10-Day Patch Guarantee Not Mozilla's Policy

narramissic writes "Mozilla has officially backpedaled from a pledge made at Black Hat by the company's director of ecosystem development, Mike Shaver, to fix any critical security bugs in the browser within 'Ten ****ing Days.' On Friday, Mozilla security chief Window Snyder wrote in a blog posting that the 10-day pledge is not Mozilla's policy, saying 'We do not think security is a game, nor do we issue challenges or ultimatums.' And today, the open source browser maker issued a statement retracting the pledge."

  • It's Shaver (Score:5, Informative)

    by Anonymous Coward on Monday August 06, 2007 @09:36PM (#20137727)
    And he's already explained how his comment got out of hand [off.net] and what he really meant by it.
  • For me, I always thought that Mozilla was a small and nice open source company. These days, it feels to me as if Mozilla is starting to blend into the corporation scene just like any other evil corporation. The whole Firefox naming debacle on Debian, and now this. Now that they're controlling a big market of the web browsers space, should we continue trusting them? Would it be time to look at Konqueror or other browsers?
    • I don't think that that follows. They've made a few mistakes, and this was one of them. They shouldn't make ultimatums like that. That said, I have a feeling that they'll continue to be a lot more responsive on the patching front than Microsoft, and I think that the point has been made, even if they won't stick to a set time-line.

      The Debian thing is not a strike against Mozilla. Their stance is correct and clear. You can't have someone else using your trademark to cover something that they are supporting. If the Debian team introduces a bug or something into their build of Firefox, Mozilla's brand will suffer. That's why Mozilla wanted Debian to rebrand it.
      • by Anonymous Coward on Monday August 06, 2007 @10:09PM (#20137993)
        Yeah, that explains why all those Linux(TM) distributions can't use the trademark "Linux" - after all, almost all of them patch the Linux kernel. Or why the distributions have to rename KDE or GNOME. Or any other piece of open source software.

        No, the reason Mozilla forced Debian to rename Firefox is even stupider than that. Debian fixed their build process. They didn't actually patch the browser. They simply corrected the build process to work under Debian. That was enough to prevent them from using the name "Firefox".

        Personally I can't wait until WebKit and Konqueror finish remerging code. Once Konqueror gets a Windows build, it's game-over for Firefox. It's a better browser - it just hasn't, until recently, run on Windows.
        • The Mozilla folks were being silly about the use of their trademark.

        • Re: (Score:1, Insightful)

          by Anonymous Coward
          Finally, someone explains it as it is. I'm so tired of Mozilla fanboys who do not understand the situation. Thanks.
        • by iminplaya ( 723125 ) on Tuesday August 07, 2007 @12:03AM (#20138595) Journal
          Once Konqueror gets a Windows build, it's game-over for Firefox. It's a better browser - it just hasn't, until recently, run on Windows.

          I happen to agree it's a much better browser, and a very good file manager, among other things, BUT there's nothing to make me think that once it becomes popular enough, the exact same thing won't happen to it. Popular software gets sucked into the corporate venus fly trap faster than a trailer park gets sucked into a tornado. The nice thing about all this open source though, is that nobody can claim exclusivity. We can always make something similar, a little bit better, and put a different name on it. I was under the impression that's the idea behind GPL and BSD and Creative Commons, etc. to begin with. So we can simply forget about the guy who takes a wrong turn, instead of following him over the cliff.
          • by Fri13 ( 963421 )
            If there is only one developer who makes a wrong turn in development, it happens and there is nothing we can do unless there are a few other developers who can take "control" and build their own version to offer. And if it becomes more popular than the original, then it can start to be used by default instead of the original one. This is a good idea in open source. If Mozilla is now making wrong turns, all it needs is a few developers starting to make their own version, taking the good ideas from the original and adding them
        • by _Sprocket_ ( 42527 ) on Tuesday August 07, 2007 @12:32AM (#20138743)

          No, the reason Mozilla forced Debian to rename Firefox is even stupider than that. Debian fixed their build process. They didn't actually patch the browser. They simply corrected the build process to work under Debian. That was enough to prevent them from using the name "Firefox".
          Is it just that, though? Before the whole Icedove rename, I had two copies of Firefox on my Debian desktop. One was the Debian package. The other was from Mozilla. I had the Mozilla version because something broke in the Debian package. It had something to do with my laptop's Xorg config (I have a config that allows dual screens when docked and just the single screen when not). When it wasn't docked, Debian's Firefox would run but wouldn't show. The Mozilla version came up without a problem. I could never figure out why (wish I could - then I would have filed a bug report).

