Slashdot Mirror
A Security Bug In Mozilla - The Human Perspective
xslf writes "Alex Vincent, the reporter of the data-loss security bug 259708, writes about the behind the scene process of reporting it, casting light on the problems of dealing with security related bugs reported by the community, which isn't always aware of the security implications of the bugs reported. The issues with the FLOSS process shown in this bug might get worse, once more and more people use FLOSS and add to the process, without being full fledged coders, and rely on binary releases of software." (Note, you'll have to copy and paste that link to view the bug report, or click through from the linked story.)
What are you trying to do? Shut down the Mozilla project?!? If you absolutely NEED to see the bug, go to MirrorDot and look it up there.
Javascript + Nintendo DSi = DSiCade
"Well, some smarty-pants decided to repost my entire blog entry about bug 259708 as a comment on one of my entries, with an e-mail address of "fulldisclosure@netsys.com". Word for word, no changes, and no commentary either.
This annoyed the hell out of me. On the one side, I could see this anonymous poster's point: the bug was already in the public domain when it disappeared very suddenly."
What are you complaining about? Isn't this your fault for taking the entry down to begin with?
I'm going to troll a bit here, but doesn't this essay/blog entry just bitch about how he feels things weren't handled in a manner to his liking? And shouldn't he be faulted for how he initially handled the bug? (Noted below-)
"Losing data is horrendous, yes, but not as bad as losing it to someone else. That just wasn't happening here. So I decided not to ask for a security group review. That was my first mistake.
Lesson Number One: The very instant you start to wonder if a bug might cause a security concern, stop wondering and ask the security group to review. Don't try to do the security group's job by trying to decide if it really is one or not."
I think the bigger concern here was whether or not the bug got fixed, and once it was properly classified, it was indeed fixed. There probably could have been a faster fix for this bug, but I think most of what happened in this case can be directly faulted to him.....
-thewldisntenuff
My MythTV HowTo
See that text at the top of the page? Now look at the last part of it. See the text that reads "(Note, you'll have to copy and paste that link to view the bug report, or click through from the linked story.)"? Now why do you think that a post about how you cant use the link would be redundant?
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Bug 69070
The bug was on bugtraq in 2001! It allows remote pages to open and use files on the local machine, and is also a denial of service on Linux, since Mozilla stupidly allows the opening of paths which are not regular files (/dev/tty).
My experience with 69070 has been educational. I've learned if there's a security bug you care about, you had better fix it yourself. Unfortunately I can't but maybe someone in the audience has the spare time to step up.
Opps.. where are ALL my precious precious downloaded files?
-Woof woof woof!
Damn. I hate it when people point out when I'm wrong.
I am the maverick of Slashdot
You know we can't access bugzilla from slashdot links. It's just everytime I go to the clubs with a beanie, I get turned away. Why are we doings this to each other, HUH?!
Click here or a puppy gets stomped!
If you don't want to copy & paste...
Here is a rough mirror. (links are relative, so they won't work)
Wait a sec, you're bitching that they won't pay you to work for them, when you don't pay them for thier product?
Holy hypocrisy...
feh. stuff.
Acronym loving developer: I advocate the use of FLOSS and if it's with ENEMA, all the better.
CIO: You're fired.
I've been swashdotted -- Elmer Fudd
The fact that you've been modded as a troll illustrates your point even futher :-)
If you offered to pay them to fix the bug, it would probably be a shade more consistent with your "I don't work for free" stance. Or is it just other people who should work for free?
On the other hand, open-source software backed by a stable company does not face the same problem. Consider Linux. If the open-source community did not address the security flaw expeditiously, then you can be sure that IBM will step into the picture and fix the problem promptly. IBM will never fail its customers. Hence, Linux exploded in popularity among commercial companies after IBM committed $1 billion to Linux.
What the heck is FLOSS ?
There was a 2002 paper published by the Mitre Corporation that used the term "FOSS", meaning "free and open-source software". As far as I know, this was the first use of the term, but it may go back a bit farther than this.
I don't, however, have any idea what "FLOSS" is supposed to mean. Assuming that it isn't related to dental hygiene, what is it supposed to stand for ? "Free {Linux, liberty, low-cost} open-source software" ? Just a nonsense corruption of "FOSS" ?
The closest explanation I can find is this blog entry by David Wheeler: "Free-Libre / Open Source Software". Is this really what people are trying to say ?
DO NOT LEAVE IT IS NOT REAL
is not very positive. If you ever dare to ask if any progress has been made, or for an ETA on a fix, you're bound to get a "well why don't you fix it yourself" indignant reply.
If progress is made, you'll see patches added to the bug, or comments from developers discussing the fix. Parents get annoyed by incessant kids in the car asking "are we there yet?", and developers get annoyed by incessant users asking "is this fixed yet?". In both examples, the question's answer is obvious.
