10-Day Patch Guarantee Not Mozilla's Policy

narramissic writes "Mozilla has officially backpedaled from a pledge made at Black Hat by the company's director of ecosystem development, Mike Schaver, to fix any critical security bugs in the browser within 'Ten ****ing Days.' On Friday, Mozilla security chief Window Snyder wrote in a blog posting that the 10-day pledge is not Mozilla's policy, saying 'We do not think security is a game, nor do we issue challenges or ultimatums.' And today, the open source browser maker issued a statement retracting the pledge."

It's Shaver

And he's already explained how his comment got out of hand and what he really meant by it.

Re:It's Shaver

[kent_eh]

I'm surprised that someone actually took something said at a party (even by someone in such a high position) as official policy.

If he'd said it during a keynote speech, sure, but at a party?

Re:It's Shaver

[loganrapp]

If Steve Jobs got blasted on Jaeger and said the next-gen iPhone would be made of cheese, dairy commodities would shoot through the roof.

Re:It's Shaver

[AvitarX]

He plants trees.

Re:It's Shaver

Close: he directs people to plant trees.

Mozilla Corporation becoming truly corporate?

[paulius_g]

For me, I always thought that Mozilla was a small and nice open source company. These days, it feels to me as if Mozilla is starting to blend into the corporation scene just like any other evil corporation. The whole Firefox naming debacle on Debian, and now this. Now that they're controlling a big market of the web browsers space, should we continue trusting them? Would it be time to look at Konqueror or other browsers?

Re:Mozilla Corporation becoming truly corporate?

[ZachPruckowski]

I don't think that that follows. They've made a few mistakes, and this was one of them. They shouldn't make ultimatums like that. That said, I have a feeling that they'll continue to be a lot more responsive on the patching front than Microsoft, and I think that the point has been made, even if they won't stick to a set time-line.

The Debian thing is not a strike against Mozilla. Their stance is correct and clear. You can't have someone else using your trademark to cover something that they are supporting. If the Debian team introduces a bug or something into their build of Firefox, Mozilla's brand will suffer. That's why Mozilla wanted Debian to rebrand it.

Re:Mozilla Corporation becoming truly corporate?

Yeah, that explains why all those Linux(TM) distributions can't use the trademark "Linux" - after all, almost all of them patch the Linux kernel. Or why the distributions have to rename KDE or GNOME. Or any other piece of open source software.

No, the reason Mozilla forced Debian to rename Firefox is even stupider than that. Debian fixed their build process. They didn't actually patch the browser. They simply corrected the build process to work under Debian. That was enough to prevent them from using the name "Firefox".

Personally I can't wait until WebKit and Konqueror finish remerging code. Once Konqueror gets a Windows build, it's game-over for Firefox. It's a better browser - it just hasn't, until recently, run on Windows.

Re:Mozilla Corporation becoming truly corporate?

[Kjella]

The Debian thing is not a strike against Mozilla. Their stance is correct and clear. You can't have someone else using your trademark to cover something that they are supporting.

That wasn't really the problem, I think there were a few disagreements on some defaults Debian had set, but in general I don't think Mozilla would have any problem rubbing-stamping it like they do with other distros' versions. Where it really broke down wasn't really a practical problem, it was more policy vs policy.

Mozilla's policy is that they must approve anything using the trademarked name and logo, so that they can stop bad versions with spyware, adware and such.
Debian's policy is that they must be able to apply security parches immidiately without approval from any third parties.

In themselves, both admirable policies but the road to hell is paved with good intentions. In practise there wouldn't have been any problem getting security patches into Debian's version in a timely fashion with Mozilla's blessing, but one of the policies would have to make an exception. Neither Mozilla nor Debian were willing to bend on their principles, and so Iceweasel was born. Yes, it's a policy aberration but I don't feel one side was being more unreasonable than the other.

Re:Mozilla Corporation becoming truly corporate?

[tm2b]

These days, it feels to me as if Mozilla is starting to blend into the corporation scene just like any other evil corporation

Somehow you edited out the rest of this sentence. Here, I'll fix it for you:

These days, it feels to me as if Mozilla is starting to blend into the corporation scene just like any other evil corporation who gives away their source code for free.

HTH. HAND.

Re:Mozilla Corporation becoming truly corporate?

