RUS-CERT Criticizes Mozilla Security Bugs Policy

Thursday March 11th, 2004

Simon Paquet sent us a link to a German article from the Computer Emergency Response Team of the University of Stuttgart (RUS-CERT) that criticizes Mozilla's security policy.

Simon provides a translation of the key points of the article: "The RUS-CERT criticizes Mozilla's security approach to security leaks. They find fault in the fact that no official security advisories are published by the Mozilla Foundation. Instead, security leaks are silently patched and incorporated into newer releases.

"They come to the conclusion, 'At the moment Mozilla is obviously no convincing alternative to the market leader [Microsoft].' In an update to their article, they state that this sentence was interpreted as saying that everyone should refrain from using Mozilla. This is not the case. They only state that Mozilla suffers from the same security problems as all other clients and that the use of Mozilla alone is no solution to those security problems."

The last major update to the Known Vulnerabilities in Mozilla page was in November. The Mozilla Security Bugs Policy explains how security flaws are handled.

#16 Re: Re: Re: I supported Mozilla's policy..

by bzbarsky

Friday March 12th, 2004 1:21 PM


> Is that not one of the main reasons for refactoring and object-oriented programming?

Of course. There are a few things that lead to the "recompile the entire thing" problem (or rather the perception that the problem exists).

1) A large chunk of the Mozilla code is the layout library. This _could_ be split into multiple libraries (used to be, in fact), but that introduces performance overhead, memory overhead, and code maintainability overhead that makes it not worth doing. Naturally, changes to the layout library require the layout library to be recompiled. Once you have the recompiled version, you can either ship the whole thing (about 3 MB) or try to make a "binary patch". The latter shouldn't really be all that bad, in my opinion... So distributing a typical security patch really shouldn't require recompiling all of Mozilla. It should only require shipping an update for the one library affected, IF the patch is applied to the version that shipped.

2) When people are talking about "the whole thing would need to be recompiled" they are talking about a wholesale update from one milestone to another, more often than not. The problem there is that Mozilla is in active development and a large fraction of the libraries is touched between milestones. This is due not so much to the fact that there is poor separation between libraries (though there is some of that too) as to the fact that with about 1000 changes (that's how many we tend to have per milestone) and about 100 libraries all told, most of the libraries end up with at least one change in them. Those that don't tend to be pretty small. So doing milestone upgrades via incremental update is really not worth it.

All that said, localized security fixes really should not require rebuilding the whole thing and could be distributed incrementally, as far as I can tell.
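As an added illustration of the "ship only the changed library, or a binary patch of it" point in the comment above (example code written for this page, not Mozilla's update mechanism or bzbarsky's code): a toy block-level binary delta that records only the blocks a localized fix touched, and refuses to install the result unless it matches the hash of the intended build. The "library" bytes, the 64-byte block size and the patched offset are all constructed for the demo.

```python
import hashlib

BLOCK = 64  # constructed block size; real delta tools use content-defined chunking


def make_delta(old: bytes, new: bytes, block: int = BLOCK) -> dict:
    """Record only the fixed-size blocks that differ between old and new,
    plus the SHA-256 of the full new file so the receiver can verify the result."""
    changed = {}
    for off in range(0, max(len(old), len(new)), block):
        if old[off:off + block] != new[off:off + block]:
            changed[off] = new[off:off + block]
    return {"length": len(new), "blocks": changed,
            "sha256": hashlib.sha256(new).hexdigest()}


def apply_delta(old: bytes, delta: dict) -> bytes:
    """Rebuild the new file from old plus the delta; raise if the output does not
    hash to the expected value (corrupt or tampered delta, or wrong base version)."""
    buf = bytearray(old[:delta["length"]].ljust(delta["length"], b"\0"))
    for off, data in delta["blocks"].items():
        buf[off:off + len(data)] = data
    out = bytes(buf[:delta["length"]])
    if hashlib.sha256(out).hexdigest() != delta["sha256"]:
        raise ValueError("patched output does not match expected hash; not installing")
    return out


def delta_size(delta: dict) -> int:
    """Bytes of payload the delta carries (excluding the small header)."""
    return sum(len(b) for b in delta["blocks"].values())


# Constructed stand-in for a shipped library: 3072 bytes of a repeating pattern.
OLD_LIB = bytes(range(256)) * 12
# The "security fix" changes 4 bytes at offset 1000, i.e. one localized code change.
NEW_LIB = OLD_LIB[:1000] + b"FIXD" + OLD_LIB[1004:]


def demo() -> tuple:
    """Return (full-library size, delta payload size, rebuilt-matches-new)."""
    delta = make_delta(OLD_LIB, NEW_LIB)
    rebuilt = apply_delta(OLD_LIB, delta)
    return len(NEW_LIB), delta_size(delta), rebuilt == NEW_LIB


if __name__ == "__main__":
    print(demo())  # a 4-byte fix travels as one 64-byte block, not 3072 bytes
```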