MozillaZine

New Architect Interview with Gervase Markham

Sunday July 14th, 2002

New Architect has an interview with Gervase Markham, the youngest mozilla.org staff member. The interview touches on 1.0 and standards compliance but mainly concentrates on Mozilla's quality assurance effort.


#1 Good interview

by asa <asa@mozilla.org>

Sunday July 14th, 2002 9:52 PM

And I think Gerv gives some solid answers.

--Asa (working to make Mozilla rock more!)

#2 Re: Good interview

by Lancer

Sunday July 14th, 2002 10:52 PM

yea... solid answers.

#3 Really? :-)

by Gerv

Monday July 15th, 2002 1:37 AM

I come to MozillaZine looking to find out the latest Mozilla news. This was somewhat of a surprise :-) I gave the interview a while back, and completely forgot about it.

Gerv

#4 nice material for the faq

by jilles

Monday July 15th, 2002 1:37 AM

His answers would be nice material for the various mozilla faq's.

#5 Good security process?

by jsebrech

Monday July 15th, 2002 6:31 AM

What about releasing fixed installers when security bugs are discovered after release? Like this bug, for example:

<http://bugzilla.mozilla.org/show_bug.cgi?id=150339>

I hope I'm wrong, but as far as I know the X-based OS installers currently on mozilla.org are still vulnerable to this (and this made my system hang). Mozilla should also have a process to easily update itself after the fact when stuff like this happens. (It probably already has?)

I admit that I could very well be talking out of my rear-end on this. I'm just asking what the status regarding all this is. I'd like to hear someone big from mozilla.org reassure me that a BINARY update release process is in place for when something really bad happens.

#6 Re: Good security process?

by turi

Monday July 15th, 2002 8:24 AM

The new nightly releases (with or without graphical installer) have the fix for that bug incorporated.

The standard mozilla homepage warns you about security bugs like the XML vulnerability when accessing it with an affected build. And there's the update reminder which goes off after a week or a month, depending on your preferences. I don't think the homepage warns about the X-bug (which isn't a mozilla bug anyway, mozilla just triggered it in X).

#8 Re: Good security process?

by leafdigital

Monday July 15th, 2002 10:21 AM

I don't think Mozilla has any incremental update method, which is a bit of a problem since it means whenever they discover a security bug, you have to download a huge-ass entire new browser...

The particular bug you mention doesn't seem to be a terribly serious security risk: I don't see any immediately obvious way to exploit the crash, so at present it looks to me like only DoS. On a trivial level, any crash bug in Mozilla is a potential DoS (although normally of just the browser and not the entire OS/GUI) but unless there is an interesting way to exploit it into running code or something then it's not a major security issue. (IMO.)

Worst-case for this particular bug is, as far as I can see, if somebody sends out spam mails that exploit it. I'm not sure whether anyone would bother because (a) there is no potential gain and (b) there is no target audience - Linux (etc.) is a tiny minority operating system on the client, and Mozilla is a tiny minority browser (with even fewer people using it for email). Combine those two, and...

So basically it looks to me like the worst thing possible is to irritate someone (probably someone you know). There are numerous other ways to do that, so...

--sam

#10 Re: Re: Good security process?

by jsebrech

Tuesday July 16th, 2002 7:17 AM

You may not consider a bug that crashes your entire system "very important". But to me that's a BIG DEAL. The exploit for this is some simple CSS, so it's not really hard to activate. Of course, the bug is X's, but the trigger is mozilla's, as is the quick fix.

Anyway, I wasn't commenting on this bug specifically. I was only pointing this out as an example. Nobody will deny that some day a serious security bug in the stable releases of mozilla will be discovered. What happens when that happens?

#13 Re: Re: Re: Good security process?

by asa <asa@mozilla.org>

Tuesday July 16th, 2002 11:17 PM

"What happens when that happens?"

Is that some kind of trick question? You get a new build with the fix the day after it lands (probably within a day or two of its discovery).

--Asa

#16 Re: Re: Re: Re: Good security process?

by jsebrech

Thursday July 18th, 2002 3:59 AM

"You get a new build with the fix"

That's what I thought: no separate patch. What about modem users? They'll just have to wait for the download to finish isn't an answer. Where I live downloading mozilla costs several dollars.

#17 Re: Re: Re: Re: Re: Good security process?

by asa <asa@mozilla.org>

Thursday July 18th, 2002 7:06 PM

"They'll just have to wait for the download to finish isn't an answer."

Yes, it is an answer. Until someone contributes the necessary code for patching Mozilla binaries you have to download the whole 10MB of it every time a fix comes along that you want. If you can't afford to download Mozilla when a security fix lands then maybe you should use a Mozilla distribution available on a CD (like Netscape) and you could pay someone to ship you that CD.

--Asa

#7 New Architect, formerly Web Techniques

by pmsyyz

Monday July 15th, 2002 10:17 AM

Warning: The stylesheet <http://www.newarchitectmag.com/generic.css> was loaded as CSS even though its MIME type, "text/richtext", is not "text/css".

And there are huge numbers of "Warning: reference to undefined property...", so many in fact that Mozilla freezes for about 10 seconds.

#9 great article -- ironic advertisement

by punkrider <jonathan.sullivan@uvm.edu>

Monday July 15th, 2002 2:25 PM

Quote from the Microshaft advertisement placed smack dab in the middle of the new.architect article:

QUOTE ******* How can you anticipate change? How can you respond faster?

By embracing open standards, unifying legacy code, and streamlining your systems, .NET connected software from Microsoft leaves just one degree of separation between the critical aspects of your infrastructure.

END QUOTE ********

HAAHAHAHAHAHAH "embracing open standards" yeah that's why we're claiming IP patents on part of OpenGL. So we can "embrace" it. Then squeeze it to death until DirectX reigns !!! MUA HA HA HA

Sorry, just thought it was pretty funny to see it there...

#11 Youngest?

by jedbro

Tuesday July 16th, 2002 5:40 PM

Hey Gerv, mind if I ask how old you are? I'm 20, and am getting into Moz-fever bad, so hoping I'm not too old to learn new tricks.. hehe. No, but seriously, I find it interesting what age groups/foreigners/etc. are working on Moz! Awesome. Thanks

--JED

#12 How stupid am I? (Sorry)

by jedbro

Tuesday July 16th, 2002 5:41 PM

Sorry... must have missed it on the article!! =)

#15 Re: Youngest?

by Gerv

Wednesday July 17th, 2002 1:08 AM

I was 23 when I gave the interview; I'm actually 24 now. Over the hill :-)

Gerv

#14 Koochee-koo!

by flacco

Wednesday July 17th, 2002 12:35 AM

Awww, 23 years old - the little lizards are soooo cute at that age!

:-)