Linux Pipeline Newsletter
www.LinuxPipeline.com
Tuesday, May 24, 2005

In This Issue:
- Oracle Teams With Zend, Steps Up PHP Scripting Support
- Intel Inside Your G5? Apple, Intel May Be Negotiating
- Firefox Developer Rips Netscape Over Security Gaffe
- More News...
- Netscape 8: A Better Firefox Than Firefox?
- First Look: Longhorn Beta Build 5048
- Blog Aggregation Breaks Out
- More Picks...

Join InformationWeek for a FREE, OnDemand TechWebCast on An IT Investment that Pays Real Dividends: Building ROI with Your Email System. Learn how ROI can be achieved through implementing the right email management solution. Register and View Today! http://www.techweb.com/webcasts/ilumin042805

-----------------------------------------

Editor's Note: Bug Bites

Right about now, Mozilla developer Ben Goodger may wish he had devoted his blog entry last Thursday to the weather, instead of tearing into Netscape's new browser. Goodger's comments, which might have gone unnoticed a couple of years ago, are now far more likely to take on a life of their own, thanks to blogs, content syndication, and the like.

In fact, there's not much to Goodger's blog entry, which he published on May 19, the same day America Online's Netscape division shipped its Netscape 8 production release. In a single-sentence paragraph, Goodger points Netscape 8 users to an example of the security bug plaguing their browser--the same bug Mozilla found and fixed in Firefox the week before. In the next, he cites the episode as proof that browsers based on the original Mozilla code will always be a step behind Firefox when it comes to security.

Netscape, by the way, released its own patch the next day, on May 20, wrapping up an episode that must have left AOL's public relations staff reaching for the Prozac. Goodger may, in fact, have gone looking for the publicity his entry got. He did, after all, give his screed the less-than-subtle title, "Netscape 8 Is Unsafe."
And Goodger's take on the problem may be valid, although I'm not sure that his blanket indictment of any Mozilla-based derivative browser is either necessary or reasonable. In fact, I'm no longer sure it will even hold up in Netscape's case.

For those of you who haven't followed the birth of Netscape's comeback kid (which Mitch Wagner covers in an excellent review), their browser uses the page-rendering engines from both Internet Explorer and Firefox. Netscape 8 can choose which engine to use when it renders Web content, depending mostly on security issues, and users can also specify when or if they want to shift gears.

As a result, when a security flaw surfaces in Gecko, the page rendering engine Netscape shares with Firefox, developers can't simply slap a new name on the official Mozilla patch and tell users to come and get it. They have to optimize the patch for Netscape 8, and that invariably takes time. This is the rationale behind Goodger's comments on Netscape 8: It's destined always to be a day late and a dollar short when Mozilla releases patches involving Gecko code.

Goodger's argument, however, raises some interesting questions. He has to assume, for example, that Netscape's QA team won't catch its own share of Gecko bugs -- bugs that could, in turn, affect Firefox. I wouldn't bet my own money (feel free to send me some of yours) against this happening: Netscape is part of America Online and, one assumes, has a decent full-time QA team to test its products. It's unlikely Netscape will ever be the first to find a major Gecko security bug, given the number of developers and security experts eyeballing the Mozilla code base. Yet Goodger might not want to tempt fate, lest he and his colleagues someday find themselves walking a few hot miles in their Netscape counterparts' shoes.

This brings up a related issue: communication, or lack thereof, between Mozilla and Netscape.
Common sense, concern for users, and basic karma all dictate that when one group finds a security bug that could affect both browsers, they'll let the other group know about it immediately. Although I haven't seen this mentioned explicitly in any coverage of the Netscape release, it's implied in Netscape's statement attributing its late patch release to a security vendor's advice that the bug wouldn't affect their version of Gecko. If that's the case, and Netscape was able to prepare Mozilla's Firefox patch code for use in their own browser within a matter of hours, it's safe to assume that Mozilla did, indeed, alert Netscape in advance.

If the two groups are communicating somewhere besides their developers' blog entries, they're doing the right thing: putting the welfare of users ahead of any personal rivalries or corporate politics. That's important, since Goodger's comments suggest that the two groups won't be planning a bowling league or weenie roast anytime soon. (Although I do wonder why Goodger thinks Netscape may not be able to keep up, given its claim that it released a patch within hours of discovering that the Gecko bug affected Netscape 8.)

