Another Look At Mozilla's BugFix Rate

An anonymous reader writes "Washingtonpost.com's Security Fix blog has published the results of a look back at three years worth of critical patches from Mozilla, and found that Mozilla typically ships updates for critical flaws in about three weeks, though in more than a third of the cases it pushed out a fix in ten days or less. The data comes just a few weeks after The Post published data from a similar study that found Microsoft averaged 130+ days to fix critical flaws. Slashdot also covered that study in a previous post."

Let's work on preventing bugs.

[CyricZ]

While it's important to fix bugs quickly and correctly, perhaps the Mozilla project should take some initiative within the open source community to work on preventing security issues in the first place. They could partner with the OpenBSD project on such an initiative, for instance.

Together they could come up with a development system that focuses on writing solid code. Such a methodology won't prevent all security bugs by any means, but it could go a long way towards vastly increasing the quality of the Mozilla project's software.

So much for "fixed within hours"

[man_of_mr_e]

Ok, I guess three weeks can be counted in hours, but that's a LOT of hours.

"from the must-go-faster dept."

[Cutriss]

Funny. IMHO, the speed of the browser peaked a long time ago (0.8 IIRC), and now it's just getting progressively slower over time.

They might be fixing critical security bugs, but they certainly don't seem to be fixing memleaks and such.

Re:"from the must-go-faster dept."

[CyricZ]

There was a very interesting post here earlier regarding the attitude of the Firefox developers towards memory consumption. I invite you to read it for yourself:

http://it.slashdot.org/comments.pl?sid=176459&cid= 14655214

The last paragraph is perhaps the most telling. It is apparently felt that issues such as memory consumption just don't matter to the average user. Of course, that's a very incorrect assertion to make. When even a normal user finds that Firefox has consumed 400+ MB of their 512 MB of RAM, and thus severely degraded their system's performance, they won't be too pleased.

Such a carelessness towards memory consumption would also suggest a similar lack of interest in writing code that is secure. When it comes to an Internet-enabled product, especially a web browser, security is paramount.

Re:"from the must-go-faster dept."

[bdaehlie]

The Mozilla developers spend quite a bit of time on reducing memory usage and leaks. The issue is taken very seriously. All I said was that leaks exist, and that they don't indicate that Mozilla's entire codebase is sloppy. That doesn't mean Mozilla developers aren't doing anything about them or they think they are OK.

CyricZ, please stop trying to get attention by being dramatic and twisting words. Your criticism is not contructive, just uninformed and inflamatory.

P.S. Re: "the attitude of the Firefox developers" - I am only one Firefox developer. I am not speaking for any other devs.

MS Release Cycle

[Azarael]

In fairness, everything that I've read about MS's patch cycle indicates that it is a pretty huge undertaking. Joel from http://joelonsoftware.com/ is always going on about have every single code fix/feature addition has to go through a whole bunch of people (several testers, documentation team, etc) before it can be released. If anything maybe Microsoft is a bit too thorough with their patches, in some ways at least.

It's just numerology.

[Ancient_Hacker]

Kinda reminds me of story about the Soviet shovel factory that was given a quota to ship 500 tons of shovels per month.

No problem, they just made the shovels REALLY HEAVY, so they only had to make a few of them.

Software metrics are very slippery things.

Be Fair

[XMilkProject]

To be fair, Microsoft's flaws are alot more serious, so it's only logical they will take longer to fix.

<laugh\>

A bug ignored?

[WhatAmIDoingHere]

I'd love if Firefox didn't take up 256 megs of ram with 5 tabs open. Is that something we can get fixed soon? That'd be great. All I want is for Firefox to take less memory than Azureus. I only have adblock and bugmenot, so it's not extensions causing the problem.

That's a result of their past decisions.

[khasim]

Because they chose to weld IE to the OS, they have more difficulty with patching (and the vulnerabilities become OS vulnerabilities).

If they had maintained a rigid distinction between OS & apps, they wouldn't have those problems.

This was predicted back when MS first "integrated" their browser.

Don't just rely on averages

[PIPBoy3000]

I'm not a statistician, but the average is sometimes a poor way to describe data. It's often useful to look at modes, standard deviations, and so on.

For example, the standard deviation for 2005 had Microsoft with a 80.87 stdev and Firefox with a 97.5 stdev.

Firefox had one flaw that took 674 days to fix, nearly twice the max of Microsoft's 357 days. Does that make up for such a larger average? Dunno. I suppose you could look at the issue and decide for yourself.

