10-Day Patch Guarantee Not Mozilla's Policy
narramissic writes "Mozilla has officially backpedaled from a pledge made at Black Hat by the company's director of ecosystem development, Mike Shaver, to fix any critical security bugs in the browser within 'Ten ****ing Days.' On Friday, Mozilla security chief Window Snyder wrote in a blog posting that the 10-day pledge is not Mozilla's policy, saying 'We do not think security is a game, nor do we issue challenges or ultimatums.' And today, the open source browser maker issued a statement retracting the pledge."
And he's already explained how his comment got out of hand and what he really meant by it.
Oh, c'mon. At most 7 different outlets. You've gotta allow for dupes, after all.
My blog
For me, I always thought that Mozilla was a small and nice open source company. These days, it feels to me as if Mozilla is starting to blend into the corporation scene just like any other evil corporation. The whole Firefox naming debacle on Debian, and now this. Now that they're controlling a big market of the web browsers space, should we continue trusting them? Would it be time to look at Konqueror or other browsers?
The hip way to get your IP. No ads, ever.
Upon hearing the news of this "flip-flopping," President Bush confidently stepped in for the Mozilla group and challenged the black hats to "bring it on."
Your ad here. Ask me how!
See, that's what happens when you drink too much Bawlz (tm!) XD
Making that sort of pledge is rather rash. I am not saying it can't be done, but I don't see it as simple to fix anything anytime.
Questions you have to ask are:
Is it really a bug?
Can it really be reproduced?
etc etc
Being timely in bugs is good. But not all crashes are the result of bad software. You have to be sure your fix doesn't turn another thing into a bug. They would soon end up chasing after every little bit of dust and lose sight of their real work.
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
Glad you enjoyed the party, Robert. To clarify, I was making a personal commitment, not a Mozilla one, that you could redeem that card if there was a vulnerability that you believed needed to be turned around in 10 days. I didn't consider at the time that it would be taken as a Mozilla policy statement -- even *I* don't make new policy announcements at late-night parties in Vegas
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
M0d 7h15 uP @$ PhuNnY, d00d!!
!#$%@%#^@%#$^@%$^^$%^&&^
It's truly sad to see Mozilla start to take this route. Even making a joke about it would have been good. "Our eco director meant ten Plutonian days. Unfortunately, he was not aware that pluto is no longer a planet and as such should not be used for a timescale in contests."
IOU one (1) signature
My mayor ran on the promise of "fixing any pothole within 24 hours of discovery." Of course the roads are still filled with potholes. Turns out, it was 24 hours of any confirmed pothole, which is trivially easy as the pothole confirmation team is as slow/backed up as the pothole filling team.
Firefox is not all open source projects. Mozilla may have grown too big too fast, but I hardly see the entire FOSS world taking the stance that end users should fix bugs.
I don't get it... what's with the stars?
...we still have companies like Google that can set good examples.
If your post isn't a troll, perhaps it is a poor attempt at humor.
Mozilla welcomes vulnerability information so that it can address them
Mozilla is pretty quick to address vulnerabilities
MS won't even admit to a vulnerability unless enough of a stink has been made that the world already knows about it.
MS has often ignored serious vulnerabilities until they deemed it necessary to resolve them (see previous point for definition of "necessary")
Don't worry, Mozilla has a long way to go before they slip as far as MS...
StarTrekPhase2 - The Five Year Mission Continues!
Most Geeks feel very lucky if they get laid once a month or so. Therefore ten fucking days is about ten months or so. Should be able to roll out a patch in that time, especially since we get so many days to work on software rather than having sex.
Engineering is the art of compromise.
NT
The Mozilla folks were being silly about the use of their trademark.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
to hold up to the 10-day pledge but in the end, if something major holds back a fix, are we all going to bash them for missing the 10-day pledge? I doubt it. After all, we are not talking about Microsoft. These people are trying to do the best job possible and don't have to consider how the browser fix would interfere with some feak'n gumball machine driver that has IE code in it.
But she's right in that they really shouldn't be making statements like that without having discussed this with their team and doing so could be considered a challenge to others. Not something you want to do with a company willing to pay billions just to purchase marketshare let alone how much they'd be willing to put into ads and other FUD should a fix take 241 hours.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
Are the censored four letters "work"?
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
Yes, like Microsoft, the Mozilla security chief will resort to insulting the competition. I expect he'll make many snyde remarks about Windows.
I hate printers.
As an aside, it always seems the network and hardware geeks are the ones who smoke pot, and the database and BSD guys who like their vodka. The C/C++/Java programmers (this is my category, usually) are chain smokers - Marlboro Reds in a soft pack style, and caffeine junkies. How many of you have a Mountain Dew can that you're drinking next to an empty Mountain Dew can - and both are still cold to the touch? Yeah - all the programmers.
