Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Mozilla Uncooperative With OSS Groups on Security?

Posted by CmdrTaco on Sun May 22, 2005 08:56 AM
from the working-the-bugs-out dept.
Mozilla The Internet Security
An anonymous reader writes "In response to Firefox lead developer Ben Goodger's claim that "redistributions of the official Mozilla releases are never going to give you security updates as quickly as Mozilla", Christopher Aillon of Red Hat says that this is only because Mozilla doesn't play by the same rules as other OSS projects. He says that while other OSS projects work with vendors to achieve simeltaneous releases of patched software, Mozilla does no such thing unless compelled to do so."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Mozilla Uncooperative With OSS Groups on Security? 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Secrecy? (Score:5, Insightful)

    by lachlan76 (770870) <lachlan.gunn@nospAm.internode.on.net> on Sunday May 22 2005, @09:00AM (#12604613)
    Sounds like the alleged rules involve keeping bugs secret until users of the code have updated it and/or changing their release cycle to accomodate this.

    • Re:Secrecy? (Score:5, Insightful)

      by gclef (96311) on Sunday May 22 2005, @09:35AM (#12604780)
      Honestly, Mozilla is in a lose/lose situation here.

      If they hold on to fixes until all the distros are ready, they get beat up for slow patch times compared to MS. If they release immediately, they get beat up by the distros for not coordinating with them.

      I think this is coming up because Moz is one of the first high-profile OSS projects to support both Linux/BSD and Windows. If this were (like most other Linux/BSD apps) an OSS-OS only app, then the lack of coordination would be a real issue. But, for the Windows folks, there isn't a distro to coordinate with, so Moz has to release as soon as possible. I'm with Moz on this, honestly.
      • If they hold on to fixes until all the distros are ready, they get beat up for slow patch times compared to MS. If they release immediately, they get beat up by the distros for not coordinating with them.

        NO! Mozilla is responsible for its own releases and security updates and not for the distros'. Mozilla isn't there to make the life of Linux distros easy. The Linux distros must make security patches available ASAP.

        • Re:Secrecy? (Score:5, Insightful)

          by gclef (96311) on Sunday May 22 2005, @11:38AM (#12605331)
          I disagree. Completely. It's in the general interest of everyone for the app writers and the distros to work together...the goal, after all, is for the end user to get patches quickly, effectively, and *before* there's an exploit. A lot of the distros have central patch distribution systems...these systems are the best way to get patches to the end user for that distro.

          If an app releases a bug fix without working with the distro, it leaves the end user there to get screwed...either they wait for their distro to get the patch put together (running vulnerable code the whole time), or they break their use of the patch distribution system (meaning they have to either re-patch once the vendor releases, or never follow the vendor patch system for that app again). This isn't a choice we want to be giving the users. The best result is *absolutely* a coordinated response, where the authors, the distros and the original reporter of the problem all release simultaneously.

          That isn't possible in this case, since there's no distro to work with for Windows. Mozilla is, in this situation, choosing to minimize the risk for their Windows users (who likely far outnumber their OSS users), at the expense of the distro coordination. It's not a fun choice to make, but a sensible one, given their situation.
          • If an app releases a bug fix without working with the distro, it leaves the end user there to get screwed...either they wait for their distro to get the patch put together (running vulnerable code the whole time), or they break their use of the patch distribution system

            Lets break this down:

            If:
            • App releases bug fix without waiting for distros, users can:
              • Install the vendors version early
              • Wait for the distro patch
            • App waits for distros before releasing bug fix, users can:
              • Wait for the distro patch

            • Re:Secrecy? (Score:3, Informative)

              by gclef (96311)
              You left out a variable: time. Releasing early widens the amount of time that the users relying on the distro for the patch are vulnerable. There is tons of evidence that vulnerabilities are attacked more after release of a patch, or announcement of a vulnerability. (Not to say it doesn't happen before, just that it happens *more* afterwards.)

