The binaries originally came from the Korean localization team, but they were definitely hosted on ftp.mozilla.org. Although I suppose we could quibble about "distributed"-- records from our primary mirrors indicate zero (0) downloads of the infected files.
I assume mozilla.or.kr points people at the Korean secondary mirrors from which we don't get download numbers.
> FWIW, there's no updated version of the Mozilla Suite, either - anyone who's using that is, well, stuck.
Of course we're updating the Suite as well. Here's the QA blog from a few days ago calling for testers http://weblogs.mozillazine.org/qa/archives/2005/09/another_round_of_candidate_bui.html. Even with builds in-hand they can't all go up at once. Like it or not, getting the English Firefox builds up first helps the most people the fastest. The rest are following.
This crash is bug 280084. We have tracked this down to people who install 1.0.1 over an earlier .zip build. The file structure is different: never, ever mix the two.
Solution:
- don't use .zip builds
- if you must use .zip builds you must always install each build into a new directory. There is no installer to do any cleanup of obsolete files.
- if you've already mixed the two uninstall and re-install 1.0.1 into a virgin directory. If the crash persists anyway delete "xpti.dat" from your profile.
Re: Some things I don't get about open source (on "Netscape Reborn?", Score: 1)
> It really depends on the license, and the Mozilla license is fairly permissive,
> so one could argue that Mozilla - in choosing their licensing regime - knew
> exactly what might happen.
Don't forget that the license was written *by* Netscape in the first place (with community input). The ability to combine with proprietary code made a big difference in the ability to attract corporate-sponsored developers, who have contributed greatly over the years to the open source codebase. Especially in the early days when the payoff of a working browser was a long ways off.
The bounty program page links to our description of critical security bugs: http://www.mozilla.org/security/bug-bounty-faq.html#critical-bugs
The Bug Bounty requirements also say "previously unreported" -- no one other than Michael Zalewski could claim the bounty on these bugs. The examples in his gallery, however, don't appear to be exploitable at first look.
Feel free to use his tool to find additional problems, though. Maybe you'll get lucky.
> Since Mozilla doesn't like people on Slashdot being able to trash-talk their browser by linking to bug reports [...]
Links are blocked simply to prevent slashdotting the server. Anyone curious enough to copy/paste the link is welcome to come by, and raising the bar that little bit keeps work from grinding to a halt every time a story mentions a Mozilla bug.
That said, please keep unproductive trash-talk out of bug reports. Discussions and rants belong in our newsgroups.
> ... often the last communication medium when all else fails. You don't believe me and that's normal, because it's never happened to you (or me, I'm too young).
I've seen emergency ham use in California with our once-a-decade-or-so widespread disasters (earthquakes, fires). I imagine the same is true in hurricane country.
> The last time I installed a Netscape browser, the only option was to install the full suite of tools, including email, news, AIM and WinAmp.
Unless the last time you installed Netscape was five years ago you are wrong. The Mozilla-based versions of Netscape (6.x and 7.x) have always allowed users to pick and choose which components they'd like to install in addition to the browser. The integration difference now is not that the browser is available separately from mail but that it runs as a separate process.
The main reason for creating Mozilla Firebird and Mozilla Thunderbird, however, is not to make them run separately but to make them run better by improving the UI and rewriting the XUL "chrome" to be more efficient.
I suppose there's not much point in replying a day late, but you're absolutely wrong about the MPL. No one assigns copyright to the Mozilla project and no one has the option of closing a future release any more than the FSF could close GNU.
AOL can release Netscape without releasing full source because the MPL, like the BSD license, is compatible with proprietary code. AOL does have to release source to the bulk of Netscape that is derived from MPL'd code.
> Since Sturgeon's Law applies to all forms of content creation, publishers serve the valuable function of separating the wheat from the chaff
Sturgeon's "90% of everything is crap" referred to stuff that was already published; imagine how much crap there is before the publishers start filtering.
Creating invisible windows is a bad idea from a security standpoint, and anything you do short of actually loading and running the content could be detected if sites really care to find out.
Since there are other ways sites can force you to look at ads, returning null should be good enough at this point in the ads arms race.
People are working on server-side solutions, see SpamAssassin and Vipul's Razor. If your ISP does not provide server-side support, though, a client-side solution is better than none.
Good idea or bad, the GPL exists and its terms prevented GPL'd projects from taking advantage of Mozilla code. This is a workaround on the Mozilla end so GPL'd projects can embed our engine as easily as proprietary projects can.
Because MPL/NPL code can already be combined with code under all those other licenses. Due to its restrictive nature the GPL must be specially accommodated in order to combine MPL and GPL code.
Since mozilla.org would like to see Mozilla used as widely as possible they have decided to do the extra work required to make this combination possible.
The release was always planned for around now (it did slip a little). Since mozilla.org doesn't yet have a spec or plan for what "Mozilla 1.0" means it seems foolish to base a commercial company's plans on waiting for it to be done.
"Only"? That's quite bad enough, isn't it?
We've already done that, in fact. The next version will be called "Deer Park". https://bugzilla.mozilla.org/show_bug.cgi?id=290383
Yes, two years ago Slashdot had a thread http://slashdot.org/article.pl?sid=02/05/28/0142248 discussing a paper titled "The Homograph Attack" http://www.cs.technion.ac.il/~gabr/papers/homograph.html
Yes, setting the permission on the key to "deny" for all kept AIM from recreating values.
Rather than deleting the aim key, a better fix is to leave it so you can set permissions, and delete its contents instead.
Ha ha -- good one! Too bad we thought of that already: no bounties on code you wrote or reviewed.
Javascript can use sockets in Mozilla/Netscape. The Chatzilla IRC client, for example, is entirely coded in Javascript.
It doesn't, however, have the "phone home" concept of the Java sandbox. Either you're privileged (installed locally or signed) or you're not.
As the bugtraq posting (and the bugzilla report) makes very clear, this does not prevent the attack.
The Mozilla Public License is a true open source license; Mozilla code can no more be taken closed than code under the BSD or GPL.
We're already on to that one -- the same setting blocks that too.
If Adobe really wanted to make amends they would have at least paid his bail and replaced his plane ticket home. They didn't.