[iminplaya]

Once Konqueror gets a Windows build, it's game-over for Firefox. It's a better browser - it just hasn't, until recently, run on Windows.

I happen to agree it's a much better browser, and a very good file manager, among other things, BUT there's nothing to make me think that once it becomes popular enough, the exact same thing won't happen to it. Popular software gets sucked into the corporate venus fly trap faster than a trailer park gets sucked into a tornado. The nice thing about all this open source though, is that nobody can claim exclusivity. We can always make something similar, a little bit better, and put a different name on it. I was under the impression that's the idea behind GPL and BSD and Creative Commons, etc. to begin with. So we can simply forget about the guy who takes a wrong turn, instead of following him over the cliff.

Re:Mozilla Corporation becoming truly corporate?

[_Sprocket_]

No, the reason Mozilla forced Debian to rename Firefox is even stupider than that. Debian fixed their build process. They didn't actually patch the browser. They simply corrected the build process to work under Debian. That was enough to prevent them from using the name "Firefox". Is it just that, though? Before the whole Icedove rename, I had two copies of Firefox on my Debian desktop. One was the Debian package. The other was from Mozilla. I had the Mozilla version because something broke in the Debian package. It had something to do with my laptop's Xorg config (I have a config that allows dual screens when docked and just the single screen when not). When it wasn't docked, Debian's Firefox would run but wouldn't show. The Mozilla version came up without a problem. I could never figure out why (wish I could - then I would have filed a bug report).

I bring this up because this was going on around the same time the whole rename issue was getting a lot of attention. It seemed to me that Debian was introducing changes that Mozilla wasn't - as demonstrated by my own odd behavior of the two Firefox installs. Of course - I don't know enough about the bug I had or the issue in general to really know for sure. Maybe someone else can take a swing at it?

Re:Mozilla Corporation becoming truly corporate?

[Kjella]

The real problem was that Debian was using the Firefox logo with modified Firefox code (as in: Debian patches not in official Firefox build), witch is against Mozilla policy.

That's where it started, not where it ended. It went something like:
Moz: "You're using some mods to Mozilla with the official logo, stop it."
Deb: "Ok, but some of these changes we want/need to do."
Moz: "Submit them to us and we'll approve them. Oh and those won't go through."
Deb: "Ok, we can drop those. We'll sumbit the rest."
Moz: "Good. And you must also submit any updates to us first."
Deb: "In general ok, but security patches we'll push immidiately."
Moz: "No, you must. Mozilla policy."
Deb: "Not acceptable. Debian policy."

I think my post was fairly accurate only I didn't include the backstory, there was dialog to fix the rest but the policies were the deal-breaker.

Re:Mozilla Corporation becoming truly corporate?

[plague3106]

"My band, they sold out MAN. What a bunch of sellouts MAN. Before I was the only cool person to like this band, and now that they haven't changed and have become people, I can't use that to make myself seem really cool MAN."

Ugh. You just liked FF because no one was using it. You'll leave anything that becomes popular, because popular things can't be cool, MAN.

Re:Mozilla Corporation becoming truly corporate?

[trifish]

The thing is, if you allow different products from different sources to be publicly distributed under a single trademarked name, the trademark becomes dilluted and can be declared invalid (by court, trademark dispute board, etc.) That's what the law says, there's not much you can do about it.

BTW, that's why the "Linux" trademark wouldn't surive a test in court now. It doesn't identify a single product from a single source. It's dilluted and invalid.

Re:Mozilla Corporation becoming truly corporate?

[TemporalBeing]

Yeah, that explains why all those Linux(TM) distributions can't use the trademark "Linux" - after all, almost all of them patch the Linux kernel. Or why the distributions have to rename KDE or GNOME. Or any other piece of open source software.

Actually, all those guys have to get a license for the Linux trademark from Linus - or whoever Linus appointed to manage the trademark. It's just that there are not that many strings attached to said license.

Mozilla is certainly free to license their Firefox trademarks how they like, and if someone does not want to abide by that license, then they will not be able to use the trademark. In this case, it appears that Debian was not willing to abide by Mozilla's terms, so they gave up their license and renamed it to IceWeasel.

Like it or not, that's how trademarks work.

As always - IANAL.

Re:Mozilla Corporation becoming truly corporate?

[Tacvek]

There has been much information about this. The reality is that much of the information is wrong or only partially complete. There were at least 3 problems, only one of which did not seem resolvable.

