A Bad Month for Firefox
marty writes "Februrary is not a good month for Mozilla developers. Infoworld reports about the efforts of Polish researcher Michael Zalewski, who apparently kept finding new vulnerabilities in the popular browser on a daily basis through the month, first postponing the 2.0.0.2 update, and then finding a remotely exploitable flaw in it immediately after its release."
I'm still running 1.5.0.9 and it works a treat. Am I missing something besides, apparently, h4x?
--- Do you believe in the day?
Bottom line - the more people use Firefox, the more people look for bugs and vulnerabilities, the more people find them. The same thing happened with IE.
Granted, I do think Firefox is far superior to other browsers on the market, but I don't think that this should surprise anyone. At least Firefox is being fixed quickly. I suspect other software companies may not have held back their release times on upgrades to fix additional bugs. ("Don't worry now, just get this new version out before the deadline, we'll fix it later...")
I hope the land around you yields, a crop like all the other fields, and then your waiting might make sense...
Well, such headlines won't stop me from using FF. At least vulnerabilities are attended to in a way I believe (wrongly?) faster than most mammoth companies would. That said, this point from the article is interesting, making me believe researchers should (?) have incentives to disclose security bugs to Mozilla first and to the public only when the fix is distributed:
"Although Snyder said she would prefer it if Zalewski and other researchers would disclose vulnerabilities to Mozilla before taking them public, she said the company relies on such experts to help it keep customers protected from attacks, as painful as the reports may be."
Animoog.org
As the author of security software, I'm not happy to find flaws in my code, but I'd rather find them than not.
The measure of success is whether the bug(s) found in Feb are new additions added by sloppy coders, or legacy bugs that have so far escaped notice?
Tom
Someday, I'll have a real sig.
Could someone please explain how finding and fixing bugs/issues/problems/whatever is bad? Now, I understand that it is not particularly good from a PR perspective. However, it is not like they are ignoring these things or trying to spin it like they are not real problems (as certain commercial and proprietary software vendors are prone to do). This is, in fact, quite good for the users.
Good month. Finding lots of bugs, and fixing them, is a good thing. We don't need to pretend it's perfect and rosy and all nicely secure and won't ever need a patch or an update. We're realists on this side of the OSS fence. We know that software is only as good as the people working on it.
I'd like to extend a hearty thank you to this researcher for making Firefox even better.
http://twitter.com/onion2k
Using the "But, I must quickly fix those holes! It's open source and I don't need to wait on the foundation to fix it" as an excuse in order not to go out in the sun.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Solution: Stick with IE. Shoudda known.
This comment is printed on 100% recycled electrons.
This guy had found these security flaws which can only be good for us the users, cause it will be fixed.
Imagine a malicious user had found the same bugs and wanted to use it against us, the users, it would have been very very bad, and now this malicious user must work harder on his new holes.
Thanks man for finding these Sec-Holes for us. May god bless you
I hardly see this as being Firefox's fault. It's been a more common denominator to have Javascript as the culprit. There's always been some "handling" issue in just about every browser ever coded. So with this continuing, I'd be pointing all fingers at Javascript and nothing else.
Compliance should be the next target of finger pointing too. If Firefox seems to have its act together and it keeps falling prey to, and having to adapt to, issues of external development, I really think it's time for an overhaul on some highly exploitable Javascript code.
Look: if these bugs exist, they should be fixed. If more of them are discovered this month, it means Firefox will be less buggy and more secure for the rest of its lifecycle.
I don't know anyone who has lost faith in Firefox or switched back to anything else. It's still a great browser and seems to be getting better. There will always be problems with software. The thing that's interesting here is that all of Firefox's good aspects and bad aspects are out in the open. That's what makes it work.
Yeah, I'm as old as my UID would suggest.
Sure, people see the downside of this.. I happen to see it as proof that Open Source works on the community scale. I now know these bugs can be addressed.. how many bugs are in IE7 that I can't see because of the closed source?
meh
No. It's how it works with Microsoft, it's not how it works with open source software.
