the fact that the person reporting a bug has visibility into the activities (if any) being taken to address the bug, and has the power to open the bug report for public scrutiny.

... The Mozilla security bug group will have a private mailing list, security-group@mozilla.org, to which everyone in the security bug group will be subscribed. ...

he security module owner, peers, and other members of the Mozilla security bug group will not be asked to sign formal nondisclosure agreements or other legal paperwork. However we do expect members of the group

... not to disclose security bug information to others who are not members of the Mozilla security bug group or are not otherwise involved in resolving the bug, except that if a member of the Mozilla security bug group is employed by a distributor of Mozilla-based products, then that member may share such information within that distributor, provided that this information is shared only with those who have a need to know, only to the extent they need to know, and such information is labeled and treated as the organization generally treats confidential material ...

... not to post descriptions of exploits in public forums like newsgroups, and to be careful in whom they add to the CC field of a bug (since all those CCd on a security bug potentially have access to the complete buzg report). .

.. to be careful in whom they add to the CC field of a

http://www.mozilla.org/security/known-vulnerabilities/firefox35.html
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html

Firefox works with user's permissions on current systems - at least Google Chrome and IE are sandboxed.

http://www.mozilla.org/security/known-vulnerabilities/firefox35.html
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html

Firefox works with user's permissions on current systems - at least Google Chrome and IE are sandboxed.

Much better to use the Add-on Compatibility Reporter https://addons.mozilla.org/en-US/firefox/addon/15003

It will enable all your officially incompatible addons just like the pref, and you can help by reporting your add-ons as working fine or not compatible (reporting is completely optional).

Others have commented on the problems mozilla have with licensing H.264 decoder distribution. Maybe that could be worked round by relying on a system codec (which licensed or not is the distro/user's responsibility), but there's more to it than that.

The Mozilla foundation's mission is to help the Internet remain an open and accessible global public resource, not to create the browser with the greatest market share at all cost. The MPEG-LA's mission is to extract as much revenue for their member IP "right's holders" as possible, not to further open video on the web.

The MPEG-LA charge software suppliers an IP license to distribute a decoder, but they also have a price sheet for the people providing the content.

  - distribute an encoding application they want payment
  - use that application to encode and they want a payment (yep two different licenses for both the supplier and user)
  - charge for your streamed content they want a per stream payment

Now, as is sensible strategy, they aren't enforcing their charges for internet streaming at the moment. But the current licensing period ends 31st Dec 2010, and the rights holders will want more next time round.

If H.264 works everywhere and becomes the only standard for video on the web, then the web becomes less open and accessible for everyone publishing content.

Now I've no idea what Google pay in licensing for streaming youtube, and what their view is of what they'd have to pay in the future, but they have recently acquired the company responsible for the VP7 and VP8 codecs, so it looks like they do value access to a codec not controlled by the MPEG-LA.

Google (youtube) probably support only H.264 right now on technical merits, they (Chrome) are quite happy to support ogg/theora playback. I'd not be surprised to something new come out from them using the codecs (and people) they got from On2 this year.

Apple are MPEG-LA rights owners; they have no interest in any open AV formats on the web and will probably not implement anything else unless market forces mean they have to.

Mozilla avoid H.264 on licensing cost and support for openness.

Opera avoid H.264 on licensing cost grounds.

Microsoft just wish HTML5 would go away and you'd start using Silverlight (and upgrade to Windows 7 too, please).

There are good arguments for not supporting H.264, at least not until a viable open alternative is widely supported too.

They're working on it: https://wiki.mozilla.org/Gecko:Layers

You guys are forgetting that Mozilla owns the copyright to the code, and none of the 3rd-party code they use is GPL. As owner, they are the licensor, and the licensor is not bound to the same conditions as the licensees. Ultimately, they will have to include h.264 support in their official binaries just like Google has done with Chrome. The rights won't extend to those who build custom binaries like Ubuntu, but that's what the distinction between free and non-free is for.

Naw, there's obviously a way to get it done, and it's not that difficult either. It's not really an issue that's very different from distributions allowing users to install "non-free" packages.

Google licenses h.264 for use in Chrome. Obviously that doesn't extend to Chromium, but it doesn't really need to. It's clear that if you want h.264 support, you'll need to run the Google binary since they've paid the royalties. There's no reason Mozilla couldn't license h.264 for their officials builds. Ubuntu/etc can continue to include their own completely free, pseudo-branded Firefox build and simply put up a "non-free Firefox" package in a repository. It's been done many times for other useful, non-free packages... it's not like this is some new process we're figuring out for the first time.