              So, it's in the general interest to get as many people patched *quickly* once the public announcement is made. Vendor patch systems are the best way to do that.
              • You're assuming the security hole is announced at the same time as the fix. This isnt always the case. In a case where an exploit is already known and possibly in use, it is always best to make a fixed version available, without waiting for the distros.

          • How do you pick what distros to work with? There are so many to choose from, do you just choose those who give you financial backing? Should the release time of distro A be forced to coincide with distro B? Should Red Hat and commercial vendors be in control?

            I think they should release fixes as soon as a stable fix is available. Alot of people just use a distro for a base install, and then build apps from source, some even choose to do Linux From Scratch, its their choice. No one should be locked in

        • Re:Secrecy? (Score:5, Informative)

          by gclef (96311) on Sunday May 22 2005, @11:03AM (#12605174)
          Why cant mozilla stop hiding bugs and marking vulnerabilities as secret in bugzilla? Open indeed...

          I shouldn't respond to this troll, but I will.

          Marking security-related bugs as secret is entirely appropriate. If the bug notes were public, they would serve as a blueprint to 0-day attacks on Mozilla, which the Moz folks are (rightly) attempting to prevent.

          Attacking Mozilla for following standard security procedures for bugs is fucking childish.

          • Attacking Mozilla for following standard security procedures for bugs is fucking childish.

            No, the fact that the most recent bugs were hidden for months and leaked along with an exploit is fucking childish.

            Both RedHat and Mozilla have been trying this "hide all the bugs" crap for a while and it has resulted in worse security. And the only reason they're bitching at each other now is that each one wants to be the sole provider of updates. This is the kind of behaviour you would expect from Microsoft, not

  • Why is this a bad things? (Score:5, Interesting)

    by afd8856 (700296) on Sunday May 22 2005, @09:03AM (#12604627) Homepage
    They may want to release the updates earlier, without waiting for whatever linux/bsd distro to updated their packages.

    And it seems fair to me. If I run fedora, for example, if I'm concerned about security, I can always download and install their binary package. Because, for example, I couldn't find an updated rpm for firefox 1.0.4 (only a spec file)
      • mozilla-firefox-1.0.4 hit the Gentoo tree the same day the official 1.0.4 version was released and had been moved to stable on most architectures by the beginning of the next day. The binary packages (mozilla-firefox-bin-1.0.4) was in the stable tree within two days, same timing as Debian.

  • Nor should it have to. (Score:5, Insightful)

    by Trillan (597339) on Sunday May 22 2005, @09:03AM (#12604628) Homepage Journal

    Priorities are not the same all over, and Mozilla should be focused on supporting their users. Those several days of warning are extra days of end-user vulnerability. As a Firefox user, I would feel my trust was misplaced if they did something else..

    One other comment:

    indirectly -- it still displays their branding

    Correct me if I'm wrong, but other builds are not supposed to use Mozilla's branding anyway. The PowerPC G4-optimized build of Firefox contains only compiler/linker changes, and apparently can not use the same icon.

    • I agree that Mozilla should support their users and not wait to supply updates just so that other Mozilla based browsers can update simultaneously. Although, it would certainly be great to let these other projects know about the vulnerability and make the update available to them, but waiting to update their own product is bad for their own users.
      • it would certainly be great to let these other projects know about the vulnerability and make the update available to them

        If its a 0day vulnerability letting other distros know in advance would be putting the vulnerability into the wild for any script kiddie to play with.

        waiting to update their own product is bad for their own users

        Exactly. If someone forks or uses open source code its a lot to ask the people who made the original trunk to take care for all. Share knowledge yes, but to do the j

  • I'm not sure I agree with this... (Score:5, Interesting)

    by Rantastic (583764) on Sunday May 22 2005, @09:04AM (#12604636) Journal
    Other projects make sure that the vendors know of a security vulnerability, supply the patch and new tarball (if applicable, which it is in mozilla.org's case), give a brief period of time for the vendors to catch up, and then do a synchronous release with them at a planned time.

