Slashdot Mirror
Mozilla Uncooperative With OSS Groups on Security?
An anonymous reader writes "In response to Firefox lead developer Ben Goodger's claim that "redistributions of the official Mozilla releases are never going to give you security updates as quickly as Mozilla", Christopher Aillon of Red Hat says that this is only because Mozilla doesn't play by the same rules as other OSS projects. He says that while other OSS projects work with vendors to achieve simeltaneous releases of patched software, Mozilla does no such thing unless compelled to do so."
Sounds like the alleged rules involve keeping bugs secret until users of the code have updated it and/or changing their release cycle to accomodate this.
They may want to release the updates earlier, without waiting for whatever linux/bsd distro to updated their packages.
And it seems fair to me. If I run fedora, for example, if I'm concerned about security, I can always download and install their binary package. Because, for example, I couldn't find an updated rpm for firefox 1.0.4 (only a spec file)
I'll do the stupid thing first and then you shy people follow...
Priorities are not the same all over, and Mozilla should be focused on supporting their users. Those several days of warning are extra days of end-user vulnerability. As a Firefox user, I would feel my trust was misplaced if they did something else..
One other comment:
indirectly -- it still displays their branding
Correct me if I'm wrong, but other builds are not supposed to use Mozilla's branding anyway. The PowerPC G4-optimized build of Firefox contains only compiler/linker changes, and apparently can not use the same icon.
Ok, I do agree that OSS projects should supply security patches when they have them, and new releases as well, but what good does it do to let the vendors at them first?
Why should end users not be offered the same patches as soon as they are ready? If it takes a vendor 24 hours to get a new package out, that sounds reason able to me, but again, why limit access to the update for that 24 hours?
Ask Slashdot: Where bad ideas meet poor googling skills.
I read the above quote may times over and the person from RedHat's response. I kept asking myself over and over again...WHY? Because if Mozilla operated the same way other OSS projects do by default, I can only see good things out of this. I wonder why they choose to do things this way.
What's worse is the way the mozilla projects rarely seem to manage to put out an actual working source tarball. For the past dozen or so releases they've always released incomplete or unworking sources. Screwing up once is understandable, but to repeatedly omit things strongly implies that they're not interested in anyone using anything except their official binaries.
Where's the article?? It's just two short blog entries between two guys arguing over an issue. How is that news or "stuff that matters"? It's almost like reading two headlines. This has a feel of high school.
High school girl A: So Ben Goodger's claim that "redistributions of the official Mozilla releases are never going to give you security updates as quickly as Mozilla"
High school girl B: "Christopher Aillon of Red Hat says that this is only because Mozilla doesn't play by the same rules as other OSS projects"
High school girl A: No. He didn't.
[cat fight]
Except there would be no cat fight here....
EvilCON - Made Famous by
Those links seemed almost like the biggest non-articles ever to hit Slashdot. I asked myself... "is that it?" Links to some petty blog nonsense, basically.
Mozilla's problems aside, Aillon's point is stupid. Stupid as that picture of him imitating the Matrix, or whatever the hell he is doing. Basically, there doesn't seem to be any meat here, any story. Good work saving Slashdotters the time of RTFA-ing, because in this case, reading the article wouldn't have made any difference.
This may sound like the tail whinning that the dog doesn't wag, but the vendors may have a legitimate complaint.
The potential for harm is if Mozilla releases a security fix, and the distros don't right away. There's a period of time in which Mozilla version x.y is vulnerable on FooDistLinux, and there's no reasonable expectation for the fix to happen for some period. Since the fix has been released, attackers are on notice that there is are vulnerable systems out there, and they're running Mozilla x.y on FooDistLinux.
Now, mind you, I don't think that's such a big fat hairy deal. But the situation does put minor distros (anything not supported by the official Mozilla site) at a disadvantage. The perception is that the major players are "more secure", since you can get your fix straight from Mozilla.org.
Raise your children as if you were teaching them to raise your grandchildren, because you are.
I suspect that the vast majority of Firefox users are on Windows (simply because the majority of computer users are). They don't have the luxury of up2date or an apt-get repository and have to go to each non-Windows vendor to obtain updates. Why should Mozilla wait for someone maintaining a repository for a minority of their users before releasing an update for the majority?
I'm sure that's the offical position, anyway. And of course they want to drive traffic to their site, and make a big deal about counting downloads.
"simeltaneous releases of patched software"
This is OSS took to the extreme. One for all and all for one doesn't apply when people are at risk. If you don't release a fix ASAP then you're knowingly risking the security of peoples computers. Like it or not this is a ridiclous idea from the ground up.
Work together for the greater good, don't force others to work together so you all look good.
I like muppets.
I don't see how Mozilla is in the wrong. It is upto the various linux distributions to manage said distribution, not mozilla.
I want Firefox security updates as soon as they are available on my Micro$oft box, why should I have to wait for distribution X to play catchup. It is said distributions job to maintain that distribution, not Mozilla.
Should I, the user, have to wait for important security updates because some distribution wants to repackage them? The answer is no.