Furthermore, the GPL isn't an issue here because Mozilla is the copyright holder of the codebase. That means they can build and distribute a binary mixed with patented/proprietary code, though distributing that source code would clearly be at odds with both the GPL and the h.264 license conditions. However, as the copyright holder, they are not bound by the restrictions of the GPL, including the restriction of binary distribution. The GPL is a license and licenses are for licensees. They are not required to release all the source code they link with their GPL-licensed code. Indeed, Mozilla doesn't even release their binaries under GPL conditions, but rather under their own MPL (see bottom).

None of this may be convenient, but it is abundantly clear to most of us (for better or worse) that h.264 has won for now. Mozilla may think they have some clout because of their market share, but at the end of the day, it's the likes of YouTube and other online content providers that really have the last word, and they have chosen h.264.

https://bugzilla.mozilla.org/show_bug.cgi?id=422540
They are working on a Gstreamer backend for the video tag, and that will provide support for h264. From skimming the comments, it seems that there is a working but slow patch for 3.5, which is yet to be updated for 3.6.

But until it's as simple as hitting a button in Firefox to use Tor, of course it's only going to be the enthusiasts and scumbag fringes that'll put the time into researching and securing their privacy online.

Duh!

A.k.a. "Minefield." Despite the name, it's been completely stable for me. In fact, I'm using it right now. Works fine. I sometimes miss the History function, though it remembers the sites I've visited. So I have no complaints. The speed gain over 3.5 is phenomenal. Between Mac OS X 10.6 and Minefield, I'm a happy camper.

The Firefox team is aware of the problem and they're working on eliminating as many of these as possible.

The first fruit of the Electrolysis project is supposed to be pushed out as Fx3.6.2 (codename "Lorentz"). Plugins are going to be moved into their own process, kind of like what Safari already does with Flash.

You do realize addons exist to change the functionality of the scroll wheel?
I have been using this addon for quite a while now to modify FF scrolling functionality.

And Firefox kicks Chrome's tail at Arrays (6 times faster) and Strings (2 times faster) in Dromaeo.
Your point?

There are bits they are working on that are specifically test-related.
https://bugzilla.mozilla.org/show_bug.cgi?id=523497
https://bugzilla.mozilla.org/show_bug.cgi?id=516264

And other general bits too. Overall, the differences are not as wide as you make them out to be.

And Firefox kicks Chrome's tail at Arrays (6 times faster) and Strings (2 times faster) in Dromaeo.
Your point?

There are bits they are working on that are specifically test-related.
https://bugzilla.mozilla.org/show_bug.cgi?id=523497
https://bugzilla.mozilla.org/show_bug.cgi?id=516264

And other general bits too. Overall, the differences are not as wide as you make them out to be.

Stop wasting time on making the browser look different than the fucking OS you idiots.

Hear, hear, goddamnit, HEAR! Consistency is an essential quality of a good user interface. That's why I could never really stand Opera: you can make it look like anything, but good luck making it look like it belongs. And that's why I love Safari on the Mac, yet hate it on Windows: it looks alien to the system around it.

Here's a tip -- go to the themes page and look for something that fits your OS. Looks like custom themes are immune to this Persona shit.

This is being investigated, in fact. Work is being done to use Direct2D for hardware acceleration in Vista and 7. https://bugzilla.mozilla.org/show_bug.cgi?id=527707

Use a password generator like Password Hasher to generate a unique password for that site (you can give the hasher the same password for every site, it generates a password for you based on your password and a key for that site like the domain name), or use a throw away password that you don't care if anyone gets it.

Pick a large, active open-source project and try to help with the problems its developers have. You will be loved.

Here are some of the problems I'm aware of within the Mozilla project.

Speed of development

'make' doesn't scale. An incremental build, even with no changes, takes at least a minute. (In contrast, just checking whether any files have changed takes 'hg' less than 10 seconds.) Maybe help us move to 'scons', or help improve 'pymake', or just help us get our dependency generation right.

'ld' is slow. Once a developer makes a change to any c++ file, the incremental build is going to take several minutes while the linker uses up all her RAM. Maybe help us move to another linker such as 'gold', and contribute any necessary changes back to the 'gold' project.