With Firefox, if you disclose a hole to the public there's also a higher chance that someone outside the foundation, from the public, could try to fix the hole. (Which might not be too difficult for an outsider if the fix is just adding a check to avoid invalid input.) If you only disclose to Mozilla, the list of potential patchers is small and most of these are already busy fixing the other holes and developing, and you take the risk that in the meantime some cracker group discovers the problem independently and writes an exploit script.
Whereas with Microsoft products, if you disclose the problem to the public, they can't do much apart from switching to another product or waiting until Microsoft's developers finally fix the problem. So from the company's viewpoint, there's no usefulness in disclosing a hole to the public.
Clicks sly fox icon this morning "stand by while firefox is installing the latest updates"...what boooogs?
Got Code?
Buffer overruns happen. Security models have holes. This is nothing new, and you'll find it in damn near every software project of any complexity.
The rational ways of dealing with this are a very dictatorial style of project management to get it right the first time (See: OpenBSD) or a quick and responsive way to kill security-affecting bugs dead. Firefox, with its gazillions of volunteer and paid programmers, opts for the latter. Too often, closed source developers just sit on these bugs, or sue the people trying to find and publish them, or use their marketing department to cover for their developers' shortcomings.
I'm pleased and reassured that Firefox is having these issues. Active and open security research will always result in a stronger product, and delays to deal with them are acceptable so long as the software is better for it. Even OpenBSD's been hacked a few times, and it's how you deal with it that's more important.
Microsoft's stuff is broken for =years=, which allows a security nightmare. Firefox is broken for a few days, or a month or two... too quick for all but the most dedicated and talented black-hats to take advantage of. Give me this over Internet Exploder any day.
When will we see a stable and secure project? That's an important question when dealing with closed source products. On something like Mozilla, with an open development model, the project goals and progress aren't company secrets... we actually know exactly why something has been pushed back, and can make reasonable judgements about when it will be back on track for ourselves. This is one of the more important aspects of open source that corporate IT overlooks... the ability to plan for and work around changes in the release schedule.
So, yeah, setbacks happen. To everyone. How the setbacks are dealt with is where the rubber meets the road. Firefox is generally ahead of the industry here, too.
The question on my mind is - what is Zalewski's incentive in releasing this information directly to the public instead of first to mozilla, esp. just following a release...? It can't be to gain trust/admiration by the open source community. It also can't be to gain trust by corporations either (releasing notice of a flaw just after a new release and without first contacting the company must scare the pants off of any corporation!) Is it merely hubris? Or is there some corporate smear money being exchanged here?
We're constantly being told that market share is not the biggest factor in the security equation. Because e.g. we're constantly pointed to the example of a piece of software (Apache) with enormous market share that is almost never breached. We're constantly told these things 'cause they're true.
My turnips listen for the soft cry of your love
I realise many have said this already, but my own personal spin:
Since we know (generalisation, I know, but it works) that any big piece of software is going to have bugs, surely all this means is "woo, yay, look, Open Source's benefits wrt bugs are real", since fast and good response to bug reports has been shown. If it's easy to find bugs, and when found, they're being fixed quickly and well, and we know that bugs are always going to happen, then why is this anything but superior to other closed source competitors who've had less bugs found?
There are probably going to be just about as many bugs in Firefox as there are in any other browser. However, the reason Firefox is so secure, is not because it has less vulnerabilities (although it might), but because it doesn't take Mozilla and the Firefox community three months to patch it. Security updates are generally available every 1-2 weeks.
That is what makes Firefox a browser which focuses on security. Not the idea that it should be impenetrable in the first place.
-Eddie
There is one problem with the flaw, it's very hard to reproduce, I think I reproduced it once in a 1.8 branch build, but not afterwards.
If anyone can reproduce it consistently, and has a 1.8 debug branch build, it would be great if he could try and give a useful stacktrace in the bug.
