Date: Tue, 24 May 2005 12:30:46 -0400 (EDT)
From: "Linux Pipeline Newsletter"
Subject: [LXP] Linux Pipeline - 05-24-2005 - Bug Bites
Linux Pipeline Newsletter
Tuesday, May 24, 2005

In This Issue:
  • Editor's Note: Bug Bites
  • Top Linux News
        - Oracle Teams With Zend, Steps Up PHP Scripting Support
        - Intel Inside Your G5? Apple, Intel May Be Negotiating
        - Firefox Developer Rips Netscape Over Security Gaffe
        - More News...
  • Editor's Picks
        - Netscape 8: A Better Firefox Than Firefox?
        - First Look: Longhorn Beta Build 5048
        - Blog Aggregation Breaks Out
        - More Picks...
  • Voting Booth: Your 64-Bit Future
  • Get More Out Of Linux Pipeline
  • Manage Your Newsletter Subscription


    Editor's Note: Bug Bites

    Right about now, Mozilla developer Ben Goodger may wish he had devoted his blog entry last Thursday to the weather, instead of tearing into Netscape's new browser. Goodger's comments, which might have gone unnoticed a couple of years ago, are now far more likely to take a life of their own, thanks to blogs, content syndication, and the like.

    In fact, there's not much to Goodger's blog entry, which he published on May 19, the same day America Online's Netscape division shipped its Netscape 8 production release. In a single-sentence paragraph, Goodger points Netscape 8 users to an example of the security bug plaguing their browser--the same bug Mozilla found and fixed in Firefox the week before. In the next, he cites the episode as proof that browsers based on the original Mozilla code will always be a step behind Firefox when it comes to security.

    Netscape, by the way, released its own patch the next day, on May 20, wrapping up an episode that must have left AOL's public relations staff reaching for the Prozac.

    Goodger may, in fact, have gone looking for the publicity his entry got. He did, after all, give his screed the less-than-subtle title, "Netscape 8 Is Unsafe." And Goodger's take on the problem may be valid, although I'm not sure that his blanket indictment of any Mozilla-based derivative browser is either necessary or reasonable. In fact, I'm no longer sure it will even hold up in Netscape's case.

    For those of you who haven't followed the birth of Netscape's comeback kid (which Mitch Wagner covers in an excellent review), their browser uses the page-rendering engines from both Internet Explorer and Firefox. Netscape 8 can choose which engine to use when it renders Web content, depending mostly on security issues, and users can also specify when or if they want to shift gears.

    As a result, when a security flaw surfaces in Gecko, the page rendering engine Netscape shares with Firefox, developers can't simply slap a new name on the official Mozilla patch and tell users to come and get it. They have to optimize the patch for Netscape 8, and that invariably takes time.

    This is the rationale behind Goodger's comments on Netscape 8: It's destined always to be a day late and a dollar short when Mozilla releases patches involving Gecko code.

    Goodger's argument, however, raises some interesting questions. He has to assume, for example, that Netscape's QA team won't catch its own share of Gecko bugs -- bugs that could, in turn, affect Firefox.

    I wouldn't bet my own money (feel free to send me some of yours) against this happening: Netscape is part of America Online and, one assumes, has a decent full-time QA team to test its products. It's unlikely Netscape will ever be the first to find a major Gecko security bug, given the number of developers and security experts eyeballing the Mozilla code base. Yet Goodger might not want to tempt fate, lest he and his colleagues someday find themselves walking a few hot miles in their Netscape counterparts' shoes.

    This brings up a related issue: communication, or lack thereof, between Mozilla and Netscape.

    Common sense, concern for users, and basic karma all dictate that when one group finds a security bug that could affect both browsers, they'll let the other group know about it immediately. Although I haven't seen this mentioned explicitly in any coverage of the Netscape release, it's implied in Netscape's statement attributing its late patch release to a security vendor's advice that the bug wouldn't affect their version of Gecko. If that's the case, and Netscape was able to prepare Mozilla's Firefox patch code for use in their own browser within a matter of hours, it's safe to assume that Mozilla did, indeed, alert Netscape in advance.

    If the two groups are communicating somewhere besides their developers' blog entries, they're doing the right thing: putting the welfare of users ahead of any personal rivalries or corporate politics. That's important, since Goodger's comments suggest that the two groups won't be planning a bowling league or weenie roast anytime soon. (Although I do wonder why Goodger thinks Netscape may not be able to keep up, given its claim that it released a patch within hours of discovering that the Gecko bug affected Netscape 8.)

    Just for everyone's peace of mind, however, both organizations should explicitly confirm their willingness to share critical security information. Given the timeline of this event, it's possible, in theory, that Netscape could have heard about the bug the same way the public did: when the news leaked several days before Mozilla's own patch was ready. I simply don't believe that could be the case, since the risk to innocent end-users could damage Mozilla's reputation beyond repair. (It could also, incidentally, get Mozilla sued into the Stone Age, if Netscape users suffered financial losses due to attacks based on the exploit.)

    But there's a final, related issue that leaves a lot more room for debate: whether Mozilla should actually wait to announce a new bug, and a new patch, until Netscape prepares its own patch. Given the same starting point for both organizations, I'm inclined to say that it's not Mozilla's problem if Netscape can't keep up the pace. Mozilla would, after all, put its own users at risk by delaying any security-related patch release, and a commercial product based on open-source code simply can't expect to get that sort of crutch. And once again, this works both ways, if Netscape is ever the one to find a ticking time bomb in Gecko's innards.