          I bring this up because this was going on around the same time the whole rename issue was getting a lot of attention. It seemed to me that Debian was introducing changes that Mozilla wasn't - as demonstrated by my own odd behavior of the two Firefox installs. Of course - I don't know enough about the bug I had or the issue in general to really know for sure. Maybe someone else can take a swing at it?
        • Re: (Score:2, Interesting)

          by moosesocks ( 264553 )
          Sure, Mozilla's trademark is pretty stupid.

          However, Firefox is still the superior browser in many cases. WebKit's JavaScript and CSS implementations are incomplete in several cases. It's not as common as it used to be, but there are still a few sites that will legitimately work in Firefox, but not Safari or Konqueror.
        • by trifish ( 826353 ) on Tuesday August 07, 2007 @07:57AM (#20140705)
          The thing is, if you allow different products from different sources to be publicly distributed under a single trademarked name, the trademark becomes diluted and can be declared invalid (by a court, trademark dispute board, etc.). That's what the law says; there's not much you can do about it.

          BTW, that's why the "Linux" trademark wouldn't survive a test in court now. It doesn't identify a single product from a single source. It's diluted and invalid.
          • by Dan Ost ( 415913 )
            Near as I can tell, there's only one Linux kernel.

            How does that dilute the trademark?
            • by trifish ( 826353 )
              Actually, no, there are many Linux kernels. Many major distros "customize" their kernels. Hence, it is no longer a single product from multiple sources. As Linus probably failed to or didn't want to defend his trademark from dilution, it would very likely be found to be invalid by now. Really. That's what the law says.
        • Re: (Score:3, Informative)

          Yeah, that explains why all those Linux(TM) distributions can't use the trademark "Linux" - after all, almost all of them patch the Linux kernel. Or why the distributions have to rename KDE or GNOME. Or any other piece of open source software.

          Actually, all those guys have to get a license for the Linux trademark from Linus - or whoever Linus appointed to manage the trademark. It's just that there are not that many strings attached to said license.

          Mozilla is certainly free to license their Firefox tradem

      • by Kjella ( 173770 ) on Monday August 06, 2007 @10:25PM (#20138113) Homepage
        The Debian thing is not a strike against Mozilla. Their stance is correct and clear. You can't have someone else using your trademark to cover something that they are supporting.

        That wasn't really the problem. I think there were a few disagreements on some defaults Debian had set, but in general I don't think Mozilla would have had any problem rubber-stamping it like they do with other distros' versions. Where it really broke down wasn't a practical problem; it was more policy vs. policy.

        Mozilla's policy is that they must approve anything using the trademarked name and logo, so that they can stop bad versions with spyware, adware and such.
        Debian's policy is that they must be able to apply security patches immediately without approval from any third parties.

        In themselves, both are admirable policies, but the road to hell is paved with good intentions. In practice there wouldn't have been any problem getting security patches into Debian's version in a timely fashion with Mozilla's blessing, but one of the policies would have had to make an exception. Neither Mozilla nor Debian were willing to bend on their principles, and so Iceweasel was born. Yes, it's a policy aberration, but I don't feel one side was being more unreasonable than the other.
        • Re: (Score:3, Informative)

          by Tacvek ( 948259 )
          There has been much information about this. The reality is that much of the information is wrong or only partially complete. There were at least 3 problems, only one of which did not seem resolvable.
          • Debian has a policy of not introducing new upstream versions into a stable release. Instead, any necessary security changes are backported. MoCo's policies tend to counter this. But this was not too major an issue, and could likely have been resolved.
          • Debian distributed Firefox with some patches. MoCo's policy
          • by nuzak ( 959558 )
            > So now we have Debian Iceweasel and Icedove.

            One could have forgiven all of this had Debian simply not picked new names that were so blisteringly stupid.