I barely surfed 2 pages after updating to 2.02 and I'm already crashing again.
Like, say, paying for security bug reports?
I bet if Lcamtuf heard he's being called a 'researcher' he'd be rolling in his grave.
After dropping dead on place, that is.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
What on earth are you talking about?
'Hello World' runs on Windows. Does that make it a buggy and vulnerable program? Your logic baffles me.
Lord High Crapflooder The Right Honourable Vlad Craig Esther McDavenpherson III
Destroyer of Mercatur.Net
A Gentoo developer refused your patch, except for Gentoo? Go Gentoo! Man is that corrupt.
I mostly use Gentoo - I've done well with it running servers almost from its conception. But the Gentoo developers and maintainers, on the whole, are developing increasingly obnoxious attitudes towards their users - which makes no sense at all considering Gentoo users on average have higher skill and knowledge levels than the users of the other popular distros. A few years ago bug reports were handled as well in Gentoo as anywhere; these days, not so much.
There may be a social problem to be solved. In the early days of any major open project, there's good will and enthusiasm to go around. But as the social networks supporting the project age and expand, they get grumpy and immune to criticism. Part of this, with something like Gentoo, is that the most capable people were in at the beginning but have wandered off, and now the developers/maintainers just don't have the same level of ability, so tend to cover their deficiencies by blaming the users. Is the trick to somehow make aging projects fun again so that the best people are attracted back in? How would you do this without seeming to under-appreciate the less-able cruft who need to be swept out of the way to make room for the able? - tough when they're volunteers.
"with their freedom lost all virtue lose" - Milton
When it comes to software performance, it's pretty useless to compare the performance of your software to a previous version of that same software. You need to compare your performance to that of the current leader in the same market.
Maybe Firefox 2 is faster than Firefox 1.5. But compared to Opera, Konqueror and Safari, it's still quite slow and extremely bloated. Apparently it's also quite insecure, too.
KDE 4 is getting very close to being released. Its native support for Windows will bring Konqueror to a whole new audience, thus drastically changing the Windows browser landscape. Unless the Firefox developers really get their asses in gear, which apparently isn't happening, Konqueror will come along and smite Firefox.
If the beta released today is any indication of what the final KDE 4 release will be like, then Firefox had better watch out. This new version of Konqueror already has the speed. It has the stability. It has extremely low memory usage (but still higher than Opera). I don't know if Firefox will be able to compete unless a massive rewrite is undertaken. But if they do wish to remain competitive, they'd better get going.
To the IDIOT who tagged this HAHA fuck you. Would you rather have the DEFECTIVE BY DESIGN INTERNET EXPLORER? What the FUCK IS WRONG WITH YOU FUCKTARDS? HOW THE HELL can you not support software that is actively working to help security and sane web design practices, instead throwing your love toward an evil, demeaning, shitty, fucked up corporation's FAILURE of a browser?
Fuck all of you idiots that love Microsoft and IE. Fuck you right in the ear.
On both my Win2K and WinXP boxes, I still have to apply this fix every time Firefox 2.0 updates itself. Had to do it just yesterday when 2.0.0.2 was released. WTF is up with that? Is there something weird about both of my systems that Firefox doesn't like? How are non-technical users supposed to deal with crap like this?
It probably baffles you because you are a long time windows user and are used to crap software. Windows is very buggy and its past history of "security" is beyond dismal. Do you care to actually deny that? And if you haven't noticed that yet, oh well, I guarantee other people have. And it has gotten way past old when there is a headline "new security problem with firefox", when what they mean to say-most of the time- is another security problem on the windows platform running the windows version of some browser.
