Slashdot Mirror


User: dveditz

dveditz's activity in the archive.

Stories: 0
Comments: 108

Comments · 108

  1. Re:I think FF3's cert thing is lamer and lamer on What Would It Take To Have Open CA Authorities? · · Score: 1

    Google was the default search in Mozilla browsers _years_ before any monetary deal was made. Google may be paying for the default spot but they didn't _buy_ the default spot.

  2. What does encryption accomplish? on What Would It Take To Have Open CA Authorities? · · Score: 1

    Why is encryption a good thing? I assume you want to prevent someone from intercepting or modifying your traffic, but if the end-point is unverified you might have a secure connection right to the eavesdropper.

    Look up "Marketscore" from a few years back, they made a business of intercepting SSL traffic and reencrypting it out the other side.

  3. Prince of Ico? on First Real Gameplay Video of New Prince of Persia Game · · Score: 4, Interesting

    Did anyone else think "Prince of Ico"? Climbing a desolate tower, dragging a princess of some sort around, beating black snot out of monsters...

  4. Re:Why would I have to "pledge" anything? on Firefox Goes for World Download Record · · Score: 1

    1) automatic software updates (such as from the couple million beta testers) won't count. Only people who go to the site of their own free will and explicitly choose to download will count.

    2) Firefox 2 most definitely will not offer Firefox 3 immediately upon release. Maybe after Firefox 3.0.1 or 3.0.2 are released will be the right time. People trust that Mozilla is trying to keep them safe; if instead people see the automatic updates as just a marketing channel they'll be more likely to turn it off. The end result is that they personally will be increasingly less safe, and Firefox will become a more attractive target for malware authors if there are increasing numbers of down-rev users.

    Official Firefox 2 support will only last six months after Firefox 3 is released (though most Linux vendors will support it far longer) so we won't want to wait too long to start transitioning people, but it won't be right off the bat.

  5. Re:Use the /. effect to make them screw themselves on NSI Registers Every Domain Checked · · Score: 1

    >> we can create a link that has a simple php script to have the user check
    >> a random domain through them. That way it isn't all coming from one IP Address...
    >
    > Wouldn't all the queries be coming from teh server that has teh PHP script?

    Not if it served a page that simply had a link or form post for you, although the server's address might show up in the Referer: header (better make it an SSL page). A PHP "script" seems a bit overkill, a static page ought to do.

  6. Re:Still good... on Thunderbird in Crisis? · · Score: 1

    Neither the Mozilla Foundation nor Mozilla Corporation has a board member from Google

    http://en.wikipedia.org/wiki/Mozilla_Foundation#People
    http://en.wikipedia.org/wiki/Mozilla_Corporation#People

    The new "MailCo" represents a significant increase in funding for Thunderbird, it's not evidence of abandonment by Mozilla.

  7. Re:Broken on Mozilla Releases Thunderbird 2.0.0 · · Score: 1

    I don't know why Quickcam needs to use the MAPI interface, but if Thunderbird is the default mail app then any app on the system loading the MAPI service will get the Thunderbird library.

  8. Re:Quick Find on Firefox 3 In Alpha · · Score: 1

    By all means keep using the extension (which probably does the same thing). If enough people install the extension maybe it'll be a "vote" for getting this changed back in FF3. Slim hope, but at least it's something.

    Oh, and leave feedback at http://hendrix.mozilla.org/ about this and other complaints

  9. Re:Will it be on autoupdate ? on Firefox 2 Launch - Interview With Chris Beard · · Score: 1

    1.5 users will not get the offer to update to 2.0 right away. There will be an autoupdate to 1.5.0.8 first (soon), and then probably another couple of weeks while we evaluate feedback from the launch to make sure no glaring compatibility issues need to be addressed first. Might even wait for the first bug-fix update to 2.0

    If you want to get 2.0 soon then don't wait for the autoupdate, that's for a more conservative audience.

  10. Re:old news on OpenSSL Hit by Forgery Bug · · Score: 2, Interesting

    > It also needs to be noted that the impact of this bug is not nearly as wide as a slashdot front-page headline might suggest.