And the Mac guys generally seem to be clean cut replicas of Jeff Goldblum, for the most part. They're health conscious, and probably taking on a good number of sunshine units from those freakin' 45 inch MacBook Pro screens as they tend to be fans of irony. Mac guys also probably currently have a half gallon of water, in a jogging harness, on their desks right now... probably the cleanest desks on
Oh, and I think the Amiga guys are in to acid or something - that's why they've been in their garages for the last 15 years hacking away. Poor guys don't even know their wife unplugged the monitor 3 years ago.
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
director of ecosystem development?!
What kind of title is that?
They might have a long way to go, but every journey begins with that one little step and this definitely looks like that step...
Me failed English...
FreeBSD over Linux. If my comments seem odd, this may explain...
It's really strange. Mozilla wants to give our enemies a timetable. Never in the history of software patches has a browser company been asked to give a timetable. I'm for victory.
It's a mistake to put your unconditional trust in any organization or institution, no matter what branding or happy face they show to the world.
Well said. I certainly wouldn't unconditionally trust any individual package of software. For instance, the number of people I know who apparently trust their browser's password manager to keep username/password combos for critical things like internet banking safe is nothing short of appalling. The security on them may even be quite good, but they only have to be compromised once to completely ruin you.
That's not to say we shouldn't use things like password managers. It would be mildly inconvenient, for instance, for me to lose my Slashdot ID, but hardly the end of the world. But trusting software instead of common sense is wilful stupidity.
My mayor ran on the promise of "fixing any pothole within 24 hours of discovery." Of course the roads are still filled with potholes. Turns out, it was 24 hours of any confirmed pothole, which is trivially easy as the pothole confirmation team is as slow/backed up as the pothole filling team.
You must be from Houston...
I've actually seen construction crews create potholes and then not fix them. And the heavy metal sheets they place on the concrete roads are worse than the original hole.
How good of an idea is it to hire a guy named Windows as the top security chief?
It's a real world and everyone understands that when someone says "we pledge to fix ALL reported security bugs in 10 days" it really means 99% of bugs, save for a few extraordinarily difficult ones. Furthermore a temporary fix can be partial - just add some regular expression filter eliminating likely exploits - and it can involve disabling all but the most core functionality until the real solution is found. Imagine an extension turning off all plugins and running in a chroot jail as nobody until the user confirms that a particular site is definitely trusted. Given these constraints, why can't the Firefox foundation respond to any reproducible threat within 10 days? Unless of course they are run by geeks who care more about passing the latest CSS test than keeping users' credit cards out of Russian hacker sites.
The stupid thing is it is a statement of policy, it's just that it's not in marketing speak.
If your brother says something like that you know you'll get either that or a good excuse. The good excuse is always an unwritten option; it's just with professional liars that you have to tie them to every single written word, because trying to pin them to a statement is like trying to pin live eels!
I think we should be more concerned that the head of Mozilla Security is a Windows Nyder. Nyder is a phonetic anglicization of "Najder" which is the Welsh word for snake.
Actually, they always were "corporate", but I don't think that's necessarily "evil".
Honestly, the shiny happy image of OSS as a community where thousands of volunteers in their free time do all sorts of useful things -- i.e., ESR's "bazaar" -- stopped being true, oh, about a decade ago. It was true when software complexity was on the level of "ls" and "cat" and had enough lines of code to need a day or two to fully understand and be able to add your own clever switches. When you need to understand a whole framework and a million lines of code, practically no one bothers with it. Understanding someone else's code and framework just looks too much like work, and just isn't as good for instant gratification and bragging rights.
So almost all OSS work lately is actually done by corporations.
Mozilla itself always had a paid team of _employees_ for example. The development was first paid for by Netscape, then by AOL, and nowadays it's funded by Google. It's not exactly the traditional model of selling a product, that's for sure. (AOL mostly wanted a threat to extort MS with for subsidies, and Google does it for free advertising.) But it's a small cathedral anyway, and the development model sure looks no different from the one at MS, from where I stand.
It's not the only piece of software whose development works like that. OOo is worked on by Sun's paid developers, Apache is mostly IBM work, at least Trolltech (you know, the guys behind all the pretty widgets in KDE) is a company, etc. A lot of other frameworks come to mind too. E.g., Xerces and Xalan are IBM work.
If you look at the kernel release notes, well, you'll notice that most email addresses are from IBM, RedHat, etc. And there's a reason why SCO thought they could hand-wave a case against IBM in court (other than that Darl is on crack): because IBM did donate a ton of AIX code. SCO just had no rights to that AIX code, but it's in there. Other parts of it were, basically, paid contract work for some company. E.g., since Hans Reiser has been mentioned a lot lately, ReiserFS development was paid for by SuSE. Etc.