The windows version needs to be spun off completely from the other versions, and vice versa. Let the windows folks deal with their stuff, I am just calling for a mainstream non-windows browser for the other folks, because it makes no sense whatever to "share" bugs and security problems from always trying to code to keep windows secure. That's microsoft's problem basically, they should deal with it, and folks on open source platforms shouldn't even need to bother with it.. The mozilla project is a very nice project, but let's call a spade a shovel here, it is primarily just another microsoft windows application, anything else they do is ancillary and an afterthought to their primary goal, to make an alternative to INTERNET EXPLORER, which is a windows project, and, in addition, there is little reason for the projects (closed source operating system versus open source operating systems) to be combined with "one" browser now except inertia. It's also just a crutch to keep windows people using windows, again, anathema to a lot of open source folks. Granted, not all by any means, but I bet a lot of open source people feel the same way. It's just getting *old* having to deal with windows problems when you don't run windows, and as well intentioned as the mozilla FF project is, it cannot be denied it is primarily for windows, and as such, the coding weirdness slops over all the time to the other platforms. It would be *better* for there to be different projects, completely different, better for the windows folks and better for the linux/bsd/solaris folks. And Apple can run their own mess, I consider that to be irrelevant to this discussion at this time, although some similarities exist obviously, I am mainly meaning the big MS-Linux split. I would just like to *further* split the efforts up.
I don't trust windows applications half assed "ported" to linux, not for the long haul anyway, nor do I appreciate all the "enthusiasm" to keep people on their software, because it is a security threat, and the total cost of ownership to society is huge (keeping MS rich in general), and they are chronic serial crooks. And Ballmer keeps threatening linux people, so I don't think ANY open source project should deal with windows expensive mal/bug/crapware.
Software works in the same way.
If you are using your Web browser to do critical jobs like online banking, you should continue to use the latest iteration of Firefox 1.5. The latest iteration is version 1.5.0.10. If you are still using Firefox 1.5, look under the "Help" option to find the option, "Check for Updates", which will enable you to upgrade to 1.5.0.10.
Continue using version 1.5 until 2007 April 24. On that date, Mozilla programmers will cease fine-tuning version 1.5.
After April 24, switch to version 2 of Firefox. Waiting 2 more months before using version 2 will give vital time to Mozilla programmers to fix any critical problems in the new version.
This is totally Moot. Since I downloaded and installed FireFox 2.0.0.2 this morning, which means the updates are available for all.........
Actually, Hello World v1.0 will occasionally display "Goodbye, cruel world" instead, then delete itself. I think it's something to do with the program gaining sentience and recognizing the banality of its existence or something.
The factor that determines security is never the number of exploits found; it's the rate at which they are fixed.
I would rather have 10 flaws that are fixed in days than 1 that takes 3 months to fix.
Firefox is a great browser, but it's written in regular code by regular humans.
We shouldn't expect it to be perfect.
God Be Gone
Spread a little rumor!
Fixing a software artifact such that it behaves as it is advertised when an underlying assumption changes is the hallmark of a competent software maintenance process.
Using the poster's logic, the world would be a better place if (say) Microsoft, Oracle and Cisco fired their respective QA staff; no bugs found implies no problems.
Most Critical Firefox Flaw Remains Unzapped!!!
Interesting read at http://securitywatch.eweek.com/open_source/all_the_firefox_flaws_hunted_down_1.html
. . .of pharmaceutical ads. Before the FDA allowed ads on TV in the US, the only way most people became aware of a drug's side effects or dangers was if enough people started exhibiting symptoms to cause a newsworthy event. Now that the drug companies are required to give full disclosure, everyone has a knee-jerk reaction to the cautionary statements on pharmaceutical drugs, even to the point of arguing with their doctor on the merits of the drug in question.
Every time Firefox vulnerabilities are found, it seems people are falling prey to this same mentality. "It's got an exploitable security bug! OMFG! F'ing programmers! Firefox is a piece of shit!" The bottom line is: Everything that is made has defect(s). FF is no exception. For my part, I would much rather be informed of possible pitfalls, however remote, than be kept in the dark until the horse is already out of the barn. I feel much safer surfing with FF and noscript than IE any day. When was the last time MS took a reported IE exploit that didn't come from their own camp seriously? Kudos to Mr. Zalewski for his efforts. Kudos to the Mozilla team for their efforts in tightening up security on the best browser that has ever been written.