• Debian has a policy of not introducing new upstream versions into a stable release. Instead, any necessary security changes are backported. MoCo's policies tend to counter this. But this was not too major an issue, and could likely have been resolved.
• Debian distributed Firefox with some patches. MoCo's policy is that patched browsers cannot be labeled "Mozilla Firefox" or "Firefox" without special approval. Debian policy is that any such permission must not be Debian specific nor can it excessively delay the release of security fixes.. It seems likely that there wold be negotiations, and eventually a reasonable compromise could have occurred.
• However there was the deal killer: The Firefox logo. The Firefox logo's copyright license does not meet the DFSG. Debian has a very stict policy there. It is not a problem that the logo is a Trademark, and thus special licensing conditions. The problem is that the MoCo was not willing to consider placing the logo copyright under a free license, and simply place restrictions on the image as a trademark. Debian therefore was unwilling to distribute the logo. Debian was willing to use a replacement logo that had been manually recreated, and looked nearly identical to the original. Obviously the use of that recreation would be subject the any trademark restrictions of MoCo. However, MoCo's policy was that only the official logo could be used, not a nearly identical replacement; the logo's copyright license was not going to be changed; and that the "Firefox" name cannot be used on a browser without the Logo. MoCo was not willing to compromise on these issues at all. So the choice for Debian was allow the official logo in despite its failure to meet the DFSG, have a renamed version of Firefox, or have no Firefox at all.

As you can see, that last issue was an absolute killer. It was not even worth working to resolve the other two unless that one was fixed. MoCo was not willing to compromise at all on the last issue. Debian decided not to compromise on the DFSG issue. So now we have Debian Iceweasel and Icedove.

Synder would never succeed as a politician...

[Actually,+I+do+RTFA]

On Friday, Mozilla security chief Window Snyder wrote in a blog posting that the 10-day pledge is not Mozilla's policy, saying 'We do not think security is a game, nor do we issue challenges or ultimatums.'

Upon hearing the news of this "flip-flopping," President Bush confidently stepped in for the Mozilla group and challenged the black hats to "bring it on."

Well at least they are not stupid

[infonography]

Making that sort of pledge is rather rash. I am not saying it can't be done, but I don't see it as simple to fix anything anytime.

Questions you have to ask are;

Is it really a bug?

Can it really be reproduced?

etc etc

Being timely in bugs is good. But not all crashes are the result of bad software. You have to be sure your fix doesn't turn another thing into a bug. They would soon end up chasing after every little bit of dust and lose sight of their real work.

Clarification

[nacturation]

On this blog entry Mike Shaver clarifies:

(I thought I commented here on Friday, but I was working from my Blackberry, which is not especially web-friendly. Bleh.)

Glad you enjoyed the party, Robert. To clarify, I was making a personal commitment, not a Mozilla one, that you could redeem that card if there was a vulnerability that you believed needed to be turned around in 10 days. I didn't consider at the time that it would be taken as a Mozilla policy statement -- even *I* don't make new policy announcements at late-night parties in Vegas :) -- but it seems to have been read that way, which I can understand in hindsight. I'm sure I'll be answering for my potty mouth and apparent lack of clarity for a while... Also spelled out on his own blog.

Easy solution...

[Actually,+I+do+RTFA]

My mayor ran on the promising of "fixing any pothole within 24 hours of discovery." Of course the roads are still filled with potholes. Turns out, it was 24 hours of any confirmed pothole, which is trivially easy as the pothole confirmation team is as slow/backed up as the pothole filling team.

Re:Easy solution...

[myowntrueself]

My mayor ran on the promising of "fixing any pothole within 24 hours of discovery."

Dude we could do with that kind of attitude here.

Except it'd be more like "I have a pot *hole* right here. In my pipe. Please fill it in. With pot. Thanks."

Re:Easy solution...

Most of the comments come from stoned or drunk coders really. You can't be in a sane state of mind to think that posting to slashdot is a good idea.

Re:Easy solution...

[Xero_One]

You can't be in a sane state of mind to think that posting to slashdot is a good idea. Woooooaaaahhh Duuuuuude!

That's totally... like, INSIGHTFUL!

Thank God...

[thanksforthecrabs]

...we still have companies like Google that can set good examples.

Re:So... eleven days?