    Ok, I do agree that OSS projects should supply security patches when they have them, and new releases as well, but what good does it do to let the vendors at them first?

    Why should end users not be offered the same patches as soon as they are ready? If it takes a vendor 24 hours to get a new package out, that sounds reason able to me, but again, why limit access to the update for that 24 hours?

    • Re:I'm not sure I agree with this... (Score:5, Insightful)

      by Rantastic (583764) on Sunday May 22 2005, @09:09AM (#12604658) Journal
      Just to clarify:

      I am saying that if Red Hat expects OSS projects to sit on security updates until Red Hat has a new package ready, that is just plain rude.

      Are all users not equal in the eyes of Free software? We should all be able to have a crack at the security update as soon as it is ready. Some of us do in fact maintain our own packages. Why should we be forced to wait?

        • If Redhat discovered a security flaw, patched it themselves and then released their fixed version without giving the mozilla people time to patch and QA, people would be screaming bloody murder.

          What? Can you point out one instance of this happening, ever? Distributions release fixes all the time without waiting for the application team to apply and test the patches.

        • Holding back by a few hours until vendors can merge the fixes with any customizations they have done actually equalizes the users, in that all end users have access to the fixes for their particular build at the same time, regardless of where they get their builds from.

          And that's good why? If a fix is out and I'm running something mission-critical, I want it now. If your distro is slow, get another distro - or better yet - install it your f**king self using the version Mozilla puts out. It's really no

          • I'm sure you have an example of a vulnerability not yet exploited in the wild that was patched and released by one distro without notification and coordination with the other distros.

            Mozilla was not wrong to release this fix as soon as they had it ready, as the vulnerability had already been publicized. However, security fixes for vulnerabilities that don't have known exploits in the wild should be coordinated.

    • Re:I'm not sure I agree with this... (Score:5, Interesting)

      by Husgaard (858362) on Sunday May 22 2005, @09:19AM (#12604705)
      I understand why Mozilla does not want to delay security updates. Of course Redhat would like that at it would look like they are less behind on security updates.

      Unfortunately it looks like Redhat has persuaded other Open Source projects to delay their security updates.

      And now Redhat is using these other Open Source projects to attempt to pressure Mozilla into also delaying their security updates by claiming that Mozilla doesn't play by the rules.

      Shame on Redhat.

    • Re:I'm not sure I agree with this... (Score:4, Insightful)

      by ProfaneBaby (821276) on Sunday May 22 2005, @09:24AM (#12604726)
      Why should end users not be offered the same patches as soon as they are ready? If it takes a vendor 24 hours to get a new package out, that sounds reason able to me, but again, why limit access to the update for that 24 hours?

      Just speaking to the theory here, once the 'end users' are notified of the hole, it's reasonable to assume that 'someone' is going to reverse engineer an exploit out of the patch.

      On very large holes, the coordinated release allows the largest possible user base to have an upgrade path by the time the hole is made public. If all users were notified as soon as a source patch was released, but the source patch didn't apply directly to distribution X because of local changes to the codebase, a malicious user could (and will) create and circulate an exploit before that group can create a patch.

      Note that the security community does not agree here. When OpenSSH had a massive hole, Theo went mailing-list to mailing-list telling people a workaround, and coordinated a very large release of information on a specific day. When DJB's students come out with their list of new exploits every year, they release them all on a webpage with zero notice to ANYONE, including the software vendors involved.

      It's a matter of philosophy - are you in the game to protect the most people, or are you managing your software and letting other people worry about their users? I personally don't have a problem with Mozilla's practices - they still beat some other vendors, even if they're not as 'responsible' as the OpenSSH crowd.