            Yes, it's a Matt Groening reference. No, no one gets it.
      • Yes, because a bug in the Debian copy of Firefox will totally destroy the Mozilla brand everywhere.
        • It could if the bug introduced critical vulnerabilities, or included a virus or spyware, it could tarnish Firefox's reputation even outside of Debian. You know as well as I that the news articles won't specify that it was a debian-introduced bug, they'll just report that Firefox contains a virus, or spyware, or some other horrible thing, and laypeople will equate the Firefox brand with this horrible thing.
    • I still think that Mozilla/Firefox is the best solution on the market today. Yes, they have made mistakes, but what major project hasn't, be it FOSS or closed source? Don't forget the hype from the community about how kernel 2.4 would be the last major kernel release needed when it first came out. And as far as the name change request, I think it's reasonable. For example, if someone took Wine and injected some of the famous leaked MS code into it so it would be a more compatible API. Then Microsoft sued Wine for cop
    • by tm2b ( 42473 ) on Monday August 06, 2007 @11:04PM (#20138315) Journal

      These days, it feels to me as if Mozilla is starting to blend into the corporation scene just like any other evil corporation
      Somehow you edited out the rest of this sentence. Here, I'll fix it for you:

      These days, it feels to me as if Mozilla is starting to blend into the corporation scene just like any other evil corporation who gives away their source code for free.
      HTH. HAND.
      • You've never tried to work with wu-imapd or daemontools, have you? The restrictive licensing on both of those not only prevents forking, but prevents the application of packaging or internal compatibility patches.
        • I'll bite:

          1) The wu-imapd home page states that the source is licensed under "the Apache License, Version 2.0",
          2) A random sampling of the source files of "daemontools" gave: 5 files stated "public domain", 1 file (makefile) had no license

          Neither of these looks like an intentionally restrictive license (I have the distinct impression that the omission of a license for the makefile of daemontools is an oversight).

          Could you explain what you meant in your post?
          • Let's see:

            The wu-imapd license is a welcome change, except that the exact same software inside the Pine package has a rather different license, in the file marked CPYRIGHT. That license for Pine (and its ramifications in wu-imapd) are among the compelling reasons it's been left out of most contemporary Linux distributions, and the imap daemon has been replaced by tools like dovecot.

            So I guess it's pick and choose for your wu-imapd licenses? No, that's entirely unacceptable. And the historical ramifications
          • By the way, your questions are good. You've done the modicum of research to ask your questions, and I applaud you for doing so. I have some old experience with tools like this that makes me more aware of the vagaries of the difference between public source code and a genuinely open license.
      • by Ant P. ( 974313 )
        You mean like SCO?
    • It's a mistake to put your unconditional trust in any organization or institution, no matter what branding or happy face they show to the world. Organizations follow their own inner logic and patterns and have their own pseudo-biological agendas. I'm not saying that organizations are inherently evil, rather that they are inherently amoral. Nor am I suggesting that they have a mind of their own. Rather, what passes for a mind is a sort of weighted group consensus made up of individuals and blocs within the o

      • It's a mistake to put your unconditional trust in any organization or institution, no matter what branding or happy face they show to the world.

        Well said. I certainly wouldn't unconditionally trust any individual package of software. For instance, the number of people I know who apparently trust their browser's password manager to keep username/password combos for critical things like internet banking safe is nothing short of appalling. The security on them may even be quite good, but they only have to b
    • Re: (Score:1, Flamebait)

      by jlarocco ( 851450 )

      Would it be time to look at Konqueror or other browsers?

      What are you, a lemming or something?

    • Actually, they always were "corporate", but I don't think that's necessarily "evil".

      Honestly, the shiny happy image of OSS as a community where thousands of volunteers in their free time do all sorts of useful things -- i.e., ESR's "bazaar" -- stopped being true, oh, about a decade ago. It was true when software complexity was on the level of "ls" and "cat" and had enough lines of code to need a day or two to fully understand and be able to add your own clever switches. When you need to understand a whole f
    • Re: (Score:3, Funny)

      by plague3106 ( 71849 )
      "My band, they sold out MAN. What a bunch of sellouts MAN. Before I was the only cool person to like this band, and now that they haven't changed and have become people, I can't use that to make myself seem really cool MAN."