Spamming a bug with comments like "why isn't this fixed?", "this bug still annoys me", "don't wontfix this bug" and "this bug is really old and annoying, you guys suck and don't care" doesn't help fix the bug - I can't speak for other developers, but getting many useless emails about a bug only makes me more likely to remove myself from the CC list and forget about it. Having to read through 150+ "why isn't this fixed" comments to find relevant information doesn't help anything either. If someone takes the time to figure out where a fix for a bug needs to go, or contributes something, it's different.
I would be more than willing to contribute code under contract for this project. Unfortunately, my services do not come free.
Mozilla is free. Many of the people who fix bugs (for example, me - you'll have to copy and paste that URL) aren't paid. Whining about volunteers not fixing a bug you care about doesn't do anything. Insulting them is even less productive. If you don't have anything constructive to say, don't bother people.
My server
I would be more than willing to contribute code under contract for this project. Unfortunately, my services do not come free.
I know this that was probably just an indignant reply, but I think you escalated it too much.
Out of curiousity, why should one expect to be paid to contribute to a product they themselves get for free? Free software generally doesn't allow the users to control the priority of bug fixes, and it's not as if they have a big enough budget such that they can pay people to fix the bugs they themselves complain about.
If you want a specific timeline for a particular project, rather than letting the (unpaid) developers perform their own opinion of how a bug triage should prioritize bugs, I suspect that you'd have to contribute.
Just a thought concerning security....
Since there are so many now switching over to Firefox, it would seem wiser to put the stable release on the front page with a link perhaps to the preview release. I spent a good deal of time trying to track down the stable version and was successful only because I know FTP protocols and practices.
All the new venturers to Firefox will be trying out a buggy and potentially insecure release, all the while thinking that it is the official release. (Let's face it, most people aren't that aware.) And if Mozilla wants the general public to begin using it, you can't NOT provide immediate and clear access to the stable version for crying out loud!
...disable referrer logging (press , for happy Opera users).
This signature is intentionally left blank.
"you're bitching that they won't pay you to work for them, when you don't pay them for their product?"
And complaining about how slow they are to fix their free product.
I knew a guy who participated in a church program to distribute donated furniture to the needy. They showed up at one house and the lady told them to take the couch back since it didn't match her drapes. For some reason, he stopped participating.
FOSS means that you don't have to wait for someone to change program behavior if you do not want to do so; however, it also means that you don't have any leverage if you want them to change the behavior for you -- they will always be happy to refund your $0.
Hmmm. That's a rather difficult conclusion to reach if you really read the article and think about it. Alex accepted the blame where he messed up, and noted other places he wasn't sure about.
The fact is,the other person should not have reposted someone else's blog entry without permisison.
The article was quite insightful. Hopefully it will lead to a better process.
This guy made the #1 mistake you can make when it comes to bug advocacy. He assumed his bug was more important than all the others. It had to be fixed now! Now! Now! Now!
Which can be entirely correct, but you don't get anywhere by running around like chicken little trying to make everybody look at your bug. They heard you the first time. If you don't have any new substantive information to give them, sit back and relax. People never respond to selfish requests well. It can even discourage them from taking a look at it.
>Whining about volunteers not fixing a bug you care about doesn't do anything.
Welcome to the real world. This is why companies have sales people/help desks/managers. The OSS model does away with it, and so now you see why they are needed.
>Insulting them is even less productive. If you don't have anything constructive to say, don't bother people.
Sort of like putting up your code for everyone to see and reviewing it (isn't this one of the strenghts of OSS?), people will look at your application. And they will critize on it. Don't want to hear what they have to say, don't listen.
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
Well, maybe you should have RTFP (read the ... post)! :-)
That doesn't really tell you WHY you need to do that. When I saw it, I assumed it meant that there was a bad link or something. Not that they were sending people linked from Slashdot.org to /dev/null. The Slashdorks really need to take more responsibility for the Slashdot effect. They cause the problem, they should at least admit to that instead of having these cryptic messages saying that you need to paste the link or click through. How lame is that?
Un-news
This bug was a security bug in part because Firefox 1.0 changed the default download directory so that downloadable files were saved directly to the desktop.
Microsoft is always criticized for having bad defaults. In this case, having the default download directory be the desktop was a bad default. I would argue that you wouldn't neccessarily do bad to create a folder for each downloadable file. No one would be annoyed by that, and it would provide protection in the file system for any future holes.
You could also have a "recently downloaded files" directory on the desktop. Even a shortcut to "Location of downloaded files". Mozilla has been known for its innovation. Using the desktop is not innovative--the desktop should never be a permenant storage location. Everything Microsoft puts there is a shortcut.
I also question whether it was wise to change or set defaults in a "1.0" milestone release.