"If your parents never had children, chances are you won't either." -Dick Cavett
Well, how often we can read that, but if the basement is cracking what will happen to the rest of the house? I would like to see what are the vulnerability stats for Firefox on Mac or Linux.... let's see the comparison, maybe that will help people decide which OS to choose in the future.
This "independent" security researcher also happens to have a book published by a reputable publisher and another in the works. Cheap advertising, indeed; too bad he had to become a black-hat to get it.
You've got a Live Bookmark to "Latest BBC Headlines." It's in the default installation. A live bookmark is basically the subject lines from an RSS feed in a submenu. Not very useful, but not exactly a bug either -- technically, you are subscribed to a feed, you just don't know it.
It's located in Bookmarks -> Bookmarks toolbar folder (at least on my installation), and in the bookmarks toolbar.
Slashdot: Computer/car analogies for nerds.
IE7 on Vista runs in a "jail". There's a new thing in Vista called Integrity Levels. Low IL has the lowest privileges and can't write anywhere. High IL is "root". User normally operates in Medium IL. Thing is, IE7 is started in Low IL. So even if it's broken, no one can silently install anything, write anywhere or even infect its binary.
It's almost like SELinux, but without process isolation. Entire layers of processes are isolated instead. And in contrast to SELinux, you can't turn it off.
Firefox folks need to consider using Low IL for Firefox as well. There's nothing in there preventing them from doing so.
The best and the safest web browser ever!
$ wget http://slashdot.org/
$ html2text index.html | less
I don't know about anyone else, but the 'copy/paste' bug (AFAIK, in textarea elements) is doing my head in. Granted, this may have been fixed in a later version, but seeing as our support profile currently includes 1.5, we're left with little choice in the matter.
Very frustrating, to say the least.
Is Scooby Doo writing the posts these days? What's "Februrary?" The month after "Janrurary?" Right before "Marrrrrch?"
Good month. Finding lots of bugs, and fixing them, is a good thing. We don't need to pretend Windows is perfect and rosy and all nicely secure and won't ever need a patch or an update. We're realists on this side of the Microsoft fence. We know that Windows is only as good as the people working on it.
I'd like to extend a hearty thank you to this researcher for making Windows even better.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
Obviously enough, NoScript users were immune from all these vulnerabilities, and from most of the yet to be discovered ones too :P
There's a browser safer than Firefox, it is Firefox, with NoScript
The defect information is fed back to the Toyota engineers, and they redesign the defective parts of the Camry. The third-year release of the Camry should be quite reliable. (Toyota [msn.com] has some of the highest rates of recalls [thestar.com] in the automotive industry. Toyota typically recalls nearly 10% of its vehicles -- versus "only" 7% for General Motors.)
If you are using your Web browser to do critical jobs like online banking, you should continue to use the latest iteration of Firefox 1.5. The latest iteration is version 1.5.0.10. If you are still using Firefox 1.5, look under the "Help" option to find the option, "Check for Updates", which will enable you to upgrade to 1.5.0.10.
Don't you find your advice and your example conflicting? You're urging us to use the second-year release of Camry versus the third-year release.
Just because it was called "2.0" doesn't mean it's really that new compared to 1.5. In fact there were more changes to the core of Firefox between 1.0 and 1.5, than 1.5 and 2.0.
What you see are mostly changes on the surface: new (uglier) icons, new (uglier) tabs, couple of usability changes to the UI. The core is virtually unchanged (except the regular minor patches).
hahaha mod parent funny
Firefox was marketed and touted as the "SECURE BROWSER". That is all I heard from the Firefox-zealots at work. My, my, my how the times have changed.
Ok, so it appears that bug is already fixed in the 2.0.0.2 release of Firefox.
So maybe the post can be updated?
Not only is it less stable than Internet Explorer but it is also less secure. WAY TO GO TEAM FIREFUX!
