Slashdot Mirror
Mozilla Uncooperative With OSS Groups on Security?
An anonymous reader writes "In response to Firefox lead developer Ben Goodger's claim that "redistributions of the official Mozilla releases are never going to give you security updates as quickly as Mozilla", Christopher Aillon of Red Hat says that this is only because Mozilla doesn't play by the same rules as other OSS projects. He says that while other OSS projects work with vendors to achieve simeltaneous releases of patched software, Mozilla does no such thing unless compelled to do so."
Sounds like the alleged rules involve keeping bugs secret until users of the code have updated it and/or changing their release cycle to accomodate this.
They may want to release the updates earlier, without waiting for whatever linux/bsd distro to updated their packages.
And it seems fair to me. If I run fedora, for example, if I'm concerned about security, I can always download and install their binary package. Because, for example, I couldn't find an updated rpm for firefox 1.0.4 (only a spec file)
I'll do the stupid thing first and then you shy people follow...
Priorities are not the same all over, and Mozilla should be focused on supporting their users. Those several days of warning are extra days of end-user vulnerability. As a Firefox user, I would feel my trust was misplaced if they did something else..
One other comment:
indirectly -- it still displays their branding
Correct me if I'm wrong, but other builds are not supposed to use Mozilla's branding anyway. The PowerPC G4-optimized build of Firefox contains only compiler/linker changes, and apparently can not use the same icon.
Ok, I do agree that OSS projects should supply security patches when they have them, and new releases as well, but what good does it do to let the vendors at them first?
Why should end users not be offered the same patches as soon as they are ready? If it takes a vendor 24 hours to get a new package out, that sounds reason able to me, but again, why limit access to the update for that 24 hours?
Ask Slashdot: Where bad ideas meet poor googling skills.
I read the above quote may times over and the person from RedHat's response. I kept asking myself over and over again...WHY? Because if Mozilla operated the same way other OSS projects do by default, I can only see good things out of this. I wonder why they choose to do things this way.
What's worse is the way the mozilla projects rarely seem to manage to put out an actual working source tarball. For the past dozen or so releases they've always released incomplete or unworking sources. Screwing up once is understandable, but to repeatedly omit things strongly implies that they're not interested in anyone using anything except their official binaries.
Where's the article?? It's just two short blog entries between two guys arguing over an issue. How is that news or "stuff that matters"? It's almost like reading two headlines. This has a feel of high school.
High school girl A: So Ben Goodger's claim that "redistributions of the official Mozilla releases are never going to give you security updates as quickly as Mozilla"
High school girl B: "Christopher Aillon of Red Hat says that this is only because Mozilla doesn't play by the same rules as other OSS projects"
High school girl A: No. He didn't.
[cat fight]
Except there would be no cat fight here....
EvilCON - Made Famous by
Those links seemed almost like the biggest non-articles ever to hit Slashdot. I asked myself... "is that it?" Links to some petty blog nonsense, basically.
Mozilla's problems aside, Aillon's point is stupid. Stupid as that picture of him imitating the Matrix, or whatever the hell he is doing. Basically, there doesn't seem to be any meat here, any story. Good work saving Slashdotters the time of RTFA-ing, because in this case, reading the article wouldn't have made any difference.
This may sound like the tail whinning that the dog doesn't wag, but the vendors may have a legitimate complaint.
The potential for harm is if Mozilla releases a security fix, and the distros don't right away. There's a period of time in which Mozilla version x.y is vulnerable on FooDistLinux, and there's no reasonable expectation for the fix to happen for some period. Since the fix has been released, attackers are on notice that there is are vulnerable systems out there, and they're running Mozilla x.y on FooDistLinux.
Now, mind you, I don't think that's such a big fat hairy deal. But the situation does put minor distros (anything not supported by the official Mozilla site) at a disadvantage. The perception is that the major players are "more secure", since you can get your fix straight from Mozilla.org.
Raise your children as if you were teaching them to raise your grandchildren, because you are.
I suspect that the vast majority of Firefox users are on Windows (simply because the majority of computer users are). They don't have the luxury of up2date or an apt-get repository and have to go to each non-Windows vendor to obtain updates. Why should Mozilla wait for someone maintaining a repository for a minority of their users before releasing an update for the majority?