First off, if someone reports a bug, it should be ASSUMED that there is a potential security issue there, until proven otherwise. Why? Because there are generally side-effects. Even if the bug doesn't directly do anything nasty, it may very well cause something unintended which, in turn, causes something else unintended, and so on. Programmers generally talk of such effects "cascading" or "snowballing", because the effects usually do build up over time. Sooner or later, this will result in a corruption of data, a program crash or an exploit due to insufficient value checking.
There are two classes of bugs in a computer program. Those that cause the program to crash, and those that don't. The second type are much harder to track down (because you've no real indication of where the problem started), but they are generally much worse and much more prevelent.
The "correct" way to handle bugs is to assume that (almost) any problem puts the software at risk of a non-fatal bug that could (eventually) destabilize the program or open an exploit. Spelling errors in text messages are probably OK, but even there, if you're placing them in fixed-length buffers, it is saner to check and be sure that the risks are low than to ignore apparently trivial "appearance" stuff that could be catastrophic. I've seen programmers give themselves buffer overflows, I've even seen programmers rely on certain OS quirks when an overflow occurs. The code may not be portable, and it sure as hell isn't safe, but it does work.
(I've actually seen some code that won't run, unless the debug flag is present. The code will actually segfault if the extra padding the debug data creates is not there. Not from the Mozilla team, this was in a prior place of employment, but it does demonstrate that coding is not just about making something "work" it's about making it work for the right reasons.)
Now, the Mozilla team is probably simply too small to regard every bug entered in their database as a potentially critical show-stopping security hazard. This, however, reflects more on the userbase than on the Mozilla folks. Open Source works if, and only if, the "lots of eyes" out there looking for problems also translate into "lots of hands" for fixing problems.
Sure, not everybody is going to be a coder. So? If a mere 1 in every 100 users took the time to chase down not only the bug as seen, but at least some of the prior bugs that that bug depended upon to do anything at all... Mozilla would be in a lot better shape.
Politics in projects don't help. GCC and Glibc suffer badly from a management style that can be diplomatically summed up as "Old-Style IBM without the money - or the justification". There's a lot of "Not Invented Here", "Somebody Else's Problem" and "It Works For Us", although the GCC team is apparently a lot better than it used to be.
The moment any project suffers from any of those three things is the moment that it is under a self-imposed sentance of death, to be carried out the moment a better alternative arrives, where the only possible hope of a reprieve is to tackle those attitudes and eliminate them.
9 out of every 10 security bugs are caused by a fault in attitues, at the time of coding or later, and not by any fundamental nature of computing.
BTW, this is off-topic, but biologists and geneticists are mourning the passing of one of the three scientists who discovered the structure of DNA. The BBC is reporting the death of Professor Maurice Wilkins, aged 87. He died in hospital, no cause was given.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Give me the robot perspective!
http://www.stanford.edu/group/floss-us/
:)
:
You're very close, so close we say you got it
according to the URL, FLOSS is for
Free/Libre/Open Source Software
Libre being french word for "Free"
If you look like your passport photo, you're too ill to travel. - Will Kommen
I'm flabbergasted that the mozilla security people seem to think that "hiding" a previously public bug after it's noticed that it has security ramifications is an effective way to keep black hats from noticing it.
I think it's safe to assume that black hats interested in finding 0-day security holes in mozilla have already, or soon will create a mirror of the bugzilla archive, with history. Then they can look for bugs that are suddenly removed from the public bugzilla archive, and have some very good candidates for fresh security holes.
And there's no way the mozilla security people can effectively combat this. At best they get into a technology arms race with the black hats, trying to figure out what techniques they're using to spider and mirror the archive.
Once a bug is posted to a public bug tracking system, even if it's only been there for an hour, you might as well give up and assume it's widely publically known.
Oh and in my personal experience, the best way to get a security bug fixed once you discover it is to immediatly write an exploit, clearly flag the bug as a security hole, and post it to a public forum with a sifficuently broad readership that someone in a position to fix the bug will, be that the project's BTS or bugtraq.
see shy jo
Not sure if anyone noticed.. but this post happens to support some of the anti-Linux talking points:
Linux developers are lazy and/or fickle. They will work only on what they want to work on.
"...only makes me more likely to remove myself from the CC list and forget about it."
There is little/no money to be made from developing Open Source
"Many of the people who fix bugs (for example, me) aren't paid."
It is not a bug in Mozilla. It is a bug in Firefox.
Please don't confuse Mozilla users with security bugs that are not in their browser.
Running Mozilla or Firefox in a chroot environment would greatly enhance security.
I recently tried to get this working but didn't have much luck (haven't given up yet). There isn't much info on the web.
I currently run Firefox under a separate user ID, which is better than the default.
Any suggestions to get chroot working with Firefox?
or just drag it and drop on the tab bar (over an existing tab to load there, or onto an empty space (or the 'x' button) to create a new one)
The article author writes:
:(
By "regular contributor," I mean someone who files good bug reports and typically doesn't file UNCONFIRMED bugs.