Naturally, the shitdot sheeple will somehow blame Microsoft.
Reactive Patching is NOT the same as writing secure code and does NOT equal a Secure Browser. The FF folks seem to want it both ways...bash other browsers for being insecure and looking the other way when FF flaws are exposed. The "award-winning browser" is worse than ever. You can no longer browse the web with confidence assuming Firefox protects you from viruses, spyware or pop-ups. You'll be lucky if you enjoy performance improvements, ease of use or even privacy. It's easier than ever to lose your favorites and settings, and have to start again. I can go on and on and on. I'll stick with Opera, thanks.
first postponing the 2.0.0.2 update, and then finding a remotely exploitable flaw in it immediately after its release
The remotely exploitable flaw, bug 371321, was reported at 5:35 pm (California time) on Thursday. We had been planning to release Firefox 2.0.0.2 on Friday morning. After some discussion, we decided to go ahead with the release and then follow up with a quick 2.0.0.3 once we had a patch for the newly discovered hole.
After releasing Firefox 2.0.0.2, we realized that bug 371321 didn't affect it, thanks to another patch that went into Firefox 2.0.0.2 for non-security reasons. So although we didn't know it at the time, we released a fixed version of Firefox about 16 hours after the most serious hole was reported.
The testcase in bug 371321 did lead to a fix for a similar bug that existed on trunk, though.
The shareholder is always right.
Die javascript die! Dammit, it keeps coming back! Can't we put a stake through its heart or something?
While everyone keeps saying that Firefox's vulnerability record is getting worse and how that's a result of the growing marketshare, it might be a good idea to take a look at the facts. Admittedly there were a couple of widely publicized vulnerabilities due to Zalewski's decision to go with full disclosure. But it's only publicity. The actual number of vulnerabilities fixed in consecutive versions since 1.0 isn't growing. As a matter of fact, 2.0.0.2 has a pretty good record as far as the amount and seriousness of discovered holes are concerned.
Since when is it "bad" that vulnerabilities are being discovered? The "Bad Month" happened when the vulnerabilities were created, not when they were found.
http://outcampaign.org/
When he left, it was over. The good part about Gentoo is that it didn't suffer from the externally visible political BS that Debian did and does. Unfortunately, when he left, the structure he put in place resulted in pretty much the same thing. In addition, the quality of the stable tree is in deep decline, and changes to portage are regularly made that impact the ability to emerge packages successfully. When I have to start hacking ebuilds myself to get them to compile because of stupid upstream changes to portage, at that point LFS starts looking very good.
I still run Gentoo but the days are numbered.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
As a GNOME desktop user, I gave Epiphany a try but found its bookmark system so odd I couldn't get used to it. Furthermore, it seems to be less brilliant in picking the right fonts from the system. I find Firefox on Linux to be so freakingly slow compared to the Windows version. I would love to use Konqueror from GNOME, but if I do "yum install konqueror" or whatever the package name is, it also installs the whole KDE thing and puts lots of bloat in my system menus with K-this, K-that, etc. Does anybody know of a statically linked version of Konqueror, so that one can just install that package? Or even a way to compile this yourself? If so, it would be interesting to package this as I'd switch overnight to a khtml-based browser. I know of a project called Gtk WebCore, which could be an alternative, but that Nokia spin-off project seems to be stalled unfortunately ...
Firefox isn't superior to Opera.
Also, it will occasionally claim it's "pirated" and delete %UserProfile%.
"It ain't a war against drugs. It's a war against personal freedom" --Bill Hicks
According to https://bugzilla.mozilla.org/show_bug.cgi?id=371321 (copy/paste link, Bugzilla doesn't like /. links), this bug is already fixed in 2.0.0.2 and 1.5.0.10.
