Mozilla Uncooperative With OSS Groups on Security?
An anonymous reader writes "In response to Firefox lead developer Ben Goodger's claim that "redistributions of the official Mozilla releases are never going to give you security updates as quickly as Mozilla", Christopher Aillon of Red Hat says that this is only because Mozilla doesn't play by the same rules as other OSS projects. He says that while other OSS projects work with vendors to achieve simultaneous releases of patched software, Mozilla does no such thing unless compelled to do so."
Sounds like the alleged rules involve keeping bugs secret until users of the code have updated it and/or changing their release cycle to accommodate this.
Priorities are not the same all over, and Mozilla should be focused on supporting their users. Those several days of warning are extra days of end-user vulnerability. As a Firefox user, I would feel my trust was misplaced if they did something else..
One other comment:
indirectly -- it still displays their branding
Correct me if I'm wrong, but other builds are not supposed to use Mozilla's branding anyway. The PowerPC G4-optimized build of Firefox contains only compiler/linker changes, and apparently can not use the same icon.
I read the above quote many times over and the person from RedHat's response. I kept asking myself over and over again...WHY? Because if Mozilla operated the same way other OSS projects do by default, I can only see good things out of this. I wonder why they choose to do things this way.
Where's the article?? It's just two short blog entries between two guys arguing over an issue. How is that news or "stuff that matters"? It's almost like reading two headlines. This has a feel of high school.
High school girl A: So Ben Goodger's claim that "redistributions of the official Mozilla releases are never going to give you security updates as quickly as Mozilla"
High school girl B: "Christopher Aillon of Red Hat says that this is only because Mozilla doesn't play by the same rules as other OSS projects"
High school girl A: No. He didn't.
[cat fight]
Except there would be no cat fight here....
I am saying that if Red Hat expects OSS projects to sit on security updates until Red Hat has a new package ready, that is just plain rude.
Are all users not equal in the eyes of Free software? We should all be able to have a crack at the security update as soon as it is ready. Some of us do in fact maintain our own packages. Why should we be forced to wait?
Those links seemed almost like the biggest non-articles ever to hit Slashdot. I asked myself... "is that it?" Links to some petty blog nonsense, basically.
Mozilla's problems aside, Aillon's point is stupid. Stupid as that picture of him imitating the Matrix, or whatever the hell he is doing. Basically, there doesn't seem to be any meat here, any story. Good work saving Slashdotters the time of RTFA-ing, because in this case, reading the article wouldn't have made any difference.
This may sound like the tail whining that the dog doesn't wag, but the vendors may have a legitimate complaint.
The potential for harm is if Mozilla releases a security fix, and the distros don't right away. There's a period of time in which Mozilla version x.y is vulnerable on FooDistLinux, and there's no reasonable expectation for the fix to happen for some period. Since the fix has been released, attackers are on notice that there are vulnerable systems out there, and they're running Mozilla x.y on FooDistLinux.
Now, mind you, I don't think that's such a big fat hairy deal. But the situation does put minor distros (anything not supported by the official Mozilla site) at a disadvantage. The perception is that the major players are "more secure", since you can get your fix straight from Mozilla.org.
I suspect that the vast majority of Firefox users are on Windows (simply because the majority of computer users are). They don't have the luxury of up2date or an apt-get repository and have to go to each non-Windows vendor to obtain updates. Why should Mozilla wait for someone maintaining a repository for a minority of their users before releasing an update for the majority?
I'm sure that's the official position, anyway. And of course they want to drive traffic to their site, and make a big deal about counting downloads.
Why should end users not be offered the same patches as soon as they are ready? If it takes a vendor 24 hours to get a new package out, that sounds reasonable to me, but again, why limit access to the update for that 24 hours?
Just speaking to the theory here, once the 'end users' are notified of the hole, it's reasonable to assume that 'someone' is going to reverse engineer an exploit out of the patch.
On very large holes, the coordinated release allows the largest possible user base to have an upgrade path by the time the hole is made public. If all users were notified as soon as a source patch was released, but the source patch didn't apply directly to distribution X because of local changes to the codebase, a malicious user could (and will) create and circulate an exploit before that group can create a patch.
Note that the security community does not agree here. When OpenSSH had a massive hole, Theo went mailing-list to mailing-list telling people a workaround, and coordinated a very large release of information on a specific day. When DJB's students come out with their list of new exploits every year, they release them all on a webpage with zero notice to ANYONE, including the software vendors involved.
It's a matter of philosophy - are you in the game to protect the most people, or are you managing your software and letting other people worry about their users? I personally don't have a problem with Mozilla's practices - they still beat some other vendors, even if they're not as 'responsible' as the OpenSSH crowd.
Holding back by a few hours until vendors can merge the fixes with any customizations they have done actually equalizes the users, in that all end users have access to the fixes for their particular build at the same time, regardless of where they get their builds from.
1. Why make them all equal to the worst?
2. So Mozilla wait for Red Hat, I guess Red Hat have to wait for White Box? Does White Box have to wait for anyone who bases their product off of White Box? Seems to me we could all be waiting forever.
"simeltaneous releases of patched software"
This is OSS took to the extreme. One for all and all for one doesn't apply when people are at risk. If you don't release a fix ASAP then you're knowingly risking the security of peoples computers. Like it or not this is a ridiclous idea from the ground up.
Work together for the greater good, don't force others to work together so you all look good.
I don't see how Mozilla is in the wrong. It is up to the various Linux distributions to manage said distribution, not Mozilla.
