Domain: mozilla.org
Stories and comments across the archive that link to mozilla.org.
Comments · 17,579
-
Re:Does this mean that . . .
-
Re:Does this mean that . . .
-
Re:MAC OSX ComplainsIf you're looking for a Mac browser, how about Camino 0.8? Same rendering engine as Firefox, but a Cocoa native frontend.
Yes, there are some things in Firefox that have no UI equivalent in Camino, and that irks me at times. But I use Camino as my main web browser, and I'm very happy with it, thank you very much.
-
Re:Does this mean that . . .
Trying to download a 4.0 MB file after it's linked to on the front page of Slashdot is never an easy thing, dude.
I'm mirroring a couple of the files. Please verify the md5sums yourself, though. -
Re:MAC OSX Complains
Well, Firefox 1.0 on OS X will be delayed a bit from the other platforms to clean up some issues such as this. The Expose thing you mentioned has been written up in Bugzilla (copy & paste the URL to see the bug.)
-
Re:MAC OSX Complains
Well, Firefox 1.0 on OS X will be delayed a bit from the other platforms to clean up some issues such as this. The Expose thing you mentioned has been written up in Bugzilla (copy & paste the URL to see the bug.)
-
Re:Grumble Grumble
While all of these people say to just install over your old version, they would be wrong. Over time, old files start sifting through. One of the most common problems of not-uninstalling is your UA string stays on the old version, but your browser is definately the new version.
You'll want to take a look at bug 237727* to see that they are going to clear out some of the old files if you choose to reinstall over your old version. They have already done some good work on that bug for the next versions (FX 1.0PR and TB 0.8), but they just need to widdle down which files need to be wiped. I have faith that this'll be fixed by FX 1.0.
One solution was to automatically delete the entire install directory right before reinstall. This actually backfired when stupid users tried to install to "C:\Program Files\" and it wiped that folder clean. Oops.
* Bugzilla hates slashdot; copy and paste. -
Re:Both GNOME and KDE has miles to go
While Mozilla (and especially Firefox) is not strictly GNOME application, you really can't say it isn't one either, not any more.
It didn't use the file selector, because the consensus was that the old one sucked, FF1.0 will probably, now that the new one is here. It follows the GTK theme in looks, follows GNOME button order, it can even pull some things from gconf, like proxy settings.
See the done and in-the-works gtk and gnome integration tracker bugs here http://bugzilla.mozilla.org/show_bug.cgi?id=92033 and here http://bugzilla.mozilla.org/show_bug.cgi?id=233462 -
Re:Both GNOME and KDE has miles to go
While Mozilla (and especially Firefox) is not strictly GNOME application, you really can't say it isn't one either, not any more.
It didn't use the file selector, because the consensus was that the old one sucked, FF1.0 will probably, now that the new one is here. It follows the GTK theme in looks, follows GNOME button order, it can even pull some things from gconf, like proxy settings.
See the done and in-the-works gtk and gnome integration tracker bugs here http://bugzilla.mozilla.org/show_bug.cgi?id=92033 and here http://bugzilla.mozilla.org/show_bug.cgi?id=233462 -
Linux installer bug
I downloaded the linux installer version (firefox-0.9.3-i686-linux-gtk2+xft-installer.tar.
g z)ked from the Firefox page and itself seems to have a little bug:
** (firefox-installer-bin:3120): WARNING **: Invalid UTF8 string passed to pango_layout_set_text()
It winds up with an incomplete installation. However, if you just download the gzipped tarball without the installer from here and untar it over your old firefox directory you should be just fine. -
Link on Firefox page is incorrect
Use this link instead: http://ftp.mozilla.org/pub/mozilla.org/firefox/re
l eases/0.9.3/ -
Re:Grumble Grumble
I grabbed this from the Troubleshooting Mozilla guide.
From Point 14:
If Nautilus has been configured to use the Mozilla Gecko rendering engine, installing a mozilla.org binary on top of that may cause odd problems and conflicts. You should use the package of Mozilla supplied by your Unix or GNU/Linux distribution, as their version should work properly with their package of GNOME.