Well, you surely got some known holes now :)
Patents Drive Free Software as Hurricanes Drive Construction Industry
How is this a bad month for Firefox? If vulnerabilities are found, they would be fixed promptly. This is something Mozilla has always done and something that keeps us users and developers very happy. It was bad timing that he disclosed this vulnerability right after 2.0.0.2 was released, but rest assured that a fix will be out very soon. I think this happened once before, where Firefox version X and version X + 1 were released within the same month.
It would be good that such vulnerabilities weren't there in the first place, but anyone that knows a bit about big software will tell you that that's wishful thinking. Firefox has proven to be extremely safe to use, and Mozilla has proven to be committed to keep it that way.
And yes, I wouldn't say this when a vulnerability for IE is released, because I'm well aware that their release cycle has a span of months, even years. Closed source / Open source or free / MS have nothing to do with it. Firefox is a better product, period.
to say it's because there are more users. Isn't that what has been said about IE all these years? Not that I don't agree.
"If vulnerabilities are found, they would be fixed promptly. This is something Mozilla has always done..."
See this Slashdot comment: Mozilla Foundation Top 20 Excuses for Not Fixing Firefox Bugs.
The last time I got information, the Mozilla Foundation was headed by a woman with NO technical experience and very, very little social ability.
--
Is U.S. government violence a good in the world, or does violence just cause more violence?
"Publishing detailed explanations of the exploits on your blog gets them fixed within a few weeks."
Saying over and over that "Firefox is the most unstable program in common use" gets the bugs fixed in 2 years. Firefox is more stable now that they fixed the CPU hogging bugs, but wow, what a hassle.
See this Slashdot comment: Mozilla Foundation Top 20 Excuses for Not Fixing Firefox Bugs .
The last time I got information about it, the Mozilla Foundation was headed by a woman with NO technical experience and very, very little social ability.
As others have said in this discussion, the Mozilla Foundation is hugely dysfunctional. It often happens that people post very serious bugs and they are ignored for YEARS. Read the links I posted, and the links to the links.
Great sense of community? She is one of the most painfully socially limited people I have ever seen.
Can someone with no technical knowledge run a technical organization? No. Such a person cannot know the truth about the health of the organization.
You are giving her credit for the achievements of the technically knowledgeable people. No article by a writer with no technical knowledge in a business magazine changes that.
Now the Mozilla Foundation makes $50 million per year for making Google the default browser in Firefox. When she was first made to be in charge, it was, as she herself says, entirely an accident. No one else wanted the job of being the non-technical administrator of a company with almost no income.
Wow! I don't have the time to understand the bug thoroughly, but it certainly has the characteristics of the CPU hogging bug. I like this: Comment 31: "... if the loop is length more like 25,000 instead of 250, does the number of inner windows actually increase to 25,000? I see 250 inner windows with the testcase for sure..."
..." You really owe it people and yourself to visit the extensive documentation to which I linked, for example, before you think that someone is trying to do harm.
That certainly seems like the CPU hogging bug. Fixing the bug took more than 4 years, and resulted in a lot of foolish and sometimes abusive behavior from Mozilla developers, like the 20 excuses linked above. I learned how little Mozilla developers know about the theory of science.
Still, nothing about this changes the fact that Mozilla Foundation needs technically oriented top management. I would volunteer for the job, but only long enough to find and hire and train the right person. Could I really do that? Yes, but I don't expect to be asked.
If I were the temporary head of the Mozilla Foundation, my priority would be to fix the remaining bugs. My second priority would be to integrate SQL Lite into Firefox everywhere it is needed.
The issue with the CPU hogging bug is this: Browsers are our windows on the world; they are VERY important. I don't accept any cynicism about the importance of browsers; it is literally true that they are important to the human efficiency. People like me who often have 10 windows with 30 tabs each really suffer when every window and tab crashes. I'm not the only one.
Opera is stable and also free, but suffers from some bad design decisions. For having a look at Digg and Reddit and other common destinations, I use a separate computer and 10 installations of Opera. I like that Opera can be installed in separate folders that don't interfere with each other.
I was surprised by this in your comment above: "You're probably just trolling,