    Unfortunately it is. While it may be true that few certs are issued with small exponents these days it doesn't really matter. Some of the pre-installed Certificate Authorities use a small exponent and you simply forge *their* signature to create a "valid" cert for any site you like.

  11. Re:LGPL is not practical: can't be verified, right on Linux Kernel Developers' Position on GPLv3 · · Score: 1

    > Big Evil Corporation just gives you the source for SuperLibrary v1.0 and says, "We never changed your library. We just added new functionality in our part of the program, the proprietary part, and you can't have it."
    >
    > How are you going to prove them wrong? Is there a way to dissect a binary and see if the modules are intact?

    You can, of course, dissect a binary (heck, people are dissecting and patching MS Windows), and the LGPL requires that the work using the library cannot be shipped with a license that prevents reverse engineering. The LGPL also requires that the larger work be distributed in a form that allows the recipient the freedom to modify the LGPL'd part and relink the whole (or they can avoid this by dynamically loading the LGPL'd library). You could tell if the pieces don't add up to the whole.

  12. Re:Yeah, but how many people on /. are FF develope on 611 Defects, 71 Vulnerabilities Found In Firefox · · Score: 1

    Given the million or so /. accounts the number of Firefox developers can't possibly be more than an insignificant fraction, but we are nonetheless here.

  13. Re:Seamonkey vs. Firefox/Thunderbird on Q&A with Firefox's Blake Ross · · Score: 1

    > 'it is not a bug but a feature to make your browser faster'. It doesn't make it faster if it thrashes the cache...

    That caching feature makes memory use larger, but isn't a leak -- it's capped at a certain number of pages. If you're seeing a leak (and some people are) that's something else. Many leaks have been fixed in the code that will become Firefox 2 (beta coming soon), you might try that if you're not already too steamed about it. We fixed a few small leaks in the 1.5.0.x releases, but the patches that got the big wins were inappropriate for stability/security releases.

    > 'just use about:config to change the defaults'. If that is necessary the defaults should be changed, Firefox was intended as a browser for everyone - not just the about:configging /etc/sendmail.cf grokking crowd...

    Quite true, the about:config changes are more a diagnostic tool. If turning off or limiting the caching feature mentioned above doesn't help then we can stop blaming it. If that does fix it then we know the problem is probably in the code that's intended to limit the amount used by the cache. No one expects normal people to ever use about:config any more than they should hand-edit linux config files or the Windows system registry.

  14. Re:Seamonkey vs. Firefox/Thunderbird on Q&A with Firefox's Blake Ross · · Score: 1

    It was certainly incomplete, but it *did* compile. The PBS show "CodeRush" documented this initial effort.

  15. Re:Seamonkey vs. Firefox/Thunderbird on Q&A with Firefox's Blake Ross · · Score: 1

    No need for an http proxy, the Mozilla networking library comes with built-in logging that can be turned on. For instruction see http://www.mozilla.org/projects/netlib/http/http-debugging.html

  16. Re:It doesn't need to be on PayPal Security Flaw Allows Identity Theft · · Score: 1

    Who the hell modded the parent up to "5-Informative"? Yes, submitting the login over SSL will prevent passive eavesdropping, but without a secure home page you have absolutely no assurance you are really on paypal's site or that it hasn't been modified in transit to submit somewhere else. Google "airpwn" for an amusing incident (but don't think only wireless is vulnerable to man-in-the-middle attacks).

    This is SSL critical mistake #1, the fact that everyone's doing it doesn't make it safe.
    http://blogs.msdn.com/ie/archive/2005/04/20/410240.aspx

  17. Re:1.5.0.4 is major.significant.minor.forget-it on Mozilla Firefox 1.5.0.4 Released · · Score: 2, Informative

    Our intention is to never ship a 1.5.1.x, if we do it means there was some security issue we couldn't fix without breaking extensions (as happened in 1.0.3). With this scheme extensions can claim compatibility into the future (1.5.0.*) and we can warn the user about potentially incompatible extensions before they update.