This is more of a question. How do you file a "CONFIRMED" bug? If I personally file a bug, I've always thought that someone else steps up and tests the bug. If he/she can reproduce the bug he changes it to "NEW".
Have I done it wrong all the time?
'...runs the serious risk that a security flaw will not be addressed promptly or effectively since we are relying on the goodwill of programmers. How do we ensure "goodwill"?'
With donations.
(Donations are 'goodwill' in the other direction. Give me some goodwill -- preferably large enough to fund a bounty -- and I'll return some goodwill.)
Read Heinlein's 1953 Revolt in 2100, now more than ever.
The "Libre" is there to "thoroughly describe the movement in one acronym". This is becasue of the dual meaning of the word "free" in the English language. The French have two words that translate to "free": Libre and Gratis. The later refers to cost rather than freedom and "free-gratis" software such as Acrobat Reader, Yahoo Messenger or Bonzi Buddy have nothing to do with the movement.
I agree that the acronym is unfortunately rather stupid. "Remember kids to use FLOSS daily"...whatever...
Wow.. one post, so much criticism. I honestly haven't experienced that on /.
;p
/. ) I was flamed.
Guess it's not a good idea to criticize Mozilla developers
OK.. allow me to respond to all of the replies in one post.
1) Bug reports = good. Insulting bug reporters = bad.
As a developer, I'll tell you that having your customers report bugs to you is a GOOD THING. Something that you want to ENCOURAGE. There is no amount of alpha or beta testing that can substitute for real world use. However, I've been encouraged by this experience to very much just "shut up and take it or leave it" (paraphrasing from one of the more colourful indignant replies I alluded to). I'm not going to report more bugs if this is the response I'm going to get to them. Which is a BAD THING for the Mozilla project.
2) Encouraging and reminding developers = good.
Developers are human beings. They can forget, get distracted, etc. And like all people, sometimes it's a good thing to remind them of outstanding issues. Perhaps they forgot about it? Perhaps they've completed the task, but haven't checked it in? Perhaps the guy responsible for the bug has too much work on his plate, but is reluctant to say so without being prodded.
Certainly, a post every few days asking if the bug's been fixed is just about as annoying as "are we there yet?" queries on car trips with children. But that was not the case here.
3) There ARE paid developers working on Mozilla
Most of them work for Netscape. I wouldn't doubt if there were contract workers as well. Personally, as an independant developer, I don't have the time or resources to program if I'm not being compensated for it. The question was asked why I don't fix it myself, and I gave a truthful answer. As a result (as here on
I hope this clears up any confusion.
I am the maverick of Slashdot
Anyone who is claiming that FLOSS is the perfect software development model is either trying to sell you something or simply mistaken. One of the weaknesses is simply everything is subject to interptation.
The people who find the bugs are often do not agree with the people fixing/writing the application. If you are using one of the "for profit" models, its easier to prioritorize bugs: you target the ones that are the most expensive first. With FLOSS it is the one that is most anoying. A bug might be the most anoying bug in the world but if the core team is not going to hit it they aren't inclined to fix it.
What is implied in the FLOSS development model is that the reporter is savy enough to jump into the code and either fix it themselves or give enough inside help to someone who can to cut down the fix time. When this does not happen you have problems.
In short, OSS is IMHO a better model for colaborative project development. However no one should ever believe it it is perfect. Everyone must remember that neither colaboration nor agreement are guarenteed with FLOSS.
He seems to have gotten a bounty from the Mozilla Foundation for this.
...it's also insightful. Would it really hurt to use the Coral Cache in cases where sites specifically block Slashdot as a referrer? Especially given that Timothy posted a front-page story announcing it?
Ph-nglui mglw'nafh Gates M'dna wgah'nagl fhtagn.
Yes, ideally all bugs are fixed even more rapidly. But originally this wasn't marked as a security bug, and nonsecurity bugs often take more time to fix than you'd wish in any development process:
What changed everything was marking it as a security requirement. Here I agree with the author - the author should have identified this as a security problem in the first place. And I'm really sympathetic to his sitatuation; we all make mistakes, and at least he reported the bug in the first place. Thankfully, a later reader DID realize this, and raised it to a security issue. As a security issue, suddenly the "unlikely" problem becomes "near certainty" since an attacker WANTS to cause trouble, and will work to cause the unlikely to happen.
And once it was labelled as a security problem - look at the speedy response! It was fixed in less than a half hour - that's extraordinarily fast in any software development process, OSS/FS or proprietary. It's even more amazing because the problem was in a completely different place than 3 previous developers had thought... so this was clearly not an easy bug to find and fix (at least for most project developers).