I'm sure that's the offical position, anyway. And of course they want to drive traffic to their site, and make a big deal about counting downloads.
How is the parent comment offtopic? If anything, it's interesting. Mods on crack...
"simeltaneous releases of patched software"
This is OSS took to the extreme. One for all and all for one doesn't apply when people are at risk. If you don't release a fix ASAP then you're knowingly risking the security of peoples computers. Like it or not this is a ridiclous idea from the ground up.
Work together for the greater good, don't force others to work together so you all look good.
I like muppets.
Cute troll, but nobody that stupid would be able to figure out how to get a slashdot account nor would they be a reader of an OSS bigoted site. Sadly I do believe things like this happen in our IT world.
You can't divide by zero. It's illegal.
It's a common troll. Replace the software in question with whatever is being discussed. The tagline is the giveaway, "Needless to say, the $SOFTWARE_PACKAGE team offered no support whatsoever. I made the employee uninstall $SOFTWARE_PACKAGE from the machines and lets just say he's not with us anymore."
I don't see how Mozilla is in the wrong. It is upto the various linux distributions to manage said distribution, not mozilla.
I want Firefox security updates as soon as they are available on my Micro$oft box, why should I have to wait for distribution X to play catchup. It is said distributions job to maintain that distribution, not Mozilla.
Should I, the user, have to wait for important security updates because some distribution wants to repackage them? The answer is no.
It is "simultaneous", not "simeltaneous".
:o
No editor caught this?
Promote freedom; fight fascism.
If the exploit is public knowledge, or is known as being used to exploit by blackhats, then releasing the fix as soon as it is finished is best. If the exploit is not publically known, and there are no signs it is being used, then a coordinated release is best. Not coordinating ends up leaving a window for blackhats to find out about the exploit and use the vulnerability on those systems that are not yet patched.
Sounds like the whole vendor-sec debate again...
There are 2 extreme ways of doing security fixes.
The full disclosure method is to immediatly tell the world that you have a bug, even before you actually have a bug that fixes it.
The up side of this is that it informs sys-admins to stay away from certain programs or certain features in programs. Perhaps disable it until the bug is resolved.
The down side is that it creates 0day exploits, used widely by skript ciddies to pester those sys-admins who are not as observent.
The other method is to hide the bug, at least until it is fixed, possibly indefinatly.
The up side of this, is that it you can't exploit the bug just by reading bugtraq or something.
The down side, is that you may not have been the first to find that bug. Someone out there could be exploiting it, and you are not telling people their systems are vunrenable.
Mozilla does something in the middle, nearer the full disclosure side. They keep the bugs secret until they have a fix and they made a new release.
vendor-sec (To which Red Hat belongs) believes that the security hole should not be published for a period of time after the fix, to let it's members package the new release, and therefore make sure (smart) users will already be protected by the time the skript ciddies have a premade exploit.
Do you post on Chronicals of George?
Funny that someone from _Red Hat_ is complaining about an OSS not playing by the rules.
Nope. He is obviously an overclocker running SMP and he is referring to the rare condition where all of his CPU's melt at once.
We don't see the world as it is, we see it as we are.
-- Anais Nin
Is that a beer belly sticking out in that guy's Matrix imitation, or just the way his shirt hangs? Distinctly less Matrix-stylee if the former.
Mozilla isn't obligated to offer you support. You are an idiot for firing an employee simply over a small software issue. Plus, any reasonable IT person would give users a CHOICE of IE or FireFox for quite a while, until people adjusted to the new software and the IT staff were certain that it would not conflict with existing systems (such as your intranet).
However, I'd like to note that Mr. Goodger should really learn how to develop websites for cross-browser compatibility. It looks like crap here at work, where we use IE. Being the lead-developer of a competing browser is no excuse for not having a website that looks good on ALL platforms.
