Mozilla Uncooperative With OSS Groups on Security?

An anonymous reader writes "In response to Firefox lead developer Ben Goodger's claim that "redistributions of the official Mozilla releases are never going to give you security updates as quickly as Mozilla", Christopher Aillon of Red Hat says that this is only because Mozilla doesn't play by the same rules as other OSS projects. He says that while other OSS projects work with vendors to achieve simeltaneous releases of patched software, Mozilla does no such thing unless compelled to do so."

Secrecy?

[lachlan76]

Sounds like the alleged rules involve keeping bugs secret until users of the code have updated it and/or changing their release cycle to accomodate this.

Re:Secrecy?

[gclef]

Honestly, Mozilla is in a lose/lose situation here.

If they hold on to fixes until all the distros are ready, they get beat up for slow patch times compared to MS. If they release immediately, they get beat up by the distros for not coordinating with them.

I think this is coming up because Moz is one of the first high-profile OSS projects to support both Linux/BSD and Windows. If this were (like most other Linux/BSD apps) an OSS-OS only app, then the lack of coordination would be a real issue. But, for the Windows folks, there isn't a distro to coordinate with, so Moz has to release as soon as possible. I'm with Moz on this, honestly.

Re:Secrecy?

[gclef]

Why cant mozilla stop hiding bugs and marking vulnerabilities as secret in bugzilla? Open indeed...

I shouldn't respond to this troll, but I will.

Marking security-related bugs as secret is entirely appropriate. If the bug notes were public, they would serve as a blueprint to 0-day attacks on Mozilla, which the Moz folks are (rightly) attempting to prevent.

Attacking Mozilla for following standard security procedures for bugs is fucking childish.

Re:Secrecy?

[SpaghettiPattern]

If they hold on to fixes until all the distros are ready, they get beat up for slow patch times compared to MS. If they release immediately, they get beat up by the distros for not coordinating with them.

NO! Mozilla is responsible for its own releases and security updates and not for the distros'. Mozilla isn't there to make the life of Linux distros easy. The Linux distros must make security patches available ASAP.

Re:Secrecy?

[gclef]

I disagree. Completely. It's in the general interest of everyone for the app writers and the distros to work together...the goal, after all, is for the end user to get patches quickly, effectively, and *before* there's an exploit. A lot of the distros have central patch distribution systems...these systems are the best way to get patches to the end user for that distro.

If an app releases a bug fix without working with the distro, it leaves the end user there to get screwed...either they wait for their distro to get the patch put together (running vulnerable code the whole time), or they break their use of the patch distribution system (meaning they have to either re-patch once the vendor releases, or never follow the vendor patch system for that app again). This isn't a choice we want to be giving the users. The best result is *absolutely* a coordinated response, where the authors, the distros and the original reporter of the problem all release simultaneously.

That isn't possible in this case, since there's no distro to work with for Windows. Mozilla is, in this situation, choosing to minimize the risk for their Windows users (who likely far outnumber their OSS users), at the expense of the distro coordination. It's not a fun choice to make, but a sensible one, given their situation.

Re:Secrecy?

[psyon1]

You're assuming the security hole is announced at the same time as the fix. This isnt always the case. In a case where an exploit is already known and possibly in use, it is always best to make a fixed version available, without waiting for the distros.

Re:Secrecy?

[psyon1]

How do you pick what distros to work with? There are so many to choose from, do you just choose those who give you financial backing? Should the release time of distro A be forced to coincide with distro B? Should Red Hat and commercial vendors be in control?

I think they should release fixes as soon as a stable fix is available. Alot of people just use a distro for a base install, and then build apps from source, some even choose to do Linux From Scratch, its their choice. No one should be locked into Vendor/Distro release schedules if their not using their products.

Why is this a bad things?

[afd8856]

They may want to release the updates earlier, without waiting for whatever linux/bsd distro to updated their packages.

And it seems fair to me. If I run fedora, for example, if I'm concerned about security, I can always download and install their binary package. Because, for example, I couldn't find an updated rpm for firefox 1.0.4 (only a spec file)

Nor should it have to.