And Firefox is still at the "previous release" level, it's not even officially released! I routinely use Mozilla and Netscape, not Firefox, because Firefox THEMSELVES state that the product's not ready. When they say it's ready, I'll let other people try it out first; version 1.0s are often a little wet behind the ears (remember Windows 1.0? Probably not, and there's a reason for that). But once Firefox 1.0 is out for a little while, I'll probably switch to it; it looks really nice. Obviously a lot of people
Getting ansy about taking a little extra time to find a non-security bug, when the product can't be released til it's fixed anyway, and it's hard to fix, seems a little excessive.
The process issues he raises are interesting issues, and they're certainly worth addressing. E.G., how do you "make secret" that which is already public? But I'm sure there are many possible answers; discuss, pick one, and move on.
- David A. Wheeler (see my Secure Programming HOWTO)
Konnichiwa, FLOSS, FLee Open Soulce Software... it's sperred light, i think? ^_^
Gomen na sai, my sperring not vely good. ^^;;;
Today's Headline - A Security Bug In Mozilla - The Human Perspective
;o)
Tomorrow's Headline - A Security Bug in IE - Sweet Jesus, Microsoft Fucking Sucks Yet Again
Don't worry, I hate Microsoft too
The grandparent poster asked for the user community to assist the developer community by minimizing noise while still adding useful information. This is akin to asking for quiet at a public meeting -- it's not saying the meeting is useless, or that the meeting should be private, but that excessive noise hampers progress of the meeting. Your argument would then be that public meetings need sales people/help desks/managers. Public meetings have been held for centuries without those acoutrements. Some public meetings collapse due to excessive interruptions (e.g., protests), and such collapses may or may not be in the best interests of those doing the interrupting.
All the grandparent poster is trying to do is direct the user community's energies in a more productive manner. That being said, to the extent whining exists, it suggests that the feedback mechanisms are lacking -- there should be some form of voting or something that is visible and powerful enough that most people are satisfied with "whining" that way.
The Busy Coder's Guide to Android Development
...I'm Boba the Fett.
I bounty hunt for Jabba Hutt
to finance my 'vette.
FLOSSing by itself is not enough. You must also BRUSH to prevent tooth decay and maintain your health.
>the user community to assist the developer community by minimizing noise while still adding useful information.
And I'm saying that the real world doesn't work like this.
You put up your code/application for the public, its like releasing a movie you directed/acted/produced. You will get Joe Blow commenting in highly unhelpful ways. You will get written up in newspapers by movie critics and trashed. Internet forumns will have long discussions on exactly how best to quantify how bad your movie was.
>to do is direct the user community's energies in a more productive manner.
He is basically telling people to stop whining to him because its distracting and he's not getting paid to listen to them. I'm not sure how this is directing the community energies into some thing productive. He might have asked them to "be productive" and get him some coffee.
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
Whining about users who complain about a bug or broken functionality also won't do anything. Users are users. They will not change to suit your needs.
If Linux is a geek toy, then you can get away with the parents' attitude. If FLOSS is the-best-ever-and-even-my-grandma-runs-it then you are going to have to be mindful of the complaints of users who cannot solve coding problems themselves, much less describe what code block is causing the problem.
I fail to see any difference between the parents' attitude and the apparent attitude of Microsoft towards all the people who whine about PNG functionality in Internet Explorer. "I'll fix it if and when I damn well want to, I've got better plans for this weekend, and in the meantime go suck eggs" seems to infuriate everyone.
FLOSS needs to accept both accolades and shame. Your average person will not tend to be zealous to the point of being antisocial when they seek a new feature. However, that same person will not feel nearly as restrained when a longstanding bug is driving them up the wall. Whether you are paid for your efforts or not, you are either a conscientious craftsman or a hack. Your attitude as much as your skill will determine the apt description. Those comments are merely the most visible way that users have to suggest that a coder is the latter.
If you care for your HOME data then create a dummy user to run Mozilla and other 'unsafe' programs.
Sudo or ssh can give you the rights to execute those programs on the dummy user account without having to give a password.
I know this that was probably just an indignant reply, but I think you escalated it too much.
Not really, if he's honestly trolling for a sponsor. One way to reprioritize an OSS bug, other than fix it yourself, is to hire someone to fix it for you. If all these folks are so worked up about a problem not being solved, let them hire a developer to fix it. I'm sure the mozilla project would review his patch, if he went through their process to contribute it.
Lots of folks ask how programmers will ever make money if OSS becomes mainstream. Well, this is the method.
It's certainly not all right for someone to publish a vulnerability without contacting MS; any responsible FOSS developer will agree. However, once a security vulnerability is in the wild, it's in the wild, and pretending it doesn't exist will not help matters any.