I have personally experienced problems where Mozilla refused to render anything secure (https) because I had overwritten previous Mozilla installations. There could have been other problems but I never noticed. I'd reccommend you just do a clean install (which means, an uninstall, then reinstall). There is no reason to tapdance in minefields unless you're a windows user. like me. :)
Good luck! -
Re:It does this already
First, for these preview releases it is strongly recommended that you uninstall any previous version of Firefox first [emphasis not added]. Installing over the top of an older version may cause unpredictable problems. If you install over the top of an older version and want to file bugs, please do a clean install into a fresh directory before doing so.
From here
Last time I tried to install over an existing installation i seriously regretted it. Took me 3x as long to get everything worked out. So now I uninstall first. -
Try again if 0.9.3 for Windows didn't work earlier
The timestamps in the 0.9.3 release directory show that the Windows binary has been updated.
Got the supposed 0.9.3 for Windows earlier today, which didn't work. Process appeared in task list, but no window came up. Also, any place the version number appeared, it was still listed as 0.9.2. With the caveat that I don't know how those folks do their releases, I'll say that with the proper automation, that oops-i-forgot-to-increase-the-version-number snafu should never happen.
-
Re:FYI: Reg free links
The registration is intermittent -- just hit reload a few times and it'll go away. Or you can use the Firefox BugMeNot extension.
-
Re:An alternative to registering...
There's also a Firefox Extension. Very handy.
-
Re:Yes, they work.
Using yesterdays Firefox branch build the config.trim_on_minimize pref works again (it prevents Firefox to swap out on minimize).
To enable this go to URL: about:config
Rightclick -> New -> Boolean -> config.trim_on_minimize -> false -
Re:"Significant"From the faq:
What types of security bugs do you consider to be "critical"?
In general we consider critical security bugs to be those that allow execution of arbitrary code on users' systems or that otherwise allow access to users' confidential information. In the latter case we consider bugs to be critical only if they potentially expose high-value personal information (e.g., passwords, credit card numbers, and the like); in the context of the bug bounty program we do not consider bugs to be critical if they potentially expose only lower-value information (e.g., browsing history) or information that would be useful primarily for other exploits (e.g., the names of files or directories on the user's system).
Finally, in general we do not consider bugs that allow denial of service attacks to be critical in the sense described above. -
Re:We will probably never get to see them
So what, you'd rather give the black hats every courtesy to help them come up with an exploit before the developers can come up with a fix?
Quoting from the Mozilla Security Bug Bounty FAQ,
If I report the bug directly to you, do I have to keep the bug confidential and not publish information about it in order to receive a reward?
No. We're rewarding you for finding a bug, not trying to buy your silence. However if you report the bug through the standard Mozilla process and haven't already published information about it then we do ask that you follow the guidelines set forth in the official policy on handling Mozilla security bugs. Under this policy security-sensitive bug reports in our Bugzilla system may be kept private for a limited period of time to give us a chance to fix the bug before the bug is made public, with an option for the bug reporter (or others) to open the bug to public view earlier whenever circumstances warrant it (e.g., if your bug report is being completely ignored).
So, yes, the Mozilla Organization would prefer that the developers get a reasonable chance to fix security bugs before anyone else, you know, like black hats, learns about them. They are also realists: the reporter could have told the world to begin with, so there's nothing to stop them from doing the same later. Knowing that, it only makes sense to plan on keeping confidentiality only for a limited time. If you read handling Mozilla security bugs it is clear that they grok.
-
Re:We will probably never get to see them
So what, you'd rather give the black hats every courtesy to help them come up with an exploit before the developers can come up with a fix?
Quoting from the Mozilla Security Bug Bounty FAQ,
If I report the bug directly to you, do I have to keep the bug confidential and not publish information about it in order to receive a reward?