I want Firefox security updates as soon as they are available on my Micro$oft box, why should I have to wait for distribution X to play catchup. It is said distributions job to maintain that distribution, not Mozilla.
Should I, the user, have to wait for important security updates because some distribution wants to repackage them? The answer is no.
If the exploit is public knowledge, or is known as being used to exploit by blackhats, then releasing the fix as soon as it is finished is best. If the exploit is not publicly known, and there are no signs it is being used, then a coordinated release is best. Not coordinating ends up leaving a window for blackhats to find out about the exploit and use the vulnerability on those systems that are not yet patched.
Holding back by a few hours until vendors can merge the fixes with any customizations they have done actually equalizes the users. . .
No, it egalitarianises the users. You can try to make a case for that if you want, but if that's what I wanted I likely wouldn't be running Linux in the first place.
Mozilla isn't obligated to offer you support. You are an idiot for firing an employee simply over a small software issue. Plus, any reasonable IT person would give users a CHOICE of IE or FireFox for quite a while, until people adjusted to the new software and the IT staff were certain that it would not conflict with existing systems (such as your intranet).
However, I'd like to note that Mr. Goodger should really learn how to develop websites for cross-browser compatibility. It looks like crap here at work, where we use IE. Being the lead-developer of a competing browser is no excuse for not having a website that looks good on ALL platforms.
Redhat makes its own modifications to Mozilla and Firefox maybe.
Linspire surely does but they at least work with the company to get them into the main tree so it's not so much of a problem.
Along with any number of big distros that do something to the original package.
All of which could have been avoided if said companies just used the plugin infrastructure to make their modifications and repackaged it that way.
How long can it take for package maintainers to update the source and run the package-assembly scripts?
I mean, it is automated, isn't it?
Mozilla guys are not obligated to wait until the slowest of the crowd gets its job done. And they shouldn't treat any OS/distro differently from one another.
If Red Hat feels having up-to-the-minute RPMs is all that important, they should compensate Mozilla Foundation for the additional hassle. If not, they should wait in line just like everyone else.
This article rips Ben Goodger's words so far out of context that it is not even funny...
Here's the original sentence with the quoted portion bolded:
If security is important to you, this demonstration should show that browsers that are redistributions of the official Mozilla releases are never going to give you security updates as quickly as Mozilla will itself for its supported products.
The context of Ben's blog post was the final release of the Netscape 8.0 browser which was based on top of the Firefox 1.0.3 source code. Ben was merely pointing out that this left the Netscape users open to attack. Netscape promptly released 8.0.1 built on the Firefox 1.0.4 code.
Mozilla is fulfilling its obligation to its users by producing quality secure products, not pandering to an OSS "community" which seems more intent on arguing about every minute detail rather than changing the way things are done.
To that end, Go Mozilla!
Mozilla is doing the right thing to release to users ASAP.
methinks you are in the wrong business if you design web-interface development apps that allow corruption of the source files due to a simple browser crash...
I have used Mozilla for over a year now and have been VERY satisfied with the release schedule especially as it comes to security releases. I get alerted with the little icon, I press icon, I download update, restart Mozilla, done. When it comes to security updates I do not want to see the release hampered because the distros haven't built it yet because quite frankly most of the exploits out there are for Windows anyway. No, I will not be transitioning to Linux anytime soon but I do support it where I can :).
I have no idea what point you're trying to make, but either way you are wrong.
If you're trying to make the point that people would be "screaming bloody murder" if distros released fixed without known exploits, you are wrong. For examples of *tons* of vulnerabilities without known exploits that have been patched by individual distributions, just take a look at this page:
http://lwn.net/security
You'll see that in general there is no coordination whatsoever between the distros. But no-one has screamed bloody murder.
If you're trying to make the point that people would be "screaming bloody murder" if distros released fixed for vulnerabilities *with* known explots without co-ordination, you are also wrong. In fact, just the opposite would happen -- if there is a known vulnerability, people want their distros to fix things ASAP, not sit on their asses until every other distro plus upstream has time to fix.
So, either way you are totally and unequivocally *wrong* about anybody screaming bloody murder about distros doing to Mozilla what Mozilla is doing here. Both happen routinely, and your stupid +5 comment is only misleading people.
Suck it up, admit that you are WRONG, that what you said HAS NOT A GRAIN OF TRUTH TO IT. Instead of trying to save face by playing word games, you need to publicly correct your mistake instead of trying to cover things. You are being an asshole.
The real problem here is not that Mozilla is releasing security fixes too quickly, or that the distros aren't keeping up.
The real problem is that a Linux application needs to be modified in some way by the operating system vendor before end-users of that operating system can use it. Think about that for a minute. When's the last time you had to go through Microsoft to download the latest copy of a 3rd-party application?
One of the selling points of OSS development has always been its decentralized nature. But here we are creating a centralized, artificial bottleneck by requiring that applications be customized by the operating system vendor before it can be used on that system. Talk about inefficient.
There's no reason why the application vendor should be exposed to differences in distributions. It's poor encapsulation, from a software engineering perspective, and essentially means that "Linux" is not a platform you can develop to. RedHat's a platform, SuSE's a platform, and there are a million other Linux-based platforms, but no one "Linux platform".
This sort of thing hurts everyone. End-users don't have the ease of use and speed of security updates they could with a common platform. Application vendors have to wait for the OS vendor to repackage their application before it'll work on that platform. Distro vendors have this huge recurring workload of having to repackage applications.
Why don't the distros just provide a common interface that application vendors can use for installation? Hiding the distribution-specific differences behind an interface would seem to make everyone's jobs easier.