I do not see what the big deal is. The same day Mozilla releases an update for Firefox/Mozilla for Windows they release the tarball version for Linux. It seems to me it is up to the individual distros to put out the repackaged versions. The newest version of Firefox was in the Debain Sid repository 2 days after the "official" Mozilla update was released. Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)
Debian Sid LXDE Firefox 3.6.4
GNU/Linux and Firefox, surfing the internet safely.
I don't understand why a 1-2 days latency is such a problem for a distro. It's like someone complaining that cvs users get the fixes before they appear on mozilla.org.
/.
Summary:
- you're paranoid about security, get cvs updates every hour.
- you're seriously concerned about security, get the new binary as soon as you read it on
- you're lazy and you like it: apt-get install, 1-2 days after.
Redhat makes it's own modificatoins to Mozilla and Firefox maybe.
Linspire surely does but they at least work with the company to get them into the main tree so it's not so much of a problem.
Along with any number of big distros that do something to the original package.
All which could of been avoided if said companies just used the plugin infrastructure to make their modifications and repackaged it that way.
And that's good why? If a fix is out and I'm running something mission-critical, I want it now. If your distro is slow, get another distro - or better yet - install it your f**king self using the version Mozilla puts out. It's really not hard. Sometimes, I swear, I think some people would be incapable of installing software if they didn't have a package from their distro. Of course I imagine it's obvious what distro I use. ;)
No.
If you really need it that quick just use the release made available from mozilla.org and run it locally. Can we have some common sense please?
Ubuntu: If at first you don't succeed, blindly slap a sudo in front of it
So if a comment is critical of Mozilla it's automatically a 'common troll?' Give me a break, dude.
How long can it take for package maintainers to update the source and run the package-assembly scripts.
I mean, it is automated, isn't it?
Mozilla guys are not obligated to wait until the slowest of the crowd gets its job done. And they shouldn't treat any OS/distro differently from one another.
If Red Hat feels having up-to-the-minute RPMs is all that important, they should compensate Mozilla Foundation for the additional hassle. If not, they should wait in line just like everyone else.
http://www.dieblinkenlights.com
This article rips Ben Gooder's words so far out of context that it is not even funny...
Here's the original sentence with the quoted portion bolded:
If security is important to you, this demonstration should show that browsers that are redistributions of the official Mozilla releases are never going to give you security updates as quickly as Mozilla will itself for its supported products.
The context of Ben's blog post was the final release of the Netscape 8.0 browser which was based on top of the Firefox 1.0.3 source code. Ben was merely pointing out that this left the Netscape users open to attack. Netscape promptly released 8.0.1 built on the Firefox 1.0.4 code.
Mozilla is fulfilling its obligation to its users by producing quality secure products, not pandering to an OSS "community" which seem more intent on arguing about every minute detail rather than change the way things are done.
To that end, Go Mozilla!
To me the project management of Mozilla looks messy if not broken. They make it extremely hard for people to contribute because their policies resemble those of a closed source company much more than those of open source projects. Just look at the patch review debacle that happened a while ago. If it's that hard to get code in there why would a developer even bother to waste his free time on this?
Now if that kind of tight control would allow Mozilla to keep their deadlines it would at least be explainable but given the performance in the months after the first release of Firefox I think their way of doing things needs to be changed quite a bit.
First there was the Aviary branch "crash landing" which caused a lot of bugs that weren't fixed even months after the merge. Then there was the planned 1.1 release which was originally planned for March then moved to June and I'm willing to bet they are not going to make that date either. At least the Deer Park developer release is really imminent now (Monday?).
Next is the whole Mozilla-as-a-platform thing which is something that was hyped *years* ago and yet we still don't have anything close to resembling a runtime environment. Hopefully there will be a XULRunner release soon but apparently neither Firefox nor Thunderbird will be put on top of it soon. I think most of these issues are a direct result of Mozillas bizarre desire to tightly control everything and keep the open source community pretty much locked out.
The irony is that Firefox has some exciting stuff coming up (<canvas>, svg, better extensions manager and update system) and it really hurts to imagine just how much more could be achieved if Mozilla would just open up a little more...
Something that has irked me is that I can no longer use the official firefox extension type pages.
I'm running ubuntu with firefox 1.0.2 and the later security patches are applied, but their pages still tell me I should be running 1.0.4.