No. We're rewarding you for finding a bug, not trying to buy your silence. However if you report the bug through the standard Mozilla process and haven't already published information about it then we do ask that you follow the guidelines set forth in the official policy on handling Mozilla security bugs. Under this policy security-sensitive bug reports in our Bugzilla system may be kept private for a limited period of time to give us a chance to fix the bug before the bug is made public, with an option for the bug reporter (or others) to open the bug to public view earlier whenever circumstances warrant it (e.g., if your bug report is being completely ignored).
So, yes, the Mozilla Organization would prefer that the developers get a reasonable chance to fix security bugs before anyone else, you know, like black hats, learns about them. They are also realists: the reporter could have told the world to begin with, so there's nothing to stop them from doing the same later. Knowing that, it only makes sense to plan on keeping confidentiality only for a limited time. If you read handling Mozilla security bugs it is clear that they grok.
-
Re:We will probably never get to see them
So what, you'd rather give the black hats every courtesy to help them come up with an exploit before the developers can come up with a fix?
Quoting from the Mozilla Security Bug Bounty FAQ,
If I report the bug directly to you, do I have to keep the bug confidential and not publish information about it in order to receive a reward?
No. We're rewarding you for finding a bug, not trying to buy your silence. However if you report the bug through the standard Mozilla process and haven't already published information about it then we do ask that you follow the guidelines set forth in the official policy on handling Mozilla security bugs. Under this policy security-sensitive bug reports in our Bugzilla system may be kept private for a limited period of time to give us a chance to fix the bug before the bug is made public, with an option for the bug reporter (or others) to open the bug to public view earlier whenever circumstances warrant it (e.g., if your bug report is being completely ignored).
So, yes, the Mozilla Organization would prefer that the developers get a reasonable chance to fix security bugs before anyone else, you know, like black hats, learns about them. They are also realists: the reporter could have told the world to begin with, so there's nothing to stop them from doing the same later. Knowing that, it only makes sense to plan on keeping confidentiality only for a limited time. If you read handling Mozilla security bugs it is clear that they grok.
-
Re:We will probably never get to see them
Some security through obscurity is a reasonable precaution here IMHO, as part of a wider security policy. Principally, it may protect people using the browser from the scriptkiddies which full disclosure might bring (as others have noted).
One of the main arguments for full disclosure is that, if a vendor isn't fixing a bug (in a reasonable period after you have notified them of it), you can force the issue by making it public.
If security by obscurity was the core of the security policy then I wouldn't be happy about it. However, if you have a look at Mozilla's security bug policy, you will see that the bug reporter can open up their bug if they are not happy with how things are progressing.
Seems like a good comprimise to me...
Dave.
-
Re:Lousy deal
I don't like the wording in the press release either. The Bug Bounty FAQ makes it more clear, but still leaves a lot of information out.
Bugs that will get the bounty:
* Arbitrary code execution without user interaction.
* Reading files with known names from the user's hard drive without user interaction.
* Reading cookies or stored passwords for other sites without user interaction.
For bugs that require some user interaction to exploit, human judgement is required, hence contest judges.
Bugs that will not get the bounty:
* Temporary DoS, such as crashing or hanging the browser.
* Exposure of browsing history.
* Local file detection.
I don't know what would happen with a bug whose severity is between those listed as ineligible and those listed as eligible.
For what it's worth, about half of the security holes I've reported in Mozilla had the necessary severity (code execution, cookie read, file read). Many of those holes those required user interaction, though. It might be interesting to ask the judges which of my security holes would have been eligible had I reported them after 2004-08-02, to get a better idea of what they consider eligible. -
Why?
Maybe it's just me, but I really am wondering why they're doing this. Mozilla is *full* of bugs already, many of them significant (albeit not security-related), that aren't fixed; and users that encounter security issues are likely to report them anyway, I think, no matter whether they get paid for it or not.
-
The difference between mozilla.org and Microsoft
mozilla.org offers a $500 bounty for discovering "critical" security holes, while Mircosoft offers a $250,000 bounty for catching virus authors.
-
Re:too bad, Mozilla suite suckers!
In seriousness, that's probably just an artifact of Firefox-specific XUL in the example, and could be fixed by a dedicated black hat.