  • The question is "WHY?" (Score:4, Insightful)

    by bogaboga (793279) on Sunday May 22 2005, @09:04AM (#12604638)
    Quote: "redistributions of the official Mozilla releases are never going to give you security updates as quickly as Mozilla".

    I read the above quote may times over and the person from RedHat's response. I kept asking myself over and over again...WHY? Because if Mozilla operated the same way other OSS projects do by default, I can only see good things out of this. I wonder why they choose to do things this way.

    • Re:The question is "WHY?" (Score:5, Interesting)

      by ProfaneBaby (821276) on Sunday May 22 2005, @09:33AM (#12604770)
      There's really two scenarios here:

      1) A hole is made known to Mozilla before it's made known to the public.

      2) A hole is made known to Mozilla and the public at the same time.

      In (1), it's reasonable to ask that the software developer at least make a token notification to various vendor's security contacts. Most of the vendors are reasonably private - they won't post the matter to a mailing list - and responsible. The software developer certainly doesn't HAVE to do this, but it would benefit a larger portion of its end users.

      In (2), it doesn't make any sense to notify each distribution, because the whole world already knows, and each hour wasted on notification could mean people who are damaged by the hole.

      I think the difference between (1) and (2) is significant, and it's important to realize that the case we're talking about here is (2). The hole was made public in Bugzilla, and Mozilla had to rush to create a patch. Holding that patch to give the distributions time to update is silly - people already knew there was a hole, and users were already waiting on the fix. If the initial bug was private, this would be an entirely different story.
        • When a project knows there is a security hole and when the general public knows there is one is usually at least a week sometimes several apart. Many projects have secret lists that security information is distributed on. Also with respect to fixing the bugs in CVS they in general don't commit the security fix in CVS until the public disclosure date. An example project that I know does this is KDE.

          People just like to beat up on Redhat but this really is standard practice for Case 1.

  • What's worse (Score:5, Interesting)

    by keesh (202812) on Sunday May 22 2005, @09:06AM (#12604643) Homepage
    What's worse is the way the mozilla projects rarely seem to manage to put out an actual working source tarball. For the past dozen or so releases they've always released incomplete or unworking sources. Screwing up once is understandable, but to repeatedly omit things strongly implies that they're not interested in anyone using anything except their official binaries.

      • Re:What's worse (Score:4, Informative)

        by Anonymous Coward on Sunday May 22 2005, @09:27AM (#12604740)
        But mozilla/firefox from the mozilla foundation is released under the MPL with the logos trademarked (You can't use the firefox logo. In your custom version, you have to use the globe icon or something new)

        You can freely download the tri-license source code (MPL/GPL/LGPL I believe) from the CVS. If the tarball isn't working it's probably because an automated script is busted and perhaps the person complaining should file a bug.

      • That's all well and good.. except for that Mozilla is released under the MPL (Mozilla Public License), AFAIK.
  • Where's the article?? It's just two short blog entries between two guys arguing over an issue. How is that news or "stuff that matters"? It's almost like reading two headlines. This has a feel of high school.

    High school girl A: So Ben Goodger's claim that "redistributions of the official Mozilla releases are never going to give you security updates as quickly as Mozilla"
    High school girl B: "Christopher Aillon of Red Hat says that this is only because Mozilla doesn't play by the same rules as other OSS

    • Where's the article?? It's just two short blog entries between two guys arguing over an issue. How is that news or "stuff that matters"? It's almost like reading two headlines. This has a feel of high school.

      Except that these two highschool girls talk in the name of two pretty large OSS projects, and thus are in the interrest of 'News for nerds' ...

  • Making a story that isn't there. (Score:5, Insightful)

    by Anonymous Coward on Sunday May 22 2005, @09:10AM (#12604666)
    Those links seemed almost like the biggest non-articles ever to hit Slashdot. I asked myself... "is that it?" Links to some petty blog nonsense, basically.

