A Bad Month for Firefox
marty writes "February is not a good month for Mozilla developers. Infoworld reports about the efforts of Polish researcher Michael Zalewski, who apparently kept finding new vulnerabilities in the popular browser on a daily basis through the month, first postponing the 2.0.0.2 update, and then finding a remotely exploitable flaw in it immediately after its release."
Using the "But, I must quickly fix those holes! It's open source and I don't need to wait on the foundation to fix it" as an excuse in order not to go out in the sun.
"Sufficiently advanced satire is indistinguishable from reality."
JLC's /dev/random patches replaced the ad hoc poorly designed PRNG with one based on Fortuna, a real PRNG.
I suggest you look at the /dev/random source for a bit. For starters, what the fuck is TwoThirdsMD4? Why is it used? etc... The design may work, but we can certainly do better, with cleaner code, that makes use of the existing crypto in the kernel (instead of including multiple copies). Last I looked their SHA1 code wasn't even compliant [didn't do byte ordering swapping, which doesn't affect the security just compliance]. /dev/random can easily be cleaned up, improved, and made to use standard crypto primitives. It just means we have to dissolve Ted T'so's ego and beat him with a clue stick.
In the case of my patches, they were against [iirc] 2.6.18.2 not 2.6.19-rc2 or something. The last "." is supposed to be for incremental changes to reduce the time between major releases. It gives users a chance to try a work-in-progress kernel that has been through at least some testing. Otherwise, why even have the fourth level of releases?
I'm hardly the only person on earth disillusioned by the Linux kernel process. Sure it works, but the code is hardly ideal and pushing away contributors is NOT the way to make things better.
Tom
Someday, I'll have a real sig.