10-Day Patch Guarantee Not Mozilla's Policy
narramissic writes "Mozilla has officially backpedaled from a pledge made at Black Hat by the company's director of ecosystem development, Mike Shaver, to fix any critical security bugs in the browser within 'Ten ****ing Days.' On Friday, Mozilla security chief Window Snyder wrote in a blog posting that the 10-day pledge is not Mozilla's policy, saying 'We do not think security is a game, nor do we issue challenges or ultimatums.' And today, the open source browser maker issued a statement retracting the pledge."
And he's already explained how his comment got out of hand and what he really meant by it.
Glad you enjoyed the party, Robert. To clarify, I was making a personal commitment, not a Mozilla one, that you could redeem that card if there was a vulnerability that you believed needed to be turned around in 10 days. I didn't consider at the time that it would be taken as a Mozilla policy statement -- even *I* don't make new policy announcements at late-night parties in Vegas.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
If your post isn't a troll, perhaps it is a poor attempt at humor.
Mozilla welcomes vulnerability information so that it can address them
Mozilla is pretty quick to address vulnerabilities
MS won't even admit to a vulnerability unless enough of a stink has been made that the world already knows about it.
MS has often ignored serious vulnerabilities until they deemed it necessary to resolve them (see previous point for definition of "necessary")
Don't worry, Mozilla has a long way to go before they slip as far as MS...
StarTrekPhase2 - The Five Year Mission Continues!
The Debian thing is not a strike against Mozilla. Their stance is correct and clear. You can't have someone else using your trademark to cover something that they are supporting.
That wasn't really the problem. I think there were a few disagreements on some defaults Debian had set, but in general I don't think Mozilla would have any problem rubber-stamping it like they do with other distros' versions. Where it really broke down wasn't really a practical problem; it was more policy vs. policy.
Mozilla's policy is that they must approve anything using the trademarked name and logo, so that they can stop bad versions with spyware, adware and such.
Debian's policy is that they must be able to apply security patches immediately without approval from any third parties.
In themselves, both are admirable policies, but the road to hell is paved with good intentions. In practice there wouldn't have been any problem getting security patches into Debian's version in a timely fashion with Mozilla's blessing, but one of the policies would have had to make an exception. Neither Mozilla nor Debian were willing to bend on their principles, and so Iceweasel was born. Yes, it's a policy aberration, but I don't feel one side was being more unreasonable than the other.
Live today, because you never know what tomorrow brings
The real problem was that Debian was using the Firefox logo with modified Firefox code (as in: Debian patches not in the official Firefox build), which is against Mozilla policy.
That's where it started, not where it ended. It went something like:
Moz: "You're using some mods to Mozilla with the official logo, stop it."
Deb: "Ok, but some of these changes we want/need to do."
Moz: "Submit them to us and we'll approve them. Oh and those won't go through."
Deb: "Ok, we can drop those. We'll submit the rest."
Moz: "Good. And you must also submit any updates to us first."
Deb: "In general ok, but security patches we'll push immediately."
Moz: "No, you must. Mozilla policy."
Deb: "Not acceptable. Debian policy."
I think my post was fairly accurate, only I didn't include the backstory; there was dialog to fix the rest, but the policies were the deal-breaker.
Live today, because you never know what tomorrow brings
Mozilla is certainly free to license their Firefox trademarks how they like, and if someone does not want to abide by that license, then they will not be able to use the trademark. In this case, it appears that Debian was not willing to abide by Mozilla's terms, so they gave up their license and renamed it to IceWeasel.
Like it or not, that's how trademarks work.
As always - IANAL.
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
- Debian has a policy of not introducing new upstream versions into a stable release. Instead, any necessary security changes are backported. MoCo's policies tend to counter this. But this was not too major an issue, and could likely have been resolved.
- Debian distributed Firefox with some patches. MoCo's policy is that patched browsers cannot be labeled "Mozilla Firefox" or "Firefox" without special approval. Debian policy is that any such permission must not be Debian specific, nor can it excessively delay the release of security fixes. It seems likely that there would be negotiations, and eventually a reasonable compromise could have occurred.
- However, there was the deal killer: the Firefox logo. The Firefox logo's copyright license does not meet the DFSG. Debian has a very strict policy there. It is not a problem that the logo is a trademark, and thus has special licensing conditions. The problem is that MoCo was not willing to consider placing the logo copyright under a free license and simply placing restrictions on the image as a trademark. Debian therefore was unwilling to distribute the logo. Debian was willing to use a replacement logo that had been manually recreated and looked nearly identical to the original. Obviously the use of that recreation would be subject to any trademark restrictions of MoCo. However, MoCo's policy was that only the official logo could be used, not a nearly identical replacement; the logo's copyright license was not going to be changed; and the "Firefox" name cannot be used on a browser without the logo. MoCo was not willing to compromise on these issues at all. So the choice for Debian was to allow the official logo in despite its failure to meet the DFSG, have a renamed version of Firefox, or have no Firefox at all.
As you can see, that last issue was an absolute killer. It was not even worth working to resolve the other two unless that one was fixed. MoCo was not willing to compromise at all on the last issue. Debian decided not to compromise on the DFSG issue. So now we have Debian Iceweasel and Icedove.
Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524