The big beef most FOSS developers have with MS lies in the fact that the current rendering engine for MSIE, Trident, is obsolete, MS acknowledges it as such, and yet still refuses to overhaul it. I quote from Wikipedia (emphasis mine):
Now, this is a problem because many Windows users use versions of Windows which are obsolete: 98SE, ME, 2000. When Longhorn comes, this trend will of course hold true: people don't rush to the stores to buy the newest Operating System version. This means that people will be using still old versions of MSIE long after IE7 comes, which will, of course, be unsupported by MS because they don't want to trail support for 5 or 10 different versions of a single product.
Finally, tying the web browser to the OS version ensures that a product that is upgraded for free today won't be in the future: remember, you may get the "newest" version of MSIE for free, but you must pay $50 or $60 (if memory still serves) for a new version of Windows, not counting the hardware upgrades which prove necessary. Most people will think that the old version works "well enough" and blissfully go on surfing the Web. Remember, security vulnerabilities are such because they're not obvious.
In conclusion, FOSS developers do not criticize MS for keeping quiet about security vulnerabilities which do not yet have a fix; they criticize it for denying the need for a complete overhaul of their application even faced with massive evidence that their rendering engine has given what it had to give; instead, they concoct a scheme to force users to upgrade (spending money they might not have) in order to keep their data safe.
I use the following shell script to create hourly backups using rsync. It was taken from a very nice tutorial called something like "easy automated backups using rsync". Google should find it.
:)
o ther/dir/partition/or/system
Ad the script to an hourly cron cycle. All the backups will take only ORIGINAL_SIZE + CHANGED_FILES_SIZE. This script does 9 backups spanning nine hours into the past. Or days, or weeks or whatever you set your cron cycle to.
You can restore from backups simply by copying the desired file from one of the bak.n dirs. Of course, subversion or CVS will give you nice backups as well but this is pretty easy to do.
If anyone has any suggestions for improving the script, please reply!
#!/bin/bash
SOURCE=/home/someuser
DEST=/some/
rm -rf $DEST/bak.9
mv $DEST/bak.8 $DEST/bak.9
mv $DEST/bak.7 $DEST/bak.8
mv $DEST/bak.6 $DEST/bak.7
mv $DEST/bak.5 $DEST/bak.6
mv $DEST/bak.4 $DEST/bak.5
mv $DEST/bak.3 $DEST/bak.4
mv $DEST/bak.2 $DEST/bak.3
mv $DEST/bak.1 $DEST/bak.2
mv $DEST/bak.0 $DEST/bak.1
rsync -a --delete --link-dest=$DEST/bak.1 $SOURCE $DEST/bak.0
# End script
"A few great minds are enough to endow humanity with monstrous power, but a few great hearts are not enough to make us w
So.. please help me understand how this reflects so poorly on the Mozilla developers? Also, how does the way this was handled put them in the same crowd as MS? Especially after MS is caught sitting on serious security flaws for six months or more then sneaking the patches into a service pack without ever telling anyone the flaw existed?
Its FOSS not FLOSS! ..and security si a 2 step or 2 parts of a whole:
-Finding bugs
-Clean/Clear Architecture
implying that finding bugs is imperfect as far as fixing security is a misnomer as it never was designed to fix security..the architecture was!!
For example, in inventory audits its not the coutners accuracy that you depend on becasue they are only minmum wage and not skiled..you depend upon the framework of the audit to gurantee some accuracy by using analysis and stts..
Same principle applies here..
Don't Tread on OpenSource
If you are a professional, as in a company pays you to do this, then they listen to you for that reason. You test, hand a list of bugs back, the programmers get them and the cycle goes on. You know they'll listen to you since they are paying you to do this. Also the programmers will work on them since they are paying them to do so.
Well OSS is a whole idfferent ball game. First, just because you report a bug, doesn't mean the developers will listen to you. You are, after all, just some guy on the web. You have to convince people that yes, it really IS a problem.
However the bigger problem is motivating people to action. You are talking about a loose group of people working on a project becasue the feel like it. You can submit a report, people can understand it and believe you, but just not feel like working on it.
That's the reason why so many OSS programs have shitty UIs and piss poor documentation. The pwople that maek them don't ocnsider that interesting, so they don't spend time on it.
I totally gave up reporting bugs on Mozilla, not so much because I was flamed but rather because I was ignored. Now before you go thinking that I'm just too sensitive and I should get a life, it's not that at all. Any response or lack thereof from a company gives a clear indication of what they think of their customers, and whether Mozilla likes it or not they need our support to make their product go. I'm happy to add support to my web site to make it run with Mozilla, but I also expect them to step up and fix bugs when I report them, especially when something stopped working in Firefox that worked before in 1.x. After reading this article it makes me think all that much more that working with Mozilla is a waste of time. If they can't handle the big stuff then how are they going to handle the little stuff. I've lamented before in my bug reports that too much effort is going into new feature development and not enough into bug fixing. Yeah, they'd rather do cool new stuff than work on fixing bugs, just like any other developer. But I've just gotten kind of tired of coddling the Mozilla developers because I get something for free. I'd rather pay a couple of bucks for a good product than waste my time reporting bugs that go unfixed.