[Trillan]

Priorities are not the same all over, and Mozilla should be focused on supporting their users. Those several days of warning are extra days of end-user vulnerability. As a Firefox user, I would feel my trust was misplaced if they did something else..

One other comment:

indirectly -- it still displays their branding

Correct me if I'm wrong, but other builds are not supposed to use Mozilla's branding anyway. The PowerPC G4-optimized build of Firefox contains only compiler/linker changes, and apparently can not use the same icon.

Re:Nor should it have to.

[cuntzilla]

it would certainly be great to let these other projects know about the vulnerability and make the update available to them

If its a 0day vulnerability letting other distros know in advance would be putting the vulnerability into the wild for any script kiddie to play with.

waiting to update their own product is bad for their own users

Exactly. If someone forks or uses open source code its a lot to ask the people who made the original trunk to take care for all. Share knowledge yes, but to do the job of someone else who took it apon themselves to branch... no.

I'm not sure I agree with this...

[Rantastic]

Other projects make sure that the vendors know of a security vulnerability, supply the patch and new tarball (if applicable, which it is in mozilla.org's case), give a brief period of time for the vendors to catch up, and then do a synchronous release with them at a planned time.

Ok, I do agree that OSS projects should supply security patches when they have them, and new releases as well, but what good does it do to let the vendors at them first?

Why should end users not be offered the same patches as soon as they are ready? If it takes a vendor 24 hours to get a new package out, that sounds reason able to me, but again, why limit access to the update for that 24 hours?

Re:I'm not sure I agree with this...

[Rantastic]

Just to clarify:

I am saying that if Red Hat expects OSS projects to sit on security updates until Red Hat has a new package ready, that is just plain rude.

Are all users not equal in the eyes of Free software? We should all be able to have a crack at the security update as soon as it is ready. Some of us do in fact maintain our own packages. Why should we be forced to wait?

Re:I'm not sure I agree with this...

[Husgaard]

I understand why Mozilla does not want to delay security updates. Of course Redhat would like that at it would look like they are less behind on security updates.

Unfortunately it looks like Redhat has persuaded other Open Source projects to delay their security updates.

And now Redhat is using these other Open Source projects to attempt to pressure Mozilla into also delaying their security updates by claiming that Mozilla doesn't play by the rules.

Shame on Redhat.

Re:I'm not sure I agree with this...

[ProfaneBaby]

Why should end users not be offered the same patches as soon as they are ready? If it takes a vendor 24 hours to get a new package out, that sounds reason able to me, but again, why limit access to the update for that 24 hours?


Just speaking to the theory here, once the 'end users' are notified of the hole, it's reasonable to assume that 'someone' is going to reverse engineer an exploit out of the patch.

On very large holes, the coordinated release allows the largest possible user base to have an upgrade path by the time the hole is made public. If all users were notified as soon as a source patch was released, but the source patch didn't apply directly to distribution X because of local changes to the codebase, a malicious user could (and will) create and circulate an exploit before that group can create a patch.

Note that the security community does not agree here. When OpenSSH had a massive hole, Theo went mailing-list to mailing-list telling people a workaround, and coordinated a very large release of information on a specific day. When DJB's students come out with their list of new exploits every year, they release them all on a webpage with zero notice to ANYONE, including the software vendors involved.

It's a matter of philosophy - are you in the game to protect the most people, or are you managing your software and letting other people worry about their users? I personally don't have a problem with Mozilla's practices - they still beat some other vendors, even if they're not as 'responsible' as the OpenSSH crowd.

The question is "WHY?"

[bogaboga]

Quote: "redistributions of the official Mozilla releases are never going to give you security updates as quickly as Mozilla".

I read the above quote may times over and the person from RedHat's response. I kept asking myself over and over again...WHY? Because if Mozilla operated the same way other OSS projects do by default, I can only see good things out of this. I wonder why they choose to do things this way.

Re:The question is "WHY?"