'hg' merges are confusing. hg's developer-facing user interface could be improved, both while doing a merge and after doing a merge.

Automated testing

We've built an interesting interface around hg-pushlog (which is itself a Mozilla extension to hg) and buildbot that lets us see which tests failed after each change. I'd love to see these tools generalized to the point where other open-source projects can use it and contribute back to it.

As we require unit and integration tests for more and more components of Firefox, we're finding that a small number of tests failing intermittently can make it difficult to move quickly. We could use better tools for tracking test failures, and for record-and-replay debugging to help us figure out the intermittent failures, and probably for other things we haven't thought of.

Programming languages

We need a decent low-level programming language. Something that lets programmers implement sneaky fast algorithms, but lets programmers do it without constantly shooting themselves in the foot with security holes. Something you'd want to write (difficult parts of) a web browser or OS in.

I don't know if the answer is adding more and more to the type system (like in Cyclone), or integration of assertions with static analysis (like in D), or simply making it easy to integrate low-level code with high-level code (like in C#, or with ctypes or jsctypes).

Mozilla is doing interesting things with custom static analysis of C++ code.

Making collaboration tools support workflow and GTD

We have a crash analysis system and a bug-tracking system with lots of information, but the workflow is poor, so much of the information is not acted upon.

It's hard to come up with a good workflow (and make the tools support that workflow) in a large project where many of the contributors are volunteers who decide themselves what to work on, but I think we can do better.

Pick a large, active open-source project and try to help with the problems its developers have. You will be loved.

Here are some of the problems I'm aware of within the Mozilla project.

Speed of development

'make' doesn't scale. An incremental build, even with no changes, takes at least a minute. (In contrast, just checking whether any files have changed takes 'hg' less than 10 seconds.) Maybe help us move to 'scons', or help improve 'pymake', or just help us get our dependency generation right.

'ld' is slow. Once a developer makes a change to any c++ file, the incremental build is going to take several minutes while the linker uses up all her RAM. Maybe help us move to another linker such as 'gold', and contribute any necessary changes back to the 'gold' project.

'hg' merges are confusing. hg's developer-facing user interface could be improved, both while doing a merge and after doing a merge.

Automated testing

We've built an interesting interface around hg-pushlog (which is itself a Mozilla extension to hg) and buildbot that lets us see which tests failed after each change. I'd love to see these tools generalized to the point where other open-source projects can use it and contribute back to it.

As we require unit and integration tests for more and more components of Firefox, we're finding that a small number of tests failing intermittently can make it difficult to move quickly. We could use better tools for tracking test failures, and for record-and-replay debugging to help us figure out the intermittent failures, and probably for other things we haven't thought of.

Programming languages

We need a decent low-level programming language. Something that lets programmers implement sneaky fast algorithms, but lets programmers do it without constantly shooting themselves in the foot with security holes. Something you'd want to write (difficult parts of) a web browser or OS in.

I don't know if the answer is adding more and more to the type system (like in Cyclone), or integration of assertions with static analysis (like in D), or simply making it easy to integrate low-level code with high-level code (like in C#, or with ctypes or jsctypes).

Mozilla is doing interesting things with custom static analysis of C++ code.

Making collaboration tools support workflow and GTD

We have a crash analysis system and a bug-tracking system with lots of information, but the workflow is poor, so much of the information is not acted upon.

It's hard to come up with a good workflow (and make the tools support that workflow) in a large project where many of the contributors are volunteers who decide themselves what to work on, but I think we can do better.

But only in a frame, inside Firefox. (Just disable the cookie transfer feature. That’s a really stupid idea.)

In summary, for 2008 and based on http://www.mozilla.org/foundation/documents/mf-2008-audited-financial-statement.pdf , something like $17 million taxes, $12 million set aside for future (e.g. if the Google contract doesn't get renewed, say). About $50 million spent, from a total revenue of $80 million or so. That would presumably include salaries+benefits for those 200-ish people, whatever hardware is needed for the developers, the testing infrastructure (see http://atlee.ca/blog/2009/11/02/what-happens-when-you-push/ for example), infrastructure for the various Mozilla web sites (addons.mozilla.org, www.mozilla.org, update servers, etc). Oh, and office space lease, presumably.

How much do you figure it should take to run an organization with about 200 competent (so not necessarily cheap) staff and a fair amount of necessary infrastructure for a year?