Heck, even the fact that now we can sneer at MS's security problems, is because at some point RedHat paid for a code review and security audit of Linux. Before that (e.g., in 2000 or so), a non-firewalled Linux machine on the Internet would get pwned in about half an hour.
And I'm not saying it's a bad thing or "evil". Those developers have to eat too, and it's just increasingly more work to make a modern program and/or to learn a whole framework just to add your own "print diagonally" feature to OOo. If you rely only on idealistic/utopian volunteers, it's going to be a long slow road to nowhere. See: Hurd. Or the tens of thousands of alpha-stage little projects on Sourceforge, where they _didn't_ get thousands of elite developers just begging to donate code and bug fixes.
The funny thing is, that idealistic bazaar model sure has plenty of apologists, but extremely few of them actually contribute anything except lip service.
On the other hand, if you were in it for some idealistic "stick it to the evil corporations" reason... well, sorry to shatter that nice illusion, but you're a decade or two too late for that. Sorry.
A polar bear is a cartesian bear after a coordinate transform.
How does django figure into this? Damn I'm a geek. 2many screencasts.
This is a step in the right direction, though. Guaranteeing to fix a future bug that you know nothing about in ten days is just plain insanity. While it's a nice pledge from a marketing viewpoint, developers realise that it's just a lie.
++ Say to Elrond "Hello.".
Elrond says "No.". Elrond gives you some lunch.
...who would take someone saying "we'll fix it in ten ****ing days!!!!!!1111one" to be equivalent to a corporate pledge? It's just talking smack and giving a sense of scale, basically saying "we won't make you wait for the first service pack in '09 for it to be stable, we'll put guys on it right away." Chill, corporate retraction dudes.
Maybe Mozilla needs to upgrade its Window Snyder to Vista Snyder. Microsoft says Vista is more secure.
Where did I say Firefox is all open source projects?
html/is-open-source-complacent-16924
"Unfortunately, that is the direction open source is headed."
This is referring to the attitude of the open-source teams, and it does seem to be going the same way the Mozilla teams are going. I do believe the open source teams will get to the point of telling people to fix the bugs themselves. Actually, it may already be the attitude of some open source teams. Allegedly, some have already used the line "If you don't like it, fix it yourself." No I am not trolling or trying to flamebait but if this is indeed the attitude of the Firefox teams "or open-source in general" then it needs to change if open-source is to grow. On the other hand, those who call it "open-sores" or Linux "Linsux" are simply immature.
http://www.cygwin.com/ml/cygwin/2000-06/msg00613.
http://blogs.ittoolbox.com/linux/locutus/archives
I have given suggestions for features to closed-source developers and every time they have stated they will implement it when there is enough of a demand for it. They also seem to take bug reports.
I find it difficult to understand how anybody would have taken that pledge seriously in the first place. For one thing, the way it was phrased. It's pretty safe to say anybody who uses the word F-followed-by-four-asterisks in a sentence is not stating official company policy. Add to that the inherent ridiculousness of the claim. It's like me saying I can dig any hole in the ground you want in two hours. Sure, maybe I have a pretty good grave-digging track record, but it doesn't matter if I have trapezoids of steel, I'm not going to dig the town well in 120 minutes.
My guitar chord generator.
You call me a "troll" simply because you disagree with me? If any post is flamebait or a troll it is yours. It is that attitude that is keeping people away from open source software.
Do a search on the Internet, using any search engine, and the attitude of "Fix it yourself" is becoming more frequent. Not everyone is a programmer, nor can everyone afford to hire a programmer. Some can, but it would be more inexpensive to purchase software. It isn't trolling to say closed source developers are more courteous towards the users. For open source to expand, the open source developers should be courteous and at times hold back from saying something harsh, as that could reflect very poorly amongst other open source developers.
If the attitude is unintentional and meant to communicate something other than they intended, then make it a point to learn better communication skills.
the government decided that caffeine is bad =(. You're... you're... kidding, right? Please say it ain't so!
Geeks, assemble! We need to start a charity for our oppressed brother in a foreign land!
I'll need a keg of Mountain Dew - no make it 2 kegs, a Red Bull truck, some rope, a carton of Marlboros, flares, a large parachute, sausage links, some explosives... an iPod, iPhone, MacBook Pro, power converter, and one of those backpacks that have the USB ports accessible from the outside. Oh, and ZZ Top's greatest hits encoded at nothing less than 512Kb/sec AAC. And if anyone has a plan, that would help, too.
On the bright side, any security is likely asleep on their post without caffeine. Make it happen; I need to shave my body and watch the Rambo trilogy so as to sharpen myself.