New Architect Interview with Gervase Markham
Sunday July 14th, 2002
New Architect has an interview with Gervase Markham, the youngest mozilla.org staff member. The interview touches on 1.0 and standards compliance but mainly concentrates on Mozilla's quality assurance effort.
And I think Gerv gives some solid answers.
--Asa (working to make Mozilla rock more!)
yea... solid answers.
I come to MozillaZine looking to find out the latest Mozilla news. This was somewhat of a surprise :-) I gave the interview a while back, and completely forgot about it.
His answers would be nice material for the various Mozilla FAQs.
What about releasing fixed installers when security bugs are discovered after release? Like this bug, for example:
I hope I'm wrong, but as far as I know the X-based OS installers currently on mozilla.org are still vulnerable to this (and this made my system hang). Mozilla should also have a process to easily update itself after the fact when stuff like this happens. (It probably already has?)
I admit that I could very well be talking out of my rear-end on this. I'm just asking what the status regarding all this is. I'd like to hear someone big from mozilla.org reassure me that a BINARY update release process is in place for when something really bad happens.
The new nightly releases (with or without graphical installer) have the fix for that bug incorporated.
The standard Mozilla homepage warns you about security bugs like the XML vulnerability when accessing it with an affected build. And there's the update reminder which goes off after a week or a month, depending on your preferences. I don't think the homepage warns about the X bug (which isn't a Mozilla bug anyway, Mozilla just triggered it in X).
I don't think Mozilla has any incremental update method, which is a bit of a problem since it means whenever they discover a security bug, you have to download a huge-ass entire new browser...
The particular bug you mention doesn't seem to be a terribly serious security risk: I don't see any immediately obvious way to exploit the crash, so at present it looks to me like only DoS. On a trivial level, any crash bug in Mozilla is a potential DoS (although normally of just the browser and not the entire OS/GUI) but unless there is an interesting way to exploit it into running code or something then it's not a major security issue. (IMO.)
Worst-case for this particular bug is, as far as I can see, if somebody sends out spam mails that exploit it. I'm not sure whether anyone would bother because (a) there is no potential gain and (b) there is no target audience - Linux (etc.) is a tiny minority operating system on the client, and Mozilla is a tiny minority browser (with even fewer people using it for email). Combine those two, and...
So basically it looks to me like the worst thing possible is to irritate someone (probably someone you know). There are numerous other ways to do that, so...
#10 Re: Re: Good security process?
Tuesday July 16th, 2002 7:17 AM
You may not consider a bug that crashes your entire system "very important". But to me that's a BIG DEAL. The exploit for this is some simple CSS, so it's not really hard to activate. Of course, the bug is X's, but the trigger is Mozilla's, as is the quick fix.
Anyway, I wasn't commenting on this bug specifically. I was only pointing this out as an example. Nobody will deny that some day a serious security bug in the stable releases of mozilla will be discovered. What happens when that happens?
#13 Re: Re: Re: Good security process?
Tuesday July 16th, 2002 11:17 PM
"What happens when that happens?"
Is that some kind of trick question? You get a new build with the fix the day after it lands (probably within a day or two of its discovery).
#16 Re: Re: Re: Re: Good security process?
Thursday July 18th, 2002 3:59 AM
"You get a new build with the fix"
That's what I thought: no separate patch. What about modem users? "They'll just have to wait for the download to finish" isn't an answer. Where I live downloading Mozilla costs several dollars.
#17 Re: Re: Re: Re: Re: Good security process?
Thursday July 18th, 2002 7:06 PM
"They'll just have to wait for the download to finish isn't an answer."
Yes, it is an answer. Until someone contributes the necessary code for patching Mozilla binaries you have to download the whole 10MB of it every time a fix comes along that you want. If you can't afford to download Mozilla when a security fix lands then maybe you should use a Mozilla distribution available on a CD (like Netscape) and you could pay someone to ship you that CD.
#7 New Architect, formerly Web Techniques
Monday July 15th, 2002 10:17 AM
Warning: The stylesheet <http://www.newarchitectmag.com/generic.css> was loaded as CSS even though its MIME type, "text/richtext", is not "text/css".
And there are huge numbers of "Warning: reference to undefined property...", so many in fact that Mozilla freezes for about 10 seconds.
#9 great article -- ironic advertisement
Monday July 15th, 2002 2:25 PM
Quote from the Microshaft advertisement placed smack dab in the middle of the new.architect article:
QUOTE ******* How can you anticipate change? How can you respond faster?
By embracing open standards, unifying legacy code, and streamlining your systems, .NET connected software from Microsoft leaves just one degree of separation between the critical aspects of your infrastructure.
END QUOTE ********
HAAHAHAHAHAHAH "embracing open standards" yeah that's why we're claiming IP patents on part of OpenGL. So we can "embrace" it. Then squeeze it to death until DirectX reigns !!! MUA HA HA HA
Sorry, just thought it was pretty funny to see it there...
Hey Gerv, mind if I ask how old you are? I'm 20, and am getting into Moz-fever bad, so hoping I'm not too old to learn new tricks.. hehe. No but seriously, I find it interesting age groups/ Foreigners /etc. that are working on Moz! Awesome Thanks --JED
Sorry... must have missed it on the article!! =)
I was 23 when I gave the interview; I'm actually 24 now. Over the hill :-)
Awww, 23 years old - the little lizards are soooo cute at that age!