[ProfaneBaby]

There's really two scenarios here:

1) A hole is made known to Mozilla before it's made known to the public.

2) A hole is made known to Mozilla and the public at the same time.

In (1), it's reasonable to ask that the software developer at least make a token notification to various vendor's security contacts. Most of the vendors are reasonably private - they won't post the matter to a mailing list - and responsible. The software developer certainly doesn't HAVE to do this, but it would benefit a larger portion of its end users.

In (2), it doesn't make any sense to notify each distribution, because the whole world already knows, and each hour wasted on notification could mean people who are damaged by the hole.

I think the difference between (1) and (2) is significant, and it's important to realize that the case we're talking about here is (2). The hole was made public in Bugzilla, and Mozilla had to rush to create a patch. Holding that patch to give the distributions time to update is silly - people already knew there was a hole, and users were already waiting on the fix. If the initial bug was private, this would be an entirely different story.

Re:The question is "WHY?"

[digidave]

So Mozilla should give RedHat preferential treatment? If they hold back a patch to wait for RedHat, don't they also have to wait for Suse? Debian? Everybody else?

Holding back patches is nonsense and is something Slashdotters regularly blast Microsoft for doing.

What's worse

[keesh]

What's worse is the way the mozilla projects rarely seem to manage to put out an actual working source tarball. For the past dozen or so releases they've always released incomplete or unworking sources. Screwing up once is understandable, but to repeatedly omit things strongly implies that they're not interested in anyone using anything except their official binaries.

Re:What's worse

But mozilla/firefox from the mozilla foundation is released under the MPL with the logos trademarked (You can't use the firefox logo. In your custom version, you have to use the globe icon or something new)

You can freely download the tri-license source code (MPL/GPL/LGPL I believe) from the CVS. If the tarball isn't working it's probably because an automated script is busted and perhaps the person complaining should file a bug.

Making a story that isn't there.

Those links seemed almost like the biggest non-articles ever to hit Slashdot. I asked myself... "is that it?" Links to some petty blog nonsense, basically.

Mozilla's problems aside, Aillon's point is stupid. Stupid as that picture of him imitating the Matrix, or whatever the hell he is doing. Basically, there doesn't seem to be any meat here, any story. Good work saving Slashdotters the time of RTFA-ing, because in this case, reading the article wouldn't have made any difference.

Whiny RedHat, or lazy Mozilla?

[lheal]

This may sound like the tail whinning that the dog doesn't wag, but the vendors may have a legitimate complaint.

The potential for harm is if Mozilla releases a security fix, and the distros don't right away. There's a period of time in which Mozilla version x.y is vulnerable on FooDistLinux, and there's no reasonable expectation for the fix to happen for some period. Since the fix has been released, attackers are on notice that there is are vulnerable systems out there, and they're running Mozilla x.y on FooDistLinux.

Now, mind you, I don't think that's such a big fat hairy deal. But the situation does put minor distros (anything not supported by the official Mozilla site) at a disadvantage. The perception is that the major players are "more secure", since you can get your fix straight from Mozilla.org.

But Mozilla IS the vendor for most people

[Curmudgeonlyoldbloke]

I suspect that the vast majority of Firefox users are on Windows (simply because the majority of computer users are). They don't have the luxury of up2date or an apt-get repository and have to go to each non-Windows vendor to obtain updates. Why should Mozilla wait for someone maintaining a repository for a minority of their users before releasing an update for the majority?

I'm sure that's the offical position, anyway. And of course they want to drive traffic to their site, and make a big deal about counting downloads.

fuck off

[Turn-X+Alphonse]

"simeltaneous releases of patched software"

This is OSS took to the extreme. One for all and all for one doesn't apply when people are at risk. If you don't release a fix ASAP then you're knowingly risking the security of peoples computers. Like it or not this is a ridiclous idea from the ground up.

Work together for the greater good, don't force others to work together so you all look good.

How is this Mozilla's problem?

[Emetophobe]

I don't see how Mozilla is in the wrong. It is upto the various linux distributions to manage said distribution, not mozilla.