BZZZT WRONG!!!
You just haven't RTFA.
Check the "original" vulnerability in the secunia report.
http://bugzilla.mozilla.org/show_bug.cgi?id=244965
In the first message post there is a PoC that "steals" your master password with a similar trick, and it works ok in mozilla classic 1.2.1.
It is definitely NOT firefox specific.
The PoC:
http://bugzilla.mozilla.org/attachment.cgi?id=1495 00&action=view
WARNING: It fscks up the keyboard controllability of mozilla.
-
Re:too bad, Mozilla suite suckers!
In seriousness, that's probably just an artifact of Firefox-specific XUL in the example, and could be fixed by a dedicated black hat.
BZZZT WRONG!!!
You just haven't RTFA.
Check the "original" vulnerability in the secunia report.
http://bugzilla.mozilla.org/show_bug.cgi?id=244965
In the first message post there is a PoC that "steals" your master password with a similar trick, and it works ok in mozilla classic 1.2.1.
It is definitely NOT firefox specific.
The PoC:
http://bugzilla.mozilla.org/attachment.cgi?id=1495 00&action=view
WARNING: It fscks up the keyboard controllability of mozilla.
-
Re:This is nothing...
-
Re:What the hell?
I think if you compare the MyIE features to what's available here, it will definitely not be Firefox that gets blown away. I also disagree with the parent--Mozilla actually reacts to bugs more quickly, and has a stricter notion of what qualifies as a security bug than the developers of Internet Explorer. (this one doesn't count--Mozilla, IE, and Opera all have this problem. You've seen all the banner ads that look like they have IE widgets.)
-
Make that 5 years and two days.The only point of concern in this whole matter is... why has this bug been lurking for five years?
I have every confidence the Mozilla team will address it, but this doesn't make open source appear any better than closed source (re: Microsoft's timetable for fixing IE flaws).
-
Re:There's something rotten in Firefox.
Either a reporter can mark his own bug confidential or a member from the security group can mark it confidential (or remove that flag). The members can be found here. Those are either members of the Mozilla Foundation, people who have done coding for Mozilla for many years now or were in any other way involved for a long time in the security of Mozilla. Or earlier (like one year ago) it were also people from Netscape, but i don't know how many people from Netscape actually had access to those bugs.
-
Re:Javascript window "features"
According to this comment in another bug, DOM events can still change the status bar text despite those config changes:
http://bugzilla.mozilla.org/show_bug.cgi?id=252811 #c9
(you may need to copy & paste the link, as they block slashdot referrer URIs) -
Re:This is pretty bad... but...I've every faith we'll see a fix fairly soon...
Perhaps not. It's been five years since this vulnerability's been known by the Mozilla devs. That disturbs me. Methinks there might be something fundamentally flawed with the XUL architecture.
-
Re:This is nothing...
-
Its a Known Vulnerability in MozillaThis issue appears to be the same as Mozilla Bug 244965
.
-
Yes, truly.Google's got a golden brand. It's making its way as a verb into our dictionaries. People won't forget that it was the first engine not to be stuffed with clutter. People appreciate that their ads have been relatively tolerable and pretty well targeted, and I believe they will continue to associate these things with the Google brand despite what MS does so long as it's [barely] legal in regards to IP and antitrust territory.
Also, Linux *caugh Debian* is gaining enough marketshare that it is a very real threat on Microsoft's radar. As that continues to ascend, there will be a lot of people w/o MS search integrations. Moreover, IE has begun to go south in marketshare. People are realizing that there are some badass alternatives to IE and even without being marketed to use them by any form other than word of mouth. People may extend this logic to software beyond the web market, and who knows, maybe one day people will be comfortable with the
.swx format. -
Re:Firefox
The W3C Markup Validation Service lists 141 errors in the HTML of the slashdot homepage. Interestingly, the Firefox website fails to give a doctype and has 8 errors (if it's meant to be HTML 4.01 Transitional).