If you don't want crime to pay, let the government run it.
Gives opera users another reason to laugh.
I'd like to add that a little money can go a long way, when you have the right incentives in place. Look at the OS Apple can make on a fraction of Microsoft's budget for a fraction of Microsoft's userbase.
Why do I keep typing pythong?
The issue is not people critiquing the application; it's people who act as if their critique is somehow more important than the other million critiques. Further, when people do that, they make it more likely that relevant readers will stop following the thread (because they follow your advice). That makes it less likely that the bug will be resolved for people other than the complainer. Thus, the complainer's behavior hurts not just the complainer (justified) and the developer, but everyone else.
Also, the OSS model does not do away with help desks; it just charges for it separately. Since many people in the OSS model are freeloaders, this means that they don't have access to the help desk. The proprietary model gets around this by requiring you to buy the help desk to get access to the software.
...where the referrer header is required? Besides webstats, what use are they?
I turned mine off awhile ago (just because, it's no one's beeswax where I have been just before) and haven't noticed anything different about my surfing, that's why I am asking....
Somehow, however, the quality of the product hasn't suffered; lots of work continues on Firefox. In the past, before open source, such a thing would be a death nell to a software project.
the outcome of this story is:
/home/Download /home/Download /home/Download /home/Download
/home/firefox/firefox/firefox&"
# adduser firefox
# mkdir
# chown firefox:me
# chmod 770
$ cd ; ln -s
New command line for browser is:
sudo su firefox -c "nohup
That's what you missed, listening to anyone with any level of maturity and experience in the OSS community . Red Hat doesn't say that can NEVER happen with OSS. Linus doesn't say its IMPOSSIBLE for OSS software to ever have bugs or security issues that aren't found and fixed. The Debian developers don't claim they have fixed every single potential bug in every single package they put out.
One of the most annoying things users do is pick one single instance and say "HA!!!, this proves OSS is whatever". Newsflash, one OSS project doesn't=every OSS project. There is well written and secured OSS code out there and there is shoddy insecure OSS code out there. Nobody ever claimed that OSS is a panacea for all security issues.
Nice straw man though. Insightful my ass.
If you wanna get rich, you know that payback is a bitch
Master Chief dies at the end. Even if you didn't agree with his gun policies, he was truly an american icon.
This bug can check for existance, but it can't check contents. For that, you'd need to have a form, but forms are handled specially for how data can get in them to prevent that sort of thing (and you can't "read" from a loaded image with javascript to populate a form).
I think the DoS is the nasty part, however. Really there needs to be a sort of contextual protocol permissions check somewhere. Like that only file:// pages can load file:// without user intervention... (this limited to Navigator and Mail). And that the file:// protocol handler on *nix does a sanity check on file type too...
That I'm sure can be handled in nsLocalFile.cpp trivially and would at least prevent a DoS.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Spamming a bug with comments like "why isn't this fixed?", "this bug still annoys me", "don't wontfix this bug" and "this bug is really old and annoying, you guys suck and don't care" doesn't help fix the bug
On the flip side, each program has its own bug tracking system, with its own specialized demands for information that I have to hunt up and assemble in its own specialized manner. Furthermore, I have to localize the bug and provide a reasonable testcase. And after spending that time to help you find a bug in your program, to be told that "nobody uses that feature", or worse yet just ignored, isn't amusing and encourages me, in the future, to work around bugs instead of reporting them, since we know you aren't going to fix them.
The "repost" was a (very gentle) reminder that the information was ALREADY public. Of course the blogger can remove the reminder... but the cat WAS out of the bag. There was no need to edit the past.
The fact is, a gentle reminder is a lot nicer than a good flaming. And funnier, to boot.
Ratboy
Just another "Cubible(sic) Joe" 2 17 3061
Provided that you are willing to declare OSS a hobbiest thing and not for serious consideration by bussinesses. If the rule is "It might get fixed, if we feel like it" then it's not something that can really be considered to be on the same level as commercial sofware.
That's fine, but it's mutually exclusive with the "OSS is much more secure and fixed much faster/better than commercial software." If that is the case then OSS developers, espically for major projects which are used as examples of OSS ruling, need to be on the stick with it and have to be held to the same standard.
Personally I have no problem with the view of OSS being for hobbiests. However I'm not going to say that it's more secure and has less bugs than commercial software.
In business, if a virus sweeps your network and deletes 10-15 peoples home directories, no sweat. You tell them to keep working, and one at a time restore their files from the backup you did of those directories yesterday. (Any non-braindead company I would hope would be doing daily backups of user data). But if the virus takes out the *OS*, thats a whole other ball of wax. The sysadmin, who is a limited resource, has ot go around to N machines and re-install/re-image them. And for the hours this takes him, all the people involved cannot do any work. So you're basically throwing thousands of dollars of salary per hour down the toilet.