If the exploit is public knowledge, or is known as being used to exploit by blackhats, then releasing the fix as soon as it is finished is best. If the exploit is not publically known, and there are no signs it is being used, then a coordinated release is best. Not coordinating ends up leaving a window for blackhats to find out about the exploit and use the vulnerability on those systems that are not yet patched.
Nope. He is obviously an overclocker running SMP and he is referring to the rare condition where all of his CPU's melt at once.
We don't see the world as it is, we see it as we are.
-- Anais Nin
Mozilla isn't obligated to offer you support. You are an idiot for firing an employee simply over a small software issue. Plus, any reasonable IT person would give users a CHOICE of IE or FireFox for quite a while, until people adjusted to the new software and the IT staff were certain that it would not conflict with existing systems (such as your intranet).
However, I'd like to note that Mr. Goodger should really learn how to develop websites for cross-browser compatibility. It looks like crap here at work, where we use IE. Being the lead-developer of a competing browser is no excuse for not having a website that looks good on ALL platforms.
I don't understand why a 1-2 days latency is such a problem for a distro. It's like someone complaining that cvs users get the fixes before they appear on mozilla.org.
/.
Summary:
- you're paranoid about security, get cvs updates every hour.
- you're seriously concerned about security, get the new binary as soon as you read it on
- you're lazy and you like it: apt-get install, 1-2 days after.
Redhat makes it's own modificatoins to Mozilla and Firefox maybe.
Linspire surely does but they at least work with the company to get them into the main tree so it's not so much of a problem.
Along with any number of big distros that do something to the original package.
All which could of been avoided if said companies just used the plugin infrastructure to make their modifications and repackaged it that way.
And that's good why? If a fix is out and I'm running something mission-critical, I want it now. If your distro is slow, get another distro - or better yet - install it your f**king self using the version Mozilla puts out. It's really not hard. Sometimes, I swear, I think some people would be incapable of installing software if they didn't have a package from their distro. Of course I imagine it's obvious what distro I use. ;)
How long can it take for package maintainers to update the source and run the package-assembly scripts.
I mean, it is automated, isn't it?
Mozilla guys are not obligated to wait until the slowest of the crowd gets its job done. And they shouldn't treat any OS/distro differently from one another.
If Red Hat feels having up-to-the-minute RPMs is all that important, they should compensate Mozilla Foundation for the additional hassle. If not, they should wait in line just like everyone else.
http://www.dieblinkenlights.com
This article rips Ben Gooder's words so far out of context that it is not even funny...
Here's the original sentence with the quoted portion bolded:
If security is important to you, this demonstration should show that browsers that are redistributions of the official Mozilla releases are never going to give you security updates as quickly as Mozilla will itself for its supported products.
The context of Ben's blog post was the final release of the Netscape 8.0 browser which was based on top of the Firefox 1.0.3 source code. Ben was merely pointing out that this left the Netscape users open to attack. Netscape promptly released 8.0.1 built on the Firefox 1.0.4 code.
Mozilla is fulfilling its obligation to its users by producing quality secure products, not pandering to an OSS "community" which seem more intent on arguing about every minute detail rather than change the way things are done.
To that end, Go Mozilla!
methinks you are in the wrong business if you design web-interface development apps that allow corruption of the source files due to a simple browser crash...
sum.zero
I have used Mozilla for over a year now and have been VERY satisfied with the release schedule especially as it comes to security releases. I get alerted with the little icon, I press icon, I download update, restart Mozilla, done. When it comes to security updates I do not want to see the release hampered because the distros haven't built it yet because quite frankly most of the exploits out there are for Windows anyway. No, I will not be transitioning to Linux anytime soon but I do support it where I can :).
This is not new, persay... however, it is getting very annoying.
The cow goes "tink"
mozilla-firefox-1.0.4 hit the Gentoo tree the same day the official 1.0.4 version was released and had been moved to stable on most architectures by the beginning of the next day. The binary packages (mozilla-firefox-bin-1.0.4) was in the stable tree within two days, same timing as Debian.
Sorry, my karma just ran over your dogma.
The real problem here is not that Mozilla is releasing security fixes too quickly, or that the distros aren't keeping up.
The real problem is that a Linux application needs to be modified in some way by the operating system vendor before end-users of that operating system can use it. Think about that for a minute. When's the last time you had to go through Microsoft to download the latest copy of a 3rd-party application?
One of the selling points of OSS development has always been its decentralized nature. But here we are creating a centralized, artificial bottleneck by requiring that applications be customized by the operating system vendor before it can be used on that system. Talk about inefficient.
There's no reason why the application vendor should be exposed to differences in distributions. It's poor encapsulation, from a software engineering perspective, and essentially means that "Linux" is not a platform you can develop to. RedHat's a platform, SuSE's a platform, and there a million other Linux-based platforms, but no one "Linux platform".
This sort of thing hurts everyone. End-users don't have the ease of use and speed of security updates they could with a common platform. Application vendors have to wait for the OS vendor to repackage their application before it'll work on that platform. Distro vendors have this huge recurring workload of having to repackage applications.
Why don't the distros just provide a common interface that application vendors can use to for installation? Hiding the distribution-specific differences behind an interface would seem to make everyone's jobs easier.