Averages are important, but it's not always the single most important thing to consider.

Not really fair...

[RyoShin]

Skimming through the previous Slashdot story, it looks like the Microsoft vulnerabilities covered both the OS and IE, not just IE. Mozzilla, afaik, only does the browsing and mail programs.

Granted, that's no small task, but it still isn't on the level of fixing an O.S., in my opinion. It's like comparing apples and pumpkins.

It would be better to compare Windows patch release time with Linux patch release time, which I believe has been done before (and then covered on Slashdot- Linux probably had the shorter time.)

Regardless, how much does market share factor into this? With Linux, if a patch breaks a program, most people can just shrug it off and rewrite the program to work with the patch. So mass testing isn't as big of an issue. With Windows, if a patch breaks a program, a user doesn't have a lot they can do except to sit there and weep until Company X releases their own patch or next version.

The eyes are looking at the edges

[Weaselmancer]

I used to think it was just poor management, but now you have open source projects with thousands of eyes looking at every line of code.

IMHO, I believe that the reason why is because most of the developers are looking "at the edges" - where new functionality is being added. For example, how many of those developers are looking at the JPEG decompress routine? Turns out that wound up being important exploit-wise recently. And there it sat for years, unnoticed.

from what I remember in taking computer science, if you follow some simple procedures, the code is robust.

Well, robust doesn't just come from simple procedures. It's also design and style. You can't come up with excellent procedures and guarantee good software. You have to design well, communicate well, and implement ideas correctly. A lot is also owed to experience - sometimes, the only way to find out you've screwed up is after the fact. A good example is strcpy(). We know unbounded copy is a bad idea now, but how many years went by before we did?

Re:It is just your imagination.

[plover]

Yes, and we all know that the dawn of time occurred precisely at midnight (GMT) on January 1, 1970. While it's rumored that time existed prior to then, there is no evidence for it in the syslogs.

Difficult bugs simply aren't fixed.

[Futurepower(R)]

It does seem that security bugs in Mozilla and Firefox are fixed promptly.

However, other bugs simply aren't fixed. For about 3 years many, many people have reported the CPU hogging bug which is unique to Firefox and Mozilla browsers. For a small example of the reports of problems see Firefox is the most unstable program in common use.

Now the problems are beginning to be reported in technical magazines, newsletters, bloggers, and even the mainstream media.

Under the conditions mentioned in the bug reports, I'm not able to make the CPU hogging bug fail; it is always there. I've tried Linux, Windows XP SP2, and Windows 98 SE. I've tried Intel and Via chipset motherboards. For about 3 years, in all versions, the CPU and memory hogging bug has always been there. Firefox version 1.5.0.1 is worse than Firefox version 1.5, and those versions are worse than earlier ones. This is with a clean profile and no extensions except DOM Inspector, which is a menu choice on the installation program.

In 3 years, I've never had any evidence that any Firefox or Mozilla developer has reproduced the conditions that cause the problem.

The problem with Firefox and Mozilla developers not fixing difficult bugs seems to be a social one, not primarily a technical one. The developers keep asking for the problem to be made easier, but it appears to me that there is already plenty of evidence that would allow further investigation.

Perhaps the developers do not understand that there is a class of bugs that can only be found using the methods of scientific research. Many people like programming, but only people who accept the biggest challenges truly have programming in their hearts and minds:

Three biggest challenges of programming

Here are programming's three biggest challenges. Coding is relatively easy. It is these challenges which separate a true professional from an average programmer:

1. Being a scientist -- Often the most difficult programming is easier than the most difficult debugging. Often debugging requires creative scientific thinking. First, it is necessary to gather information. Second, make a theory that fits the facts. Third, design an experiment that tests the theory. Fourth, perform that experiment and analyze the results. Fifth, using the information that was learned, design a new theory, and repeat the steps above. The information that has been provided about Firefox instability is plenty to begin making theories.
2. Skill in social interaction -- Often the social interaction necessary to understanding what is needed and wanted is more difficult than any coding challenge. Social skills can be learned, and are part of being a good programmer.
3. Designing the user interface -- Only someone who has habits of caring for others can have the necessary detailed insight and creativity to discover how to do everything possible for the user.