[OnlyHalfEvil]

Mozilla security chief Window Snyder wrote in a blog posting that the 10-day pledge is not Mozilla's policy

What is it with Windows being against quick patches?

Re:So... eleven days?

[RobertM1968]

If your post isnt a troll, perhaps it is a poor attempt at humor.

Mozilla welcomes vulnerability information so that it can address them

Mozilla is pretty quick to address vulnerabilities

MS wont even admit to a vulnerability unless enough of a stink has been made that the world already knows about it.

MS has often ignored serious vulnerabilities until they deemed it necessary to resolve them (see previous point for definition of "necessary")

Dont worry, Mozilla has a long way to go before they slip as far as MS...

Ten fucking days is a long time...

[EmbeddedJanitor]

for us geeks.

Most Geeks feel very lucky if they get laid once a month or so. Therefore ten fucking days is about ten months or so. Should be able to roll out a patch in that time, especially since we get so many days to work on software rather than having sex.

Re:Ten fucking days is a long time...

[Hanners1979]

Most Geeks feel very lucky if they get laid once a month or so.

Is that an Earth month?

Re:Ten fucking days is a long time...

[Phroggy]

That's bug #95849.

Mozilla is not Microsoft, they'll do their best

[Locutus]

to hold up to the 10-day pledge but in the end, if something major holds back a fix, are we all going to bash them for missing the 10-day pledge? I doubt it. After all, we are not talking about Microsoft. These people are trying to do the best job possible and don't have to consider how the browser fix would interfere with some feak'n gumball machine driver that has IE code in it.

But she's right in that they really shouldn't be making statements like that without having discussed this with their team and doing so could be considered a challenge to others. Not something you want to do with a company willing to pay billions just to purchase marketshare let alone how much they'd be willing to put into ads and other FUD should a fix take 241 hours.

LoB

Ten ****ing Days

[shish]

Are the censored four letters "work"?

Re:Ten ****ing Days

[datapharmer]

no.

Re:Ten ****ing Days

[Eighty7]

So they're including weekends too?

Re:So... eleven days?

[MrNaz]

Yes, like Microsoft, the Mozilla security chief will resort to insulting the competition. I expect he'll make many snyde remarks about Windows.

Habits of the geek kind

[Gazzonyx]

I don't smoke any more, but of my 'IT type' friends who still do (all in their early to mid 20's, mind you - 1 is 21 working on his masters), well... I spent the night working on my Solaris server trying to get NFS, LDAP, MySQL and Samba to play nicely with a BSD box, Mac, XP, and Gentoo inside segmented routed networks. Granted, I failed miserably, but I'm fairly sure my friends spent their night sharpening their skill set by getting high, eating munchies, and watching Sponge Bob's Square Pants before passing out at 10pm.

As an aside, it always seems the network and hardware geeks are the ones who smoke pot, and the database and BSD guys who like their vodka. The C/C++/Java programmers (this is my category, usually) are chain smokers - Marlboro Reds in a soft pack style, and caffeine junkies. How many of you have a Mountain Dew can that you're drinking next to an empty Mountain Dew can - and both are still cold to the touch? Yeah - all the programmers.

And the Mac guys generally seem to be clean cut replicas of Jeff Goldblum, for the most part. They're health conscience, and probably taking on a good number of sunshine units from those freakin' 45 inch MacBook Pro screens as they tend to be fans of irony. Mac guys also probably currently have a half gallon of water, in a jogging harness, on their desks right now... probably the cleanest desks on /. for that matter.
Oh, and I think the Amiga guys are in to acid or something - that's why they've been in their garages for the last 15 years hacking away. Poor guys don't even know their wife unplugged the monitor 3 years ago.

Re:So... eleven days?

[Architect_sasyr]

They might have a long way to go, but every journey begins with that one little step and this definitely looks like that step...

Well Doh'

[rdebath]

The stupid thing is it is a statement of policy, it's just that it's not in marketing speak.
If your brother says something like that you know you'll get either that or a good excuse. The good excuse is always an unwritten option, it's just with professional liars that you have to tie them to the every single written word because trying to pin them to a statment is like trying to pin live eels!

Re:So... eleven days?

[iapetus]

This is a step in the right direction, though. Guaranteeing to fix a future bug that you know nothing about in ten days is just plain insanity. While it's a nice pledge from a marketing viewpoint, developers realise that it's just a lie.