Pretty stupid imo.
Chris "Ng" Jones
cmsj@tenshu.net
www.tenshu.net
Mozilla is doing the right thing to release to users ASAP.
Read the comment. It's obviously a troll. What could Mozilla do to corrupt an entire project? (Maybe IE with the wrong ActiveX control)
And it's not the first time it trolls /.t hreshold=1&commentsort=0&tid=109&tid=106&mode=thre ad&cid=12598860
Look at:
http://linux.slashdot.org/comments.pl?sid=150270&
Open-source companies will sometimes play games and be uncooperative.
But Mozilla is a foundation, so why should it care whether users get its code directly from it, or through Netscape, RedHat, etc., as long the user's code is properly patched.
So, instead of encouraging users to only get the code from them, they should work with others to setup good patch processes that work for everybody.
No, I don't think you understand. This is just a piece of text that contains fill in the blanks for whatever software is being discussed. I saw this exact same piece, but with Linux instead of FireFox. That's how it's a common troll.
For Mozilla to wait to release security updates would increase the amount of time it takes to deliver security fixes. Mozilla's advantage is that it doesn't wait to deliver updates, so security holes can be filled quickly, unlike the competition.
methinks you are in the wrong business if you design web-interface development apps that allow corruption of the source files due to a simple browser crash...
sum.zero
I have used Mozilla for over a year now and have been VERY satisfied with the release schedule especially as it comes to security releases. I get alerted with the little icon, I press icon, I download update, restart Mozilla, done. When it comes to security updates I do not want to see the release hampered because the distros haven't built it yet because quite frankly most of the exploits out there are for Windows anyway. No, I will not be transitioning to Linux anytime soon but I do support it where I can :).
(Of course if the problem is out to the public, it should be patched as soon as possible, because paching won't aid the 'bad people' in finding out.)
Would you rather have a rushed patch or have them spend some time to do it right?
The same thing was posted a few stories down with "OpenBSD 3.7".
0 323&cid=12602399
http://developers.slashdot.org/comments.pl?sid=15
It's been done to death.
see subject.
I see the need for everyone to release server type updates at the same time, but not client things like web browsers. If there is a bug for Mozilla announced and your distribution doesn't have an immediate fix, don't use it. Ta-da! Use one of the many other browsers in the meanwhile.
Bwaaaaa they're uncooperative... Mozilla doesn't wait those extra days to release their patches so we can have them first... bwaaaaaaaaaaaaaa mommy!!!!
JESUS Christ PPl. Use a spellchecker!!!
We will start using spellcheckers once you other types of "PPl" stop using those fucking annoying acroyms and shortcuts because you're too lazy to type the entire word in!
He says there is need to: 'give a brief period of time for the vendors to catch up' A browser is a critical application for the end user - the update needs to come out ASAP or else the flaw will be exploited. There is no time to waste.
Makes you wonder. Are the programmers of mozilla totally incompetent? Is this a fault of C and everybody should switch to garbage collected languages? How hard would it be to watch those damn buffer overflows?
I think the big problem people should realize, is that "javascript is a can of worms". Literally. And if you disable it hotmail doesn't work.
I WANT MY BROWSER to be a simple VIEWER. I DON'T WANT it to be an ENTIRE PLATFORM. God Damn stupendus inventions.
What's wrong with mozilla source tarballs? Gentoo seems to be able to get every source release working on their distro within a day or so of mozilla.org releasing the code. Maybe the problem is between your keyboard and chair...
0 1 - just my two bits
This is not new, persay... however, it is getting very annoying.
The cow goes "tink"
If you look deeper, the real problem is that distributions like Redhat are messing with software they didn't write or maintain. What you get in a distribution is not the real Firefox - or the real glibc or apache. It's a slightly modified version, allways behind and never working the same with the original or with same software in a different distro.
I think Mozilla is doing a great thing of taking responsibility for their binary distribution for linux, just like they do for Windows and Mac.
A plugin that has a native component will probably not work the same if a distro uses different compiler or flags, or if the layout is different.