      Ugh. You just liked FF because no one was using it. You'll leave anything that becomes popular, because popular things can't be cool, MAN.
  • by Actually, I do RTFA ( 1058596 ) on Monday August 06, 2007 @09:38PM (#20137755)

    On Friday, Mozilla security chief Window Snyder wrote in a blog posting that the 10-day pledge is not Mozilla's policy, saying 'We do not think security is a game, nor do we issue challenges or ultimatums.'

    Upon hearing the news of this "flip-flopping," President Bush confidently stepped in for the Mozilla group and challenged the black hats to "bring it on."

    • It's Open Source Software. Therefore sandals, not flip flops.
    • Re: (Score:1, Troll)

      by Dunbal ( 464142 )
      Upon hearing the news of this "flip-flopping," President Bush confidently stepped in for the Mozilla group and challenged the black hats to "bring it on."

      In before Bush declares Mozilla to be a terrorist organization and launches a war of aggression against it.

      Well, you did infer that he flip flops a lot...
    • It's really strange. Mozilla wants to give our enemies a timetable. Never in the history of software patches has a browser company been asked to give a timetable. I'm for victory.
  • See, that's what happens when you drink too much Bawlz (tm!) XD
  • by infonography ( 566403 ) on Monday August 06, 2007 @09:44PM (#20137793) Homepage
    Making that sort of pledge is rather rash. I am not saying it can't be done, but I don't see it as simple to fix anything anytime.

    Questions you have to ask are;

    Is it really a bug?

    Can it really be reproduced?

    etc etc

    Being timely in bugs is good. But not all crashes are the result of bad software. You have to be sure your fix doesn't turn another thing into a bug. They would soon end up chasing after every little bit of dust and lose sight of their real work.
    • Also, how seriously messed up is it? A security bug can either be a detail, or it can throw the entire architecture behind a system into question by exposing flaws inherent in the fundamental way it works. Just look at all these AJAX problems we're having. A security hole might even force a company to shut everything down while they do a massive panicky conversion of tons of code. And bug fix code is usually the shittiest code of all; I bet half these patches tear open more holes than they close.
  • Clarification (Score:5, Informative)

    by nacturation ( 646836 ) on Monday August 06, 2007 @09:44PM (#20137803) Journal
    On this blog entry [ckers.org] Mike Shaver clarifies:

    (I thought I commented here on Friday, but I was working from my Blackberry, which is not especially web-friendly. Bleh.)

    Glad you enjoyed the party, Robert. To clarify, I was making a personal commitment, not a Mozilla one, that you could redeem that card if there was a vulnerability that you believed needed to be turned around in 10 days. I didn't consider at the time that it would be taken as a Mozilla policy statement -- even *I* don't make new policy announcements at late-night parties in Vegas :) -- but it seems to have been read that way, which I can understand in hindsight. I'm sure I'll be answering for my potty mouth and apparent lack of clarity for a while...
    Also spelled out on his own blog [off.net].
  • It's truly sad to see Mozilla start to take this route. Even making a joke about it would have been good. "Our eco director meant ten Plutonian days. Unfortunately, he was not aware that Pluto is no longer a planet and as such should not be used for a timescale in contests."
  • Easy solution... (Score:5, Insightful)

    by Actually, I do RTFA ( 1058596 ) on Monday August 06, 2007 @09:57PM (#20137897)

    My mayor ran on the promise of "fixing any pothole within 24 hours of discovery." Of course the roads are still filled with potholes. Turns out, it was 24 hours of any confirmed pothole, which is trivially easy as the pothole confirmation team is as slow/backed up as the pothole filling team.

    • by myowntrueself ( 607117 ) on Monday August 06, 2007 @10:02PM (#20137947)
      My mayor ran on the promise of "fixing any pothole within 24 hours of discovery."

      Dude we could do with that kind of attitude here.

      Except it'd be more like "I have a pot *hole* right here. In my pipe. Please fill it in. With pot. Thanks."
    • My mayor ran on the promise of "fixing any pothole within 24 hours of discovery." Of course the roads are still filled with potholes. Turns out, it was 24 hours of any confirmed pothole, which is trivially easy as the pothole confirmation team is as slow/backed up as the pothole filling team.