    I don't think there's a right or wrong answer here -- it's a delicate, complicated question, and only time will tell how these sorts of problems work themselves out in real life. It will be fascinating to watch this process unfold, and it will be just as interesting to see how it affects the relationship between open-source developers and the commercial entities that have big money riding on the code they create.

    Before I go, a quick note for Red Hat users and their fellow-travelers: The Red Hat Summit is right around the corner. This event caught my eye, since I'm a New Orleans native, and I'm sure that a lot of Linux users are headed for either a great time, the worst hangover of their lives, or a few days in jail, in addition to feeding their inner geeks some serious brain food. The program looks better than most, the price is reasonable, and while New Orleans is definitely air conditioning country this time of year, it's also a great deal for things like airfares and hotel rooms.

    If you're interested but haven't checked it out yet, you can get more information on the Red Hat Summit, planned June 1-3, at If you see anyone I know, tell them I said hello--and keep your hand on your wallet.

    Matthew McKenzie
    Editor, Linux Pipeline

    Keep Getting This Newsletter
    Don't let future editions of Linux Pipeline Newsletter go missing. Take a moment to add the newsletter's address to your anti-spam whitelist:

    If you're not sure how to do that, ask your administrator or ISP. Or check your anti-spam utility's documentation. Thanks.

    Top Linux News

    Oracle Teams With Zend, Steps Up PHP Scripting Support
    Oracle joins other major IT vendors, including IBM, Intel, and SAP, with a high-profile show of support for the open-source scripting language, which is now in use on nearly 15 million Web sites worldwide.

    Intel Inside Your G5? Apple, Intel May Be Negotiating
    According to a Wall Street Journal report, Apple Computer is on the verge of inking a deal with the giant chipmaker to take over its microprocessor production. Apple, while refusing further comment, referred to the report as "speculation."

    Firefox Developer Rips Netscape Over Security Gaffe
    Responding to Netscape 8's release and immediate security gaffe last week, a lead developer of Firefox lambasted the rival browser -- which uses much of the same code as Mozilla's Firefox -- in a recent blog entry, declaring it "unsafe."

    Startup Unveils Enterprise Database Using Open-Source Code
    EnterpriseDB, joining a growing field of open-source startups, unveils an open source-based database that the company claims is comparable, but less expensive, than similar products from Oracle.

    MontaVista Debuts New Edition Of Carrier-Grade Linux
    The software maker's latest Linux release, designed primarily for the telecom industry, gives the open-source OS fresh momentum as a low-cost option for high-availability systems.

    Netscape Needs Patch Hours After Debut
    America Online's new Netscape 8 browser went from zero to three bugs in less than 12 hours Thursday, forcing developers to celebrate its debut by working to patch the same problem that hobbled its open-source cousin Firefox the week before.

    IBM, Red Hat Put Squeeze On Sun
    Trying to squash Sun's attempt to rejuvenate Solaris as an open-source product, Red Hat and Big Blue plan a joint effort to encourage companies to migrate to Linux instead.

    Apple Tames Tiger With Big Patch
    Apple on Monday patched its newest operating system, Mac OS X 10.4 -- better known as Tiger -- to fix a number of bugs reported in the three weeks since its release.

    Embedded Systems To Get New Linux Tools
    Wind River says its new tools will help manufacturers cut costs and time to market for their Linux-powered embedded devices, and they will also enable CIOs to make such devices an integral part of their IT operations.

    Apple Recalls G4 Batteries
    The computer maker recalled around 128,000 lithium-ion batteries manufactured for use with its 12-inch iBook G4, 12-inch PowerBook G4, and 15-inch PowerBook G4.

    SCO Denies Rumored SEC Investigation
    Litigious software vendor SCO denies it is under Securities and Exchange Commission scrutiny, after a post on open-source community site Groklaw fuels the Slashdot rumor mill.

    Editor's Picks

    Netscape 8: A Better Firefox Than Firefox?
    The latest release from AOL's Netscape division, says Mitch Wagner, is a sleek and cutting-edge product with top-notch password management, anti-spyware tools, and anti-phishing protection. Despite an initial security gaffe that required a quick patch, it's still better than Internet Explorer -- and it's even better than Firefox.

    First Look: Longhorn Beta Build 5048
    While many features announced for Microsoft's "Longhorn" Windows update aren't in this first beta version, it previews some major changes in UI and graphics systems. Veteran Windows expert Scot Finnie gives the Linux world an early look at what to expect from Microsoft's bid to retain its desktop dominance.

    Blog Aggregation Breaks Out
    With blogs proliferating at breakneck speed, it's getting much more difficult either to keep track of interesting new blogs or to make your own words stand out from the crowd. Not surprisingly, a market is emerging for developers of search engines that find and aggregate all of this content.

    Considering Linux For Your Business? Here's How To Get Started
    Everything you need to know to deploy Linux in your company, including what to look for in IT staff, in management tools, technical support (and where to get it), application support, security, who's already doing it and why, and desktop Linux issues.

    Review: Veritas Makes Solaris Disaster Recovery A Snap--Or A Click
    Disaster recovery