It is true that linux lacks the ability to upgrade binary packages from their home sources - you can upgrade consistently only the distro RPMs, so you're forced to manually upgrade anything you get from the project maintainers. This is also a consequence of distributions making people believe they are the center of the universe - and trying to lock in.
mozilla-firefox-1.0.4 hit the Gentoo tree the same day the official 1.0.4 version was released and had been moved to stable on most architectures by the beginning of the next day. The binary packages (mozilla-firefox-bin-1.0.4) was in the stable tree within two days, same timing as Debian.
Sorry, my karma just ran over your dogma.
It's a no-brain-no-headache copy-paste-failure troll you replied to. You'll see a variation of this post on the Slashdot story for OpenBSD 3.7 release.
Red Hat is basically a collection of several hundred separate OSS projects flying in close formation, each maintained by a separate team and integrated into an RPM for the installer to slide into place. Some of them are basically straight copies of the original, some of them are specially configured by Red Hat, some are more or less heavily modified. They are all different versions, and by no means are they all tracking the absolute latest release.
There are three or four major Linux releases like this, along with a dozen variants. All of these are "Vendors" that use OSS, as are the BSDs, commercial UNIX vendors, Microsoft, and Apple.
Most "other OSS projects" don't even know what versions of their software are being repackaged by vandors. In the case of commercial vendors, it's not even easy to find out. As far as I know yu can't even get a look-see into RHN without a license, and that can cost thousands of dollars.
There are really only a few a few high profile OSS projects with the time and money to do more than just stay on top of their own releases, and it's not at all clear that they should be obligated to do so. They're open source! They release code and make security announcements and if YOU care whether you're on top of the security of your software YOU monitor it and if YOU have some kind of security guarantees for your customers it's up to YOU to implement the tools to do it.
In general the assumption I've always made is that if I'm using OSS it's my responsibility to track it and stay on top of its security fixes... and make my own fixes if I think they're being lax. Having the ability to do that is one of the reasons you use OSS in the first place.
So...
If I download the Firefox source and do a G4-optimised build, I don't expect them to give me a heads-up ahead of time for a security fox. I'm not even paying for it: I'm downloading a copy of Firefox and that doesn't obligate them to me. Well, you know, unless Red Hat has explicitly established a tighter relationship with them than that (say, by paying for some kind of update service), they're not obligated to treat Red Hat any differently than any other person or group who's tracking their code base.
Other OSS projects don't. They don't have TIME to.
The program is licensed under the GPL, with all that entails. The logo, however, is not. Thus, I can hack and rerelease Firefox to my heart's content, but I can't use Mozilla's logo on it.
In the same way, RedHat distributes a branded operating system that uses a lot of GPL software. But you or I cannot just make our own "RedHat Linux" based on it - not without feeling the warm breath of lawyers on our necks. There are, nonetheless, repackaged and renamed operating systems based on RedHat, such as CentOS (who were recently enjoined from using trademarks of said "prominent North American Enterprise Linux vendor" on their site).
Although I find it annoying that, for example, Ubuntu's version of Firefox comes with a substandard icon as a result, the concept of the logo as a kind of proof of authenticity seems like a reasonable idea - it makes it clear whether or not a particular version comes from the Mozilla Organization or not.
If your comment title says 'Re: Foo', I'm not likely to read it.
Excellent point. That's where source distros shine. :)
Long live Gentoo.
I don't know about y'all, but I hate commercial linux distros, especially redhat.
I'd prefer to compile software from the source, rather than install some pre-config'ed package.
Mozilla is doing just fine, but I think it has the same overall outlook... 'if you're that stupid to use a package manager, then you gots to wait'.
the only permanence in existence, is the impermanence of existence.
... is that this is not a common spelling error. I wonder where in the English-speaking world "simul" is pronounced "saim'l" instead of "saimool"?