-
New Antiphishing Features In Mozilla Firefox
Mozilla Firefox recently added some nice anti-phishing features to the 1.0 branch. Some features include:
-Display of the site domain name in the status bar while in secure mode. (Bug #245406)
-A warning box that displays when a site is using unnecessary http authentication in the URL (ex. http://example.net@example.com/ ) (Bug #232567)
I believe it is a good thing that Firefox is starting to implement some anti-phish features and hope that other browsers will start doing the same.
[NOTE: You will have to cut and paste the above links due to bugzilla.mozilla.org rejecting slashdot.org referrers.] -
New Antiphishing Features In Mozilla Firefox
Mozilla Firefox recently added some nice anti-phishing features to the 1.0 branch. Some features include:
-Display of the site domain name in the status bar while in secure mode. (Bug #245406)
-A warning box that displays when a site is using unnecessary http authentication in the URL (ex. http://example.net@example.com/ ) (Bug #232567)
I believe it is a good thing that Firefox is starting to implement some anti-phish features and hope that other browsers will start doing the same.
[NOTE: You will have to cut and paste the above links due to bugzilla.mozilla.org rejecting slashdot.org referrers.] -
Re:I want to write docs
Mozilla and OpenOffice are always seeking documentation help and seeing as these two products are the windows worlds's first glimpses of open source, they need all the help they can get.
GIMP could also use some documentation help to bridge the gap for Photoshop and PSP users. -
This is good news
This is brilliant news there's still some web sites I know that say they support Netscape and not Firefox, if this can get the Netscape marketshare up until Firefox becomes a household name (and it's on its way - there's a lot of marketing planned around the 1.0 release) then it'll encourage webmasters to fix their bugs.
Also it means there's a recent secure browser that people can switch to from IE if the pre-1.0 version number puts people off Firefox (I know the Mozilla suite is 1.7 but they never really did aim that one at end users and doesn't have the new extension management stuff Firefox will have).
If you look at the copyright notice in the Netscape Store article linked to in the story you'll also notice that the store is run by MozSource which is the retail arm of the Mozilla Foundation. -
Re:Glad to hear it
Had that problem with firefox then got user agent switcher and use that when I need to lie about my brower type.
You can mess around with the message that is send, so for instance you can report that you are internet explorer running on a commodore-64. -
Adblock for FireFox
Just get AdBlock for FireFox. After a week or so of tuning it you'll almost never see an ad again.
-
Re:Gnome Usability
-
Re:Gnome Usability
-
In Soviet Russia...
-
Re:Which browser to use?You say you've used "Firebird", so I guess you've installed an older version of Mozilla's excellent Firefox product. You should try the latest version: they've made huge enhancements to stability and reliability in the past few releases. I use it as my only browser under Linux and the occasions where it doesn't function properly are becoming rare.
-
Re:Displaying XHTML
About layout scaling: The reason your pages do not scale with font size is probably that you are still thinking in the "old" table way of layout and giving things pixel sizes. Using ems, instead of pixels, as this article from A List Apart (a great website for web designers, and probably the best place to learn how to properly put new standards, like XHTML and CSS, into place without sacrificing flexibility) explains, has a benefit:
...you can use ems to define the dimensions of your entire layout, which will then scale in proportion to the text.This makes it much easier to lay out pages. Take a look at my blog, where I use this technique.
Oh yeah, when you say "So much for accessibility!", you are slightly missing the point. The point of accessibility is that your content be accessible (not necessarily pretty) without problems. Tables used for layout, for example, present a problem, because screen readers do not know whether to ignore them and just follow the page in order or whether to treat them as an actual listing of information and denote the rows and columns. Look at my blog, change the font. Nothing breaks.
About overlapping text: Have you seen this or many of the other articles explaining how to use margins and floats to keep stuff from running over it. And the way to tell the browser not to run over stuff is this: if you have a sidebar, say "float: left;" (or right) in the CSS style for it. Then it will stay on the left, and the other stuff after it will wrap around it.