Just for everyone's peace of mind, however, both organizations should explicitly confirm their willingness to share critical security information. Given the timeline of this event, it's possible, in theory, that Netscape could have heard about the bug the same way the public did: when the news leaked several days before Mozilla's own patch was ready. I simply don't believe that could be the case, since the risk to innocent end-users could damage Mozilla's reputation beyond repair. (It could also, incidentally, get Mozilla sued into the Stone Age, if Netscape users suffered financial losses due to attacks based on the exploit.)

But there's a final, related issue that leaves a lot more room for debate: whether Mozilla should actually wait to announce a new bug, and a new patch, until Netscape prepares its own patch.
Given the same starting point for both organizations, I'm inclined to say that it's not Mozilla's problem if Netscape can't keep up the pace. Mozilla would, after all, put its own users at risk by delaying any security-related patch release, and a commercial product based on open-source code simply can't expect to get that sort of crutch. And once again, this works both ways, if Netscape is ever the one to find a ticking time bomb in Gecko's innards.

I don't think there's a right or wrong answer here -- it's a delicate, complicated question, and only time will tell how these sorts of problems work themselves out in real life. It will be fascinating to watch this process unfold, and it will be just as interesting to see how it affects the relationship between open-source developers and the commercial entities that have big money riding on the code they create.

Before I go, a quick note for Red Hat users and their fellow-travelers: The Red Hat Summit is right around the corner. This event caught my eye, since I'm a New Orleans native, and I'm sure that a lot of Linux users are headed for either a great time, the worst hangover of their lives, or a few days in jail, in addition to feeding their inner geeks some serious brain food. The program looks better than most, the price is reasonable, and while New Orleans is definitely air conditioning country this time of year, it's also a great deal for things like airfares and hotel rooms. If you're interested but haven't checked it out yet, you can get more information on the Red Hat Summit, planned June 1-3, at http://www.redhat.com/promo/summit/. If you see anyone I know, tell them I said hello--and keep your hand on your wallet.
Matthew McKenzie
Don't let future editions of Linux Pipeline Newsletter go missing. Take a moment to add the newsletter's address to your anti-spam whitelist: linuxed@techwire.com. If you're not sure how to do that, ask your administrator or ISP, or check your anti-spam utility's documentation. Thanks.

Top Linux News

Oracle Teams With Zend, Steps Up PHP Scripting Support
Oracle joins other major IT vendors, including IBM, Intel, and SAP, with a high-profile show of support for the open-source scripting language, which is now in use on nearly 15 million Web sites worldwide.
Intel Inside Your G5? Apple, Intel May Be Negotiating
Firefox Developer Rips Netscape Over Security Gaffe
Startup Unveils Enterprise Database Using Open-Source Code
MontaVista Debuts New Edition Of Carrier-Grade Linux
Netscape Needs Patch Hours After Debut
IBM, Red Hat Put Squeeze On Sun
Apple Tames Tiger With Big Patch
Embedded Systems To Get New Linux Tools
Apple Recalls G4 Batteries
SCO Denies Rumored SEC Investigation

Editor's Picks

Netscape 8: A Better Firefox Than Firefox?
The latest release from AOL's Netscape division, says Mitch Wagner, is a sleek and cutting-edge product with top-notch password management, anti-spyware tools, and anti-phishing protection. Despite an initial security gaffe that required a quick patch, it's still better than Internet Explorer--and it's even better than Firefox.
First Look: Longhorn Beta Build 5048
Blog Aggregation Breaks Out
Considering Linux For Your Business? Here's How To Get Started
Review: Veritas Makes Solaris Disaster Recovery A Snap--Or A Click
Review: Standards-Aware Software Simplifies Wi-Fi Access

Cast Your Vote Now!
This week, we're continuing our poll on your experience so far using 64-bit systems, either in production or on test systems. We pay good money to rig our elections, so get over there, and make it look good!

Poll Results:

Try Linux Pipeline's RSS Feed
Linux Pipeline's content is available via RSS feed. The feed is also auto-discoverable to many RSS readers from the Linux Pipeline home page. Note: RSS feeds are not viewable in most Web browsers. You need an RSS reader, Web-based service, or plug-in to view RSS. Find out which RSS readers the Pipeline editors recommend.