Instead there are excuses:

Mozilla Top 12 Excuses

Top 12 things Firefox and Mozilla developers say about those who report difficult bugs, collected during the last 3 years:

1. Maybe this bug is fixed in the nightly build.
2. Yes, this bug exists, but other things are more important.
3. No one has posted a TalkBack report. [If they had read the bug report, they would know that there is never a TalkBack report, because the bug crashes TalkBack, too, or a TalkBack report is not generated.]
4. If you would just give us more information, we would fix this bug.
5. This bug report is a composite of other bugs, so this bug report is invalid. [The other bugs aren't specified.]
6. You are using Firefox in a way that would cras

Re:Difficult bugs simply aren't fixed.

[The+One+KEA]

> 1. Maybe this bug is fixed in the nightly build.

It usually is. The yahoo.com crashes in 1.5 were one prime example - they were already fixed on both the MOZILLA_1_8_BRANCH and the MOZILLA_1_8_0_BRANCH.

> 2. Yes, this bug exists, but other things are more important.

While this is a rather contentious thing to say, it's usually true - there often _are_ bugs that are more important, and very little (except getting more people to hack Firefox and fix the unglamourous bugs) is going to change that.

> 3. No one has posted a TalkBack report. [If they had read the bug report, they would know that there is never a TalkBack report, because the bug crashes TalkBack, too, or a TalkBack report is not generated.]

This is rare - TalkBack usually runs for most crashes, and for ones that don't generate a report, someone can usually apply some debugger-fu to make it happen.

> 4. If you would just give us more information, we would fix this bug.

This is an excuse?

> 5. This bug report is a composite of other bugs, so this bug report is invalid. [The other bugs aren't specified.]

So? If you're reporting more than one bug in a single report, then it gets much harder to fix each of them. Separate bugs, separate reports - that's the way Bugzilla works.

> 6. You are using Firefox in a way that would crash any software. [But the same use does not crash Opera.]

Can you give an example?

> 7. I don't like the way you worded your report. (So, I didn't read it or think about it.)

If the bug report is crap, who's going to read it? Bugs don't get fixed if you can't properly explain what the bug is.

> 8. You should run a debugger and find what causes this problem yourself. (Then when you have done most of the work, tell us what causes the problem, and we may fix it.)

Why is this a Bad Thing? Some users are more than happy to do this - I personally haven't seen more than a few bugs in Bugzilla where this was even requested.

> 9. Many bugs that are filed aren't important to 99.99% of the users.

Sad, but sometimes, true.

> 10. If you are saying bad things about Mozilla and Firefox, you must be trolling. [They say this even though Firefox and Mozilla instability is beginning to be reported in media such as Information Week.]

This sort of thing is subjective.

> 11. Your problem is probably caused by using extensions. [These are extensions advertised on the Firefox and Mozilla web site.]

Advertisement on website != Well-written.

> 12. Your problem is probably caused a corrupt profile.

This is almost always the primary, major source of just about all of the problems experienced by most users. That's why there's been so much effort with mechanisms like the Extension Manager modifications, the extension versioning mechanism, the bookmarks-backup code, and the general depreciation of profiles in order to prevent users from misusing them and potentially breaking their Firefox installation.

Re:Difficult bugs simply aren't fixed.

[pavera]

I am a programmer of the type you describe, I actually love debugging, its alot of fun to apply the scientific method to code...
And I was intrigued by the bug you mentioned, as it seems like it would be great fun to figure out. I have never had any stability issues with firefox (any version), and I am a pretty heavy user, 8 tabs open right now, and thats really light usage for me. Normally I'll have 2-3 windows with 10-15 tabs each... I tried to use the gnu libc page, I opened 20 tabs of it, and yeah firefox was using quite a bit of RAM (about 35MB per tab), but I opened 10 windows if IE to that page and each IE window was using 45MB of RAM... so firefox was 10MB per page better as far as RAM usage is concerned... Firefox used more CPU each time I opened a new tab, but also rendered each new page faster than IE, which used less CPU for a longer period of time... I am running Win XP SP2 all patches applied, Firefox 1.5...

The only time I've seen firefox die has been on pages with that really annoying smiley face animated GIF or flash I don't know which banner ad. However, that is not the bug you are describing, so they are most likely not related... and I haven't had that bug crash FF since 1.5 came out. In fact I haven't had FF crash at all since 1.5 was released...

In short if you are having a problem, and people can't recreate it, the only option really is to attach a debugger and get to the bottom of the problem that way. As I explained above I tried to recreate your bug, I'm actually trying it on a 3rd computer right now (Dell latitude d810 512mb ram, white box winxp sp2 1gb ram, mac os 10.3 512MB ram powerbook) none of these computers exhibit the problem.. I would love to help, show me how to recreate it, and I'll gladly try to figure it out.