    If it helps, think of it as version "1.5.04" -- the extra decimal is for internal use.

  18. Re:Incremental Updates on Mozilla Firefox 1.5.0.4 Released · · Score: 3, Informative

    It would, indeed, be nice if we had partial patches more than one version back. We simply don't have the capacity to do so and ship timely releases. We're already juggling 3 platforms (4 while we transition from Mac PPC to Mac Universal Binary releases) times around 40 languages times 2 update packages (full and partial). Adding even one version back means another 120 update paths to build and test and ask our mirror sites to host.

    For what? Anyone with automatic updates turned on is at most one version back--they've had several weeks of daily update checks to get them there--so we're talking about people who have updates turned off and one random day decide to hit the "Check for Updates" button. It's not worth burning our people out and adding to our mirroring burden to optimize the experience of a very small number of people.

  19. Re:Just a minor revision on Mozilla Firefox 1.5.0.3 Released · · Score: 1

    > It's been less than a month since the last point release,

    A security problem was publicized last week, this week there's a fix for it. That's a problem?

    > which fixed 21 critical security flaws.

    FUD, Mozilla published eight advisories fixed in Firefox 1.5.0.2: http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox1.5.0.2

    Most of them were found internally by the Mozilla team which means the numbers can't be compared to proprietary products in any meaningful way.

  20. Re:LEAKS ARE NOT A FEATURE! on Firefox Update Kills Bugs, Adds Mac Support · · Score: 2, Interesting

    > The developers say that the memory cache explains the leaks.
    >
    > THEY ARE LYING.

    One developer blogged that the memory cache explains some of the leaks.

    We've also said bugs in popular extensions cause some of the leaks. http://kb.mozillazine.org/Problematic_extensions

    But anyone who watches the project will see that we know leaks are bugs and are actively fixing them. Look in bugzilla, or look at the change logs of recent releases, for example: http://www.squarefree.com/burningedge/releases/1.5.0.2.html

  21. Re:"Fixes some security issues"? on Firefox Update Kills Bugs, Adds Mac Support · · Score: 1

    > I suspect that some of these are bugs found by HD Moore

    Nearly all of the flaws were found by long-time Mozilla contributors who were actively looking for security flaws.

    Of the externally reported ones three were vulnerabilities submitted by the Zero Day Initiative from anonymous researchers. All were fuzzer-based and one used code from the Metasploit Project, but "anonymous" doesn't seem Moore's style.

  22. Re:Stop the nonsense on RIM Settles Long-Standing Blackberry Claim · · Score: 1

    > Let's not pretend that software patents are an old, time-tested way of protecting software. They're not, they're less than 10 years old.

    Given that some important software patents have expired (e.g. LZW, RSA) that cannot possibly be true.

  23. Re:Huh? on Slashback: OpenDocuments, RFID Passports, Firefox Celebration · · Score: 1

    [Paraphrasing] Flock had a choice not to open source their browser?

    Of course they had a choice. Netscape 8 is not open source even though it's built on Mozilla code, and Safari is not open source even though it's built on KHTML.

  24. Re:If Microsoft did it, it would be Microsoft. on Korean Mozilla Binaries Infected · · Score: 1

    > The Korean site is NOT A MIRROR.

    True, and the Suite and Thunderbird localized binaries are not built by mozilla.org (unlike Firefox). But the resulting infected builds were hosted on ftp.mozilla.org mirrors.

    Thunderbird version 1.5 will be moving to the Firefox system where mozilla.org hosts the localization source repository and creates the builds itself.

  25. Re:If Microsoft did it, it would be Microsoft. on Korean Mozilla Binaries Infected · · Score: 1

    > records from our primary mirrors indicate zero (0) downloads of the infected files.

    I've been corrected: a log of downloads through the great osuosl.org "bouncer" tool we use shows 341 downloads. I've been told mozilla.or.kr appears to direct its downloads through this tool so it's probably a relatively accurate indicator of the download numbers. Anyone going directly to an ftp site wouldn't get counted by this tool, but that's a small percentage of people who download builds.