- I release the security change as a patch
- I make sure the patch works against a one-year-old version of my program and the current stable release of my program
- I let people on the mailing list know that a given patch is critical
Now, my project is essentially a one-man project, so I just post patches to the mailing list instead of using CVS. I can't talk about big projects; however it makes life a lot easier for distribution makers to have security updates be a single as small as possible patch that the distro guys can add so that they can fix critical security bugs without doing any other changes.I don't understand why all of the internationaization files need to be updated when a security patch is released in Firefox (I waited a few days before the Latin American Spanish version of Firefox 1.0.4 was released before updating)
Mozilla is doing just fine, but I think it has the same overall outlook... 'if you're that stupid to use a package manager, then you gots to wait'.
Only the sith deal in absolutes!
Can I get an eye poke?
Dog House Forum
and their CVS server is always available to the public. Just pull that instead of a tarball. Get the tag you want if you'd like a build corresponding to their release. It's really quite a bit easier than the tarball anyway. I've never had a problem with a tagged release from CVS not working.
.sig: file not found
The last time Red Hat had notification of a bug at the same time as the Mozilla folks, the packages were updated within 20 minutes (RHEL) to 24 hours (Rawhide).
That ain't a delay in anyone's definition.
If you don't release a fix ASAP then you're knowingly risking the security of peoples computers.
More people used packaged distro software than tarballs. If you don't notify the vendor ASAP you're risking security of people's computers.
The real problem here is not that Mozilla is releasing security fixes too quickly, or that the distros aren't keeping up.
The real problem is that a Linux application needs to be modified in some way by the operating system vendor before end-users of that operating system can use it. Think about that for a minute. When's the last time you had to go through Microsoft to download the latest copy of a 3rd-party application?
One of the selling points of OSS development has always been its decentralized nature. But here we are creating a centralized, artificial bottleneck by requiring that applications be customized by the operating system vendor before it can be used on that system. Talk about inefficient.
There's no reason why the application vendor should be exposed to differences in distributions. It's poor encapsulation, from a software engineering perspective, and essentially means that "Linux" is not a platform you can develop to. RedHat's a platform, SuSE's a platform, and there a million other Linux-based platforms, but no one "Linux platform".
This sort of thing hurts everyone. End-users don't have the ease of use and speed of security updates they could with a common platform. Application vendors have to wait for the OS vendor to repackage their application before it'll work on that platform. Distro vendors have this huge recurring workload of having to repackage applications.
Why don't the distros just provide a common interface that application vendors can use to for installation? Hiding the distribution-specific differences behind an interface would seem to make everyone's jobs easier.
"Click here, a official security patch is available"
Have the program only display that if the message is signed properly by verisign.
Now here's the good part, let ANY site post the security warning in it's metadata. Then if the user doesn't want it to check into mozilla, the user can still get the message.
DON'T PATENT THIS, IT'S NOW PUBLIC DOMAIN by posting it here on slashdot.
Now the big question is, why the hell can't you rocket scientists think this stuff up yourself?
Now it doesn't matter if red hat releases a "old" version or not.
How long can it take for package maintainers to update the source and run the package-assembly scripts. I mean, it is automated, isn't it?
Yes. A good way to reduce even more the "when to notify" problem may be an automated security patch distribution protocol. Vendors sign up for security patches that they can then use to automatically create their own repackaged security updates in minutes. Vendors then vet in a few minutes (if at all) or whatever schedule they want. This should be much faster than a blackhat could get an exploit out and make the window of vulnerability small.
The security patch distribution protocol could be as simple as a defined email body, subject and attributes (priority, impact, affects-binary-directory-structure, may-affect-branding etc.) with OSS project public key signing. What types of patches are distributed this way would be precisely defined so vendors could automate with confidence. Optionally, if the vulnerability/patch isn't in the wild yet the contents could be encrypted so only trusted vendors could read it.
Much better to automate to reduce the need for a delay than to create a deliberate delay.
---
Are you thinking long term? Saving money by buying-of-the-shelf in the short term doesn't necessarily mean you'll save money in the long term.
It's a no-brain-no-headache copy-paste-failure troll you replied to.
Probably not a troll, a marketing parasite. The story's likely to be an outright lie trying to create FUD about using OSS.
---
Modern marketing - a great substitute for a quality product
This is like watching politicians. A never ending stream of complaints about each other. Wa wa IE this, wa wa FF that. If I was your Daddy I'd spank you all and send you to bed with no supper.