Mozilla Uncooperative With OSS Groups on Security?
An anonymous reader writes "In response to Firefox lead developer Ben Goodger's claim that 'redistributions of the official Mozilla releases are never going to give you security updates as quickly as Mozilla', Christopher Aillon of Red Hat says that this is only because Mozilla doesn't play by the same rules as other OSS projects. He says that while other OSS projects work with vendors to achieve simultaneous releases of patched software, Mozilla does no such thing unless compelled to do so."
They may want to release the updates earlier, without waiting for whatever linux/bsd distro to update their packages.
And it seems fair to me. If I run fedora, for example, and I'm concerned about security, I can always download and install their binary package, because, for example, I couldn't find an updated rpm for firefox 1.0.4 (only a spec file).
I'll do the stupid thing first and then you shy people follow...
Ok, I do agree that OSS projects should supply security patches when they have them, and new releases as well, but what good does it do to let the vendors at them first?
Why should end users not be offered the same patches as soon as they are ready? If it takes a vendor 24 hours to get a new package out, that sounds reasonable to me, but again, why limit access to the update for those 24 hours?
Ask Slashdot: Where bad ideas meet poor googling skills.
What's worse is the way the mozilla projects rarely seem to manage to put out an actual working source tarball. For the past dozen or so releases they've always released incomplete or unworking sources. Screwing up once is understandable, but to repeatedly omit things strongly implies that they're not interested in anyone using anything except their official binaries.
There are really two scenarios here:
1) A hole is made known to Mozilla before it's made known to the public.
2) A hole is made known to Mozilla and the public at the same time.
In (1), it's reasonable to ask that the software developer at least make a token notification to various vendors' security contacts. Most of the vendors are reasonably private - they won't post the matter to a mailing list - and responsible. The software developer certainly doesn't HAVE to do this, but it would benefit a larger portion of its end users.
In (2), it doesn't make any sense to notify each distribution, because the whole world already knows, and each hour wasted on notification could mean people who are damaged by the hole.
I think the difference between (1) and (2) is significant, and it's important to realize that the case we're talking about here is (2). The hole was made public in Bugzilla, and Mozilla had to rush to create a patch. Holding that patch to give the distributions time to update is silly - people already knew there was a hole, and users were already waiting on the fix. If the initial bug was private, this would be an entirely different story.
I don't understand why a 1-2 day latency is such a problem for a distro. It's like someone complaining that cvs users get the fixes before they appear on mozilla.org.
Summary:
- you're paranoid about security, get cvs updates every hour.
- you're seriously concerned about security, get the new binary as soon as you read it on
- you're lazy and you like it: apt-get install, 1-2 days after.