If you want to see an example of a page where a sidebar (on the right in this case) floats without covering up the content, visit my blog. If you email me I will give you a copy of the template, which is beautiful--it is absolutely, completely separate content and formatting.
About "will this revision be more precise about display?": No. XHTML does not specify how text is displayed. HTML is the Hyper-Text Markup Language--it is used for 'marking up' (not 'laying out' or 'beautifying') 'hyper-text' (not graphics). The point of HTML, from which it strayed and, with XHTML, is returning to, is to show the structure of text. The <p></p> tag only means "the text inside this element is a paragraph". It does not mean "the text inside this element should be displayed as a wrapped, block-level element with a margin above and below." It simply suggests to the user agent or renderer that the enclosed text should be considered, semantically, a paragraph.
Don't worry--with time, the "ripping apart" of pages into content and formatting becomes natural. The best way, in my opinion, and the one that produces the results most true to the separation of content and formatting, albeit being a bit of a challenge, is to do this: write your entire page using only XHTML--no CSS. What you will end up with is a 1990's-esque HTML page with no formatting. Create all your pages, using common classes of divs and spans everywhere. Then, create a CSS stylesheet that converts this purely semantic set of pages into a beautiful layout. The best tools for this are Firefox (although you should test in IE if you care about idiots) with the EditCSS sidebar. With these, you can load your bare-bones page and edit a stylesheet in real time, watching how styles affect the page. If you are uploading to a remote server as you develop (rather than running Apache somewhere on your LAN) it is much faster to just edit a stylesheet with this.
Just my two cents. (Actually more like a
-
Re:Human nature ...
Most people won't switch, because they have been using Win, Office and IE at home and in the office for five or more years. People are simply USED to this set of applications and are not keen to learn something new - no matter how geeky, secure and cool it is.
And to give my opinion, most people don't have a single reason to change, and most people ARE happy with Microsoft's software. Funny that most of MS bashers here are Linux users who have no experience of Windows whatsoever. "Windows is unsecure and crashes all the time blah blah blah". Bullshit. I have never, _never_ got virus, spy, or adware on my Windows XP installation, and it crashes less than Linux. Last crash was about 6 months ago last time due early Ati drivers.
With Linux, it is not really hard to make system lockup. Just modprobe some broken or wrong driver, X has changes to halt whole machine (happened to me many times) and so on. Sorry Zealots, your Linux is not a perfect solution for computing problems at home.
Securing Windows is seriously not that hard. Few steps and little bit of Common Sense(tm) and you're fine:
1) Firewall on. Yes, it's stupid design to have RPC services listening and you cannot even shut them down. This anyway is fixed with Firewall. Such as Zonealarm. I use both two, XP's builtin along with Zonealarm in case Zonealarm crashes or sumthing.
2) Get the patches. Not that hard. WindowsUpdate is easy to use.
3) Get antivirus, just in case. For example http://www.avast.com has free-for-home-usage virusscanner which does good job.
4) Don't use IE or Outlook :) This alone shuts down most of Windows'es security holes. Get your internet apps from Mozilla.
Also some common sense using pirated software (best thing is to NOT use any, like I don't), most of the spyware comes from Kazaa. Don't download russian-mafia-pirated games. Those are not clean. If you do, blame yourself.
And before all Linux Zealots start once again shouting about MS Office's price blablabla, For Your Information, OpenOffice is available for Windows too. That's right! Amazing, isn't it? No need to pay anything. There is alot of free and open source software for Windows. Alot. ALOT!
Not meant to be troll, I am just sick and tired of hearing FUD from Linux Zealots who have no experience on Windows or they don't know how to use it. Some basics on Windows security are good to know, and what steps to take to secure it. You need to do securing steps on Linux, especially on Linux servers too (Apache on default settings, running as root for example is not wise). Even pretty much any Linux distribution is safer out of box than XP, it doesn't mean Windows is impossible or even hard to secure up. -
Re:WowYou know what's enlightening? Finding the comment that tried to slashdot my extension. Hope you all like it.
Sorry, I should have posted the mozilla update page. I wasn't thinking. I apologize.