I want Firefox security updates as soon as they are available on my Micro$oft box, why should I have to wait for distribution X to play catchup. It is said distributions job to maintain that distribution, not Mozilla.

Should I, the user, have to wait for important security updates because some distribution wants to repackage them? The answer is no.

Re:How is this Mozilla's problem?

[Chris+Snook]

It's the project's problem if they want the continued support of the vendors. A completely plausible example of how a vendor could be justifiably furious:

1) Vendor gets bug reports from their customers.
2) Vendor examines the code and discovers that the bug is exploitable.
3) Vendor's developers write a patch and send it to the project's security team.
4) Project security team realizes that they do a similar bad thing in other parts of their code, and the fix will need to be a much larger patch.
5) Project publishes the larger patch with full disclosure of vulnerabilities.
6) Vendor's QA and distribution people stay up all night verifying this much larger patch, to minimize the amount of time their customers are vulnerable to the exploit they discovered in the first place.

No, it doesn't always happen like this, but it can and has. This is why the vendors have set up coordinated disclosure agreements, where they all say "We're going to publish this whole thing at exactly this time." and if any vendor can't QA it and push it out to their customers in time, that's their problem.

For the millions of dollars in development effort that the various commercial distributors put into the various F/OSS projects they use, you'd think they deserve a level playing field on security. If your project doesn't think the vendors deserve this level playing field, don't be surprised when your project gets forked, or those millions of dollars in development effort get redirected to someone else's project.

Depends

[zerbot]

If the exploit is public knowledge, or is known as being used to exploit by blackhats, then releasing the fix as soon as it is finished is best. If the exploit is not publically known, and there are no signs it is being used, then a coordinated release is best. Not coordinating ends up leaving a window for blackhats to find out about the exploit and use the vulnerability on those systems that are not yet patched.

Re:We tried working with Mozilla...

[jleq]

Mozilla isn't obligated to offer you support. You are an idiot for firing an employee simply over a small software issue. Plus, any reasonable IT person would give users a CHOICE of IE or FireFox for quite a while, until people adjusted to the new software and the IT staff were certain that it would not conflict with existing systems (such as your intranet).

However, I'd like to note that Mr. Goodger should really learn how to develop websites for cross-browser compatibility. It looks like crap here at work, where we use IE. Being the lead-developer of a competing browser is no excuse for not having a website that looks good on ALL platforms.

Why is latency such a problem?

[vagabond_gr]

I don't understand why a 1-2 days latency is such a problem for a distro. It's like someone complaining that cvs users get the fixes before they appear on mozilla.org.

Summary:
- you're paranoid about security, get cvs updates every hour.
- you're seriously concerned about security, get the new binary as soon as you read it on /.
- you're lazy and you like it: apt-get install, 1-2 days after.

Honestly

[rbanffy]

How long can it take for package maintainers to update the source and run the package-assembly scripts.

I mean, it is automated, isn't it?

Mozilla guys are not obligated to wait until the slowest of the crowd gets its job done. And they shouldn't treat any OS/distro differently from one another.

If Red Hat feels having up-to-the-minute RPMs is all that important, they should compensate Mozilla Foundation for the additional hassle. If not, they should wait in line just like everyone else.

Context... Context... Context...

[TigerX]

This article rips Ben Gooder's words so far out of context that it is not even funny...

Here's the original sentence with the quoted portion bolded:
If security is important to you, this demonstration should show that browsers that are redistributions of the official Mozilla releases are never going to give you security updates as quickly as Mozilla will itself for its supported products.

The context of Ben's blog post was the final release of the Netscape 8.0 browser which was based on top of the Firefox 1.0.3 source code. Ben was merely pointing out that this left the Netscape users open to attack. Netscape promptly released 8.0.1 built on the Firefox 1.0.4 code.

Mozilla is fulfilling its obligation to its users by producing quality secure products, not pandering to an OSS "community" which seem more intent on arguing about every minute detail rather than change the way things are done.

To that end, Go Mozilla!