    Mozilla's problems aside, Aillon's point is stupid. Stupid as that picture of him imitating the Matrix, or whatever the hell he is doing. Basically, there doesn't seem to be any meat here, any story. Good work saving Slashdotters the time of RTFA-ing, because in this case, reading the article wouldn't have made any difference.
  • This may sound like the tail whinning that the dog doesn't wag, but the vendors may have a legitimate complaint.

    The potential for harm is if Mozilla releases a security fix, and the distros don't right away. There's a period of time in which Mozilla version x.y is vulnerable on FooDistLinux, and there's no reasonable expectation for the fix to happen for some period. Since the fix has been released, attackers are on notice that there is are vulnerable systems out there, and they're running Mozilla x.y on FooDistLinux.

    Now, mind you, I don't think that's such a big fat hairy deal. But the situation does put minor distros (anything not supported by the official Mozilla site) at a disadvantage. The perception is that the major players are "more secure", since you can get your fix straight from Mozilla.org.
    • The real problem here is not that Mozilla is releasing security fixes too quickly, or that the distros aren't keeping up.

      The real problem is that a Linux application needs to be modified in some way by the operating system vendor before end-users of that operating system can use it. Think about that for a minute. When's the last time you had to go through Microsoft to download the latest copy of a 3rd-party application?

      One of the selling points of OSS development has always been its decentralized nature.
  • I suspect that the vast majority of Firefox users are on Windows (simply because the majority of computer users are). They don't have the luxury of up2date or an apt-get repository and have to go to each non-Windows vendor to obtain updates. Why should Mozilla wait for someone maintaining a repository for a minority of their users before releasing an update for the majority?

    I'm sure that's the offical position, anyway. And of course they want to drive traffic to their site, and make a big deal about counting downloads.

  • fuck off (Score:3, Insightful)

    by Turn-X Alphonse (789240) on Sunday May 22 2005, @09:27AM (#12604739) Journal
    "simeltaneous releases of patched software"

    This is OSS took to the extreme. One for all and all for one doesn't apply when people are at risk. If you don't release a fix ASAP then you're knowingly risking the security of peoples computers. Like it or not this is a ridiclous idea from the ground up.

    Work together for the greater good, don't force others to work together so you all look good.

    • Depends (Score:5, Insightful)

      by zerbot (882848) on Sunday May 22 2005, @09:37AM (#12604790)
      If the exploit is public knowledge, or is known as being used to exploit by blackhats, then releasing the fix as soon as it is finished is best. If the exploit is not publically known, and there are no signs it is being used, then a coordinated release is best. Not coordinating ends up leaving a window for blackhats to find out about the exploit and use the vulnerability on those systems that are not yet patched.
        • There's a difference between being unpatched because you're a mouth breather who doesn't pay attention, and being unpatched because the devs didn't notify the distro I use before they put the exploit in the wild.

          I can set things up to automatically patch or notify me when security patches come out for my distro. I don't know of anyway to do that right off the Mozilla site. This is all pretty moot in this situation since the exploit was already publicized, and this is end user software as opposed to serve

  • How is this Mozilla's problem? (Score:3, Insightful)

    by Emetophobe (878584) on Sunday May 22 2005, @09:32AM (#12604767)
    I don't see how Mozilla is in the wrong. It is upto the various linux distributions to manage said distribution, not mozilla.

    I want Firefox security updates as soon as they are available on my Micro$oft box, why should I have to wait for distribution X to play catchup. It is said distributions job to maintain that distribution, not Mozilla.

    Should I, the user, have to wait for important security updates because some distribution wants to repackage them? The answer is no.
    • It's the project's problem if they want the continued support of the vendors. A completely plausible example of how a vendor could be justifiably furious:

      1) Vendor gets bug reports from their customers.
      2) Vendor examines the code and discovers that the bug is exploitable.
      3) Vendor's developers write a patch and send it to the project's security team.
      4) Project security team realizes that they do a similar bad thing in other parts of their code, and the fix will need to be a much larger patch.
      5) Project pu

  • Why is latency such a problem? (Score:4, Interesting)

    by vagabond_gr (762469) on Sunday May 22 2005, @10:15AM (#12604951)
    I don't understand why a 1-2 days latency is such a problem for a distro. It's like someone complaining that cvs users get the fixes before they appear on mozilla.org.

