Slashdot Mirror


Mozilla Uncooperative With OSS Groups on Security?

An anonymous reader writes "In response to Firefox lead developer Ben Goodger's claim that 'redistributions of the official Mozilla releases are never going to give you security updates as quickly as Mozilla', Christopher Aillon of Red Hat says that this is only because Mozilla doesn't play by the same rules as other OSS projects. He says that while other OSS projects work with vendors to achieve simultaneous releases of patched software, Mozilla does no such thing unless compelled to do so."

11 of 239 comments

  1. Secrecy? by lachlan76 · Score: 4, Insightful

    Sounds like the alleged rules involve keeping bugs secret until users of the code have updated it and/or changing their release cycle to accommodate this.

    1. Re:Secrecy? by gclef · Score: 5, Insightful

      Honestly, Mozilla is in a lose/lose situation here.

      If they hold on to fixes until all the distros are ready, they get beat up for slow patch times compared to MS. If they release immediately, they get beat up by the distros for not coordinating with them.

      I think this is coming up because Moz is one of the first high-profile OSS projects to support both Linux/BSD and Windows. If this were (like most other Linux/BSD apps) an OSS-OS only app, then the lack of coordination would be a real issue. But, for the Windows folks, there isn't a distro to coordinate with, so Moz has to release as soon as possible. I'm with Moz on this, honestly.

    2. Re:Secrecy? by gclef · Score: 4, Insightful

      I disagree. Completely. It's in the general interest of everyone for the app writers and the distros to work together...the goal, after all, is for the end user to get patches quickly, effectively, and *before* there's an exploit. A lot of the distros have central patch distribution systems...these systems are the best way to get patches to the end user for that distro.

      If an app releases a bug fix without working with the distro, it leaves the end user there to get screwed...either they wait for their distro to get the patch put together (running vulnerable code the whole time), or they break their use of the patch distribution system (meaning they have to either re-patch once the vendor releases, or never follow the vendor patch system for that app again). This isn't a choice we want to be giving the users. The best result is *absolutely* a coordinated response, where the authors, the distros and the original reporter of the problem all release simultaneously.

      That isn't possible in this case, since there's no distro to work with for Windows. Mozilla is, in this situation, choosing to minimize the risk for their Windows users (who likely far outnumber their OSS users), at the expense of the distro coordination. It's not a fun choice to make, but a sensible one, given their situation.

  2. Nor should it have to. by Trillan · Score: 5, Insightful

    Priorities are not the same all over, and Mozilla should be focused on supporting their users. Those several days of warning are extra days of end-user vulnerability. As a Firefox user, I would feel my trust was misplaced if they did something else.

    One other comment:

    indirectly -- it still displays their branding

    Correct me if I'm wrong, but other builds are not supposed to use Mozilla's branding anyway. The PowerPC G4-optimized build of Firefox contains only compiler/linker changes, and apparently can not use the same icon.

  3. Re:I'm not sure I agree with this... by Rantastic · Score: 4, Insightful

    Just to clarify:

    I am saying that if Red Hat expects OSS projects to sit on security updates until Red Hat has a new package ready, that is just plain rude.

    Are all users not equal in the eyes of Free software? We should all be able to have a crack at the security update as soon as it is ready. Some of us do in fact maintain our own packages. Why should we be forced to wait?

    --
    Ask Slashdot: Where bad ideas meet poor googling skills.

  4. Making a story that isn't there. by Anonymous Coward · Score: 5, Insightful

    Those links seemed almost like the biggest non-articles ever to hit Slashdot. I asked myself... "is that it?" Links to some petty blog nonsense, basically.

    Mozilla's problems aside, Aillon's point is stupid. Stupid as that picture of him imitating the Matrix, or whatever the hell he is doing. Basically, there doesn't seem to be any meat here, any story. Good work saving Slashdotters the time of RTFA-ing, because in this case, reading the article wouldn't have made any difference.

  5. Whiny RedHat, or lazy Mozilla? by lheal · Score: 4, Insightful

    This may sound like the tail whining that the dog doesn't wag, but the vendors may have a legitimate complaint.

    The potential for harm is if Mozilla releases a security fix, and the distros don't right away. There's a period of time in which Mozilla version x.y is vulnerable on FooDistLinux, and there's no reasonable expectation for the fix to happen for some period. Since the fix has been released, attackers are on notice that there are vulnerable systems out there, and they're running Mozilla x.y on FooDistLinux.

    Now, mind you, I don't think that's such a big fat hairy deal. But the situation does put minor distros (anything not supported by the official Mozilla site) at a disadvantage. The perception is that the major players are "more secure", since you can get your fix straight from Mozilla.org.

    --
    Raise your children as if you were teaching them to raise your grandchildren, because you are.

  6. But Mozilla IS the vendor for most people by Curmudgeonlyoldbloke · Score: 5, Insightful

    I suspect that the vast majority of Firefox users are on Windows (simply because the majority of computer users are). They don't have the luxury of up2date or an apt-get repository and have to go to each non-Windows vendor to obtain updates. Why should Mozilla wait for someone maintaining a repository for a minority of their users before releasing an update for the majority?

    I'm sure that's the official position, anyway. And of course they want to drive traffic to their site, and make a big deal about counting downloads.

  7. Depends by zerbot · Score: 4, Insightful

    If the exploit is public knowledge, or is known as being used to exploit by blackhats, then releasing the fix as soon as it is finished is best. If the exploit is not publicly known, and there are no signs it is being used, then a coordinated release is best. Not coordinating ends up leaving a window for blackhats to find out about the exploit and use the vulnerability on those systems that are not yet patched.

  8. Re:The question is "WHY?" by digidave · Score: 4, Insightful

    So Mozilla should give RedHat preferential treatment? If they hold back a patch to wait for RedHat, don't they also have to wait for Suse? Debian? Everybody else?

    Holding back patches is nonsense and is something Slashdotters regularly blast Microsoft for doing.

    --
    The global economy is a great thing until you feel it locally.

  9. Context... Context... Context... by TigerX · Score: 5, Insightful

    This article rips Ben Goodger's words so far out of context that it is not even funny...

    Here's the original sentence with the quoted portion bolded:
    If security is important to you, this demonstration should show that browsers that are *redistributions of the official Mozilla releases are never going to give you security updates as quickly as Mozilla* will itself for its supported products.

    The context of Ben's blog post was the final release of the Netscape 8.0 browser which was based on top of the Firefox 1.0.3 source code. Ben was merely pointing out that this left the Netscape users open to attack. Netscape promptly released 8.0.1 built on the Firefox 1.0.4 code.

    Mozilla is fulfilling its obligation to its users by producing quality secure products, not pandering to an OSS "community" which seems more intent on arguing about every minute detail rather than changing the way things are done.

    To that end, Go Mozilla!