      You must be from Houston...

      I've actually seen construction crews create potholes and then not fix them. And the heavy metal sheets they place on the concrete roads are worse than the original hole.
    • My mayor ran on the promise of "fixing any pothole within 24 hours of discovery." Of course the roads are still filled with potholes. Turns out, it was 24 hours of any confirmed pothole, which is trivially easy as the pothole confirmation team is as slow/backed up as the pothole filling team.

      My guess is he'll be reelected by all his loyal supporters who wait an extra day or two before voting...
  • by Anonymous Coward
    I don't get it... what's with the stars?
  • by thanksforthecrabs ( 1037698 ) on Monday August 06, 2007 @09:59PM (#20137921)
    ...we still have companies like Google that can set good examples.
    • On most days. Google's cooperation with Chinese censorship is troubling: so is the lax overall security of their mail services, which are easily obtained without a warrant or verifiable judicial review under the US "Patriot Act" legislation. So I do wonder at what happens behind closed doors there.

      Their overall reputation is good, but let's be clear that they're aggressive.
      • For the record, Yahoo volunteered information to China that led to a political blogger being imprisoned for writing about Tiananmen Square. Microsoft has also volunteered from day 1 to cooperate with Chinese censorship.

        Google was the only major company to fight China on the issue. Eventually they caved and I believe the statement was "we can't make in-roads for growth and progress if we're not in the country at all." They stated that they don't support censorship, but you can't influence China in a positi
        • I didn't say they're evil: but they're not innocent. They're aggressively pursuing markets, and there are cases where people get badly hurt, like this one. It's hardly the only case, just the most famous.
  • by Locutus ( 9039 ) on Monday August 06, 2007 @10:24PM (#20138093)
    to hold up to the 10-day pledge but in the end, if something major holds back a fix, are we all going to bash them for missing the 10-day pledge? I doubt it. After all, we are not talking about Microsoft. These people are trying to do the best job possible and don't have to consider how the browser fix would interfere with some feak'n gumball machine driver that has IE code in it.

    But she's right in that they really shouldn't be making statements like that without having discussed this with their team and doing so could be considered a challenge to others. Not something you want to do with a company willing to pay billions just to purchase marketshare let alone how much they'd be willing to put into ads and other FUD should a fix take 241 hours.

    LoB
  • by shish ( 588640 ) on Monday August 06, 2007 @11:07PM (#20138341) Homepage
    Are the censored four letters "work"?
  • How good of an idea is it to hire a guy named Windows as the top security chief?

  • It's a real world and everyone understands that when someone says "we pledge to fix ALL reported security bugs in 10 days" it really means 99% of bugs, save for a few extraordinarily difficult ones. Furthermore a temporary fix can be partial - just add some regular expression filter eliminating likely exploits - and it can involve disabling all but the most core functionality until the real solution is found. Imagine an extension turning off all plugins and running in a chroot jail as nobody until the user co
  • Well Doh' (Score:3, Insightful)

    by rdebath ( 884132 ) on Tuesday August 07, 2007 @02:48AM (#20139277)
    The stupid thing is that it is a statement of policy; it's just that it's not in marketing speak.
    If your brother says something like that, you know you'll get either that or a good excuse. The good excuse is always an unwritten option; it's just with professional liars that you have to tie them to every single written word, because trying to pin them to a statement is like trying to pin live eels!
  • ...who would take someone saying "we'll fix it in ten ****ing days!!!!!!1111one" to be equivalent to a corporate pledge? It's just talking smack and giving a sense of scale, basically saying "we won't make you wait for the first service pack in '09 for it to be stable, we'll put guys on it right away." Chill, corporate retraction dudes.
  • I find it difficult to understand how anybody would have taken that pledge seriously in the first place. For one thing, the way it was phrased. It's pretty safe to say anybody who uses the word F-followed-by-four-asterisks in a sentence is not stating official company policy. Add to that the inherent ridiculousness of the claim. It's like me saying I can dig any hole in the ground you want in two hours. Sure, maybe I have a pretty good grave-digging track record, but it doesn't matter if I have trapezoids of