    Summary:
    - you're paranoid about security, get cvs updates every hour.
    - you're seriously concerned about security, get the new binary as soon as you read it on /.
    - you're lazy and you like it: apt-get install, 1-2 days after.

  • Becuase (Score:3, Insightful)

    by Bruha (412869) on Sunday May 22 2005, @10:25AM (#12604987) Journal
    Redhat makes it's own modificatoins to Mozilla and Firefox maybe.

    Linspire surely does but they at least work with the company to get them into the main tree so it's not so much of a problem.

    Along with any number of big distros that do something to the original package.

    All which could of been avoided if said companies just used the plugin infrastructure to make their modifications and repackaged it that way.

  • Honestly (Score:3, Insightful)

    by rbanffy (584143) on Sunday May 22 2005, @10:37AM (#12605029) Homepage
    How long can it take for package maintainers to update the source and run the package-assembly scripts.

    I mean, it is automated, isn't it?

    Mozilla guys are not obligated to wait until the slowest of the crowd gets its job done. And they shouldn't treat any OS/distro differently from one another.

    If Red Hat feels having up-to-the-minute RPMs is all that important, they should compensate Mozilla Foundation for the additional hassle. If not, they should wait in line just like everyone else.

  • Context... Context... Context... (Score:5, Insightful)

    by TigerX (859482) on Sunday May 22 2005, @10:37AM (#12605033) Homepage
    This article rips Ben Gooder's words so far out of context that it is not even funny...

    Here's the original sentence with the quoted portion bolded:
    If security is important to you, this demonstration should show that browsers that are redistributions of the official Mozilla releases are never going to give you security updates as quickly as Mozilla will itself for its supported products.

    The context of Ben's blog post was the final release of the Netscape 8.0 browser which was based on top of the Firefox 1.0.3 source code. Ben was merely pointing out that this left the Netscape users open to attack. Netscape promptly released 8.0.1 built on the Firefox 1.0.4 code.

    Mozilla is fulfilling its obligation to its users by producing quality secure products, not pandering to an OSS "community" which seem more intent on arguing about every minute detail rather than change the way things are done.

    To that end, Go Mozilla!

  • Windows User Here (Score:3, Insightful)

    by Hangtime (19526) on Sunday May 22 2005, @11:07AM (#12605190) Homepage
    I have used Mozilla for over a year now and have been VERY satisfied with the release schedule especially as it comes to security releases. I get alerted with the little icon, I press icon, I download update, restart Mozilla, done. When it comes to security updates I do not want to see the release hampered because the distros haven't built it yet because quite frankly most of the exploits out there are for Windows anyway. No, I will not be transitioning to Linux anytime soon but I do support it where I can :).
    • Mozilla isn't obligated to offer you support. You are an idiot for firing an employee simply over a small software issue. Plus, any reasonable IT person would give users a CHOICE of IE or FireFox for quite a while, until people adjusted to the new software and the IT staff were certain that it would not conflict with existing systems (such as your intranet).

      However, I'd like to note that Mr. Goodger should really learn how to develop websites for cross-browser compatibility. It looks like crap here at wo
      • It's a common troll. Replace the software in question with whatever is being discussed. The tagline is the giveaway, "Needless to say, the $SOFTWARE_PACKAGE team offered no support whatsoever. I made the employee uninstall $SOFTWARE_PACKAGE from the machines and lets just say he's not with us anymore."
    • Are you trying to say simultaneous?

      Nope. He is obviously an overclocker running SMP and he is referring to the rare condition where all of his CPU's melt at once.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.