Welcome to the real world. This is why companies have sales people/help desks/managers. The OSS model does away with it, and so now you see why they are needed.
Needed for what? Free Software is not Big Business!
Software Wars
Nooooo! I am such a fool! After reading about this bug, I wondered to myself if I was vunerable. So I ran the Testcase HTML and clicked "Save."
" "/home/hamish/Downloads could not be saved due to unknown error" I open up a terminal (feeling slightly queezy) and...
Bugger bollocks damn damn damn. I am officially the stupidest person in the world - King of the noobs.
It's actually rather interesting... I do still have permissions to the Downloads directory, and it is flagged as a still a directory, but it is now of size 77824 bytes. Also its contents are still viewable but not accessible.
Anyway, note to self: Stop reading bugzilla! Stop reading slashdot! Sort life out.
For what its worth, a bunch of the people working on Mozilla and Firefox are paid by IBM.
My server
As an example, I use the GIMP (on Linux) for image processing. I could use Photoshop on Windows XP.
Purchase Costs (Australian Dollars):
GIMP: $0
Linux: $0
Total: $0
Income Tax: $0
Total Tax Paid: $0
Adobe Photoshop CS? : $1172
Windows XP Pro : $599
Total : $1771 (GST: $177.10)
Income Tax : $531.30
Total Tax Paid : $708.40
There are lots of caveats to how these figures were created but I'm too busy right now to go through them all. Here's one:
1) I choose my own income level, so I can choose to get paid $2302 dollars less in a year (and have more time to myself) and not pay the income tax if I don't need to purchase software.
As an aside, I've never used Photoshop so please don't count me as a "migrating user sick of commercial offerings".
Second line is 8 syllables. You fucking queer.
You're seeing the effect of bug 179944 ( http://bugzilla.mozilla.org/show_bug.cgi?id=179944 ). To learn how to apply for the "canconfirm" privilege on bugzilla.mozilla.org, which grants the ability to file NEW bugs or to change UNCONFIRMED bugs to NEW, read Bug Triagers' Guide and Before you mail Gerv. If you're good at reducing examples of Gecko misbehavior to test cases, you may want to apply for "editbugs" as well.
'--link-dest' option. It ensures that only modified files are actually stored multiple times. All files that are identical from backup to backup are hardlinked instead.
HAND.
So some other helpful chap modifies a mozilla patch to make it work for firefox, puts it in the build, and it doesn't solve the problem - hm, did he not test the patch? Why is the patch still in there if it doesn't work? Maybe the article words this funny and I'm mistaken, and I'm not going to read the code to find out, but that sounds a bit strange.
Is this a fixed bug? I just tested the above in a firefox 1.0PR1 in a basic HTML file and nothing nearly as bad as not being able to type happened. In fact, seemingly nothing happened (other than the image never appeared to finish loading).
So, Maurice Wilkins, the son-of-a-bitch who showed Rosalind Franklin's photographs, without her knowledge, to misogynistic loudmouth James Watson and mealymouthed Francis Crick, and therefore got to share in the Nobel Prize for the structure of DNA, has finally died.
I have seen from several sources that he was the one who shared her photos with Watson and Crick. In Franklin's biography, Rosalind Franklin: the Dark Lady of DNA, biographer Brenda Maddox presents information that suggests Wilkins had been hard at work all along to usurp Franklin's work. There was a long pattern of him taking her data while she was away on holiday or at conferences and discussing it with other scientists, analyzing it, and then presenting the analysis to her as a "surprise" when she returned.
Amazingly enough, she couldn't STAND him.
So the Watson/Crick thing was just the icing on a cake he'd been baking for a really long time.
Oh, and articles like this one in the Washington Post refer to him as the leader of the team. Um, no. He was about the same age as Franklin, kept trying to dominate her research, and finally ended up having to go into a negotiation meeting with THEIR supervisor, wherein Franklin got the best samples, the best instruments, and Wilkins was left with substandard samples and old instruments. Gosh, why was that? Because Wilkins couldn't get the same high-quality photographs that Franklin did.
He apparently got all resentful that she was "keeping all the data to herself" -- interesting how it played out that he stole her data and even after she told him to stop interpreting her data went off to discuss it with Watson. Not a vindictive bastard at all, right?
Good riddance, you slimy backstabbing scumbag. Better luck next time around in being a decent human being.
I can answer that one. The patch itself had landed on Mozilla trunk, but the corresponding code in Mozilla Firefox and the Mozilla stable branch still had the same bug. (A different bug than the actual security hole.) So, while the patch didn't fix the bug, it was still appropriate to check in.
Alexander J. Vincent
http://weblogs.mozillazine.org/weirdal