Opera Screeches at Mozilla Over Security Disclosure 208
The Register is reporting that Mozilla's handling of a recent security exploit that affected both browsers has drawn an unhappy response from the Opera team. "Claudio Santambrogio, an Opera desktop developer, said the Mozilla team notified it of a security issue only a day before publishing an advisory. This gave the Norwegian software developers insufficient time to make an evaluation. [...] Santambrogio goes on to attack Mozilla's handling of the issue, arguing that it places Opera users at unnecessary risk."
Oh bitch, bitch, bitch! (Score:3, Interesting)
Sheesh... (Score:3, Interesting)
I'm finding it a bit difficult to feel bad for Opera. Exactly how long does it take to "evaluate" a security issue, especially when someone else goes to the trouble of finding it in the first place, and then notifies you of the issue?
Opera had ample opportunity to roll out a fix...but they dragged their feet (as is their habit). This time, their habit got them burned. Perhaps next time they'll take a notification of a security issue more seriously.
Streisand effect? (Score:5, Interesting)
Fanboys (Score:1, Interesting)
http://my.opera.com/desktopteam/blog/2008/02/14/9-26-coming-soon [opera.com]
"Well those Mozilla guys think that openness is the answer to everything.
"Mozilla never knows when to keep their mouths shut...
Of course, considering that there are active exploits for Firefox, it's safe to say that the malware authors already knew about this security vulnerability."
"I'm not surprised about the Mozilla Corporation. Maybe they pretend they never have security issues with their code? There are still security issues with Firefox and with *any* software developed by humans, so they should be more humble and responsible. They're not harming Opera Software ASA, they're putting the Opera users in jeopardy, this is not a good way to have them to use Firefox. This is evil, irresponsible and antiethical at the very least. Shame on Mozilla!"
"Nevermind, guys, let the Mozilla devs have more secure browser for at least few days (-;E"
Re:overreaction (Score:5, Interesting)
At the end of the day, Mozilla would have acted better by keeping the exploits closed for a few more days, as they would hope anyone else would do for them. By not doing so, they upset people, and others expressing that upset is perfectly understandable. There's no mass outcry at Opera, no press release or open letter saying the Mozilla team are dicks, there's a few words saying what happened and a couple of emoticons on a developer blog entry.
Whats the big deal, just go fix it (Score:3, Interesting)
I know you don't have any people committed to different projects.
I know you have your code at a stable point so its easy to slip in a change
I know this only takes one guy 5 min to go change a few lines of code
I know its ready to ship the moment its changed
I know you coded it right and didn't break anything else
Remember this is open source. so you should be able to fix all security issues quickly. I bet someone else had already done it for you. Just ask someone for it.
Whats the point of being open source if you don't do what the community expects of you.
END RANT
OK, i bet the underlying issue is they expected to have a Little time. Emails went out to a few people that would look at and identify how big of an issue it was. Once they reported back, only the resources needed would be pulled off other projects to fix this.
The next day they see the advisory without warning and now they scramble to figure it out. Probably pulled a lot of people off other stuff that they didn't need to in order to rush out a minimally tested release.
Re:Sheesh... (Score:5, Interesting)
Now, wait a second. If I am developing software package "A", and you develop competing package "B", and I find a hole in A and fix it, then just for laughs test to see if your product has the same hole and then I am kind enough to let you know that it does, then I announce that there is a hole in A, how am I responsible for the security of B at all? I've done you a favor by performing the test and giving you a heads up in the first place! I don't owe you anything.
I'm not sure what you think that has to do with anything. The Mozilla foundation didn't even announce to the public that there was a hole in Opera. The announcement is that there is a hole in Firefox. Why not try reading the advisory [mozilla.org]? There is NOTHING in there about Opera's susceptibility. You can't even view the bug report [mozilla.org] without a Mozilla bugzilla account with the proper access - I just logged into my account, and that doesn't include me, so it's not like even the report is generally available. Also, as per the advisory:
So it seems as though the Opera team has had some warning about problems similar to these in the past - along with the rest of the world.
Could I find and fix a bug in one of my pieces of software in a day? Probably, because all of them are very simple. If I had a development team and a security response team (they do have one of those, don't they?) then I bet "I" could find and fix known security problems in larger software products in a day, too.
Actually, a number of security holes in the Linux kernel have been found, announced, and fixed on the same day, now that I think of it.
Re:insightful?? (Score:5, Interesting)
Re:All Things Considered... (Score:2, Interesting)
TFA didn't mention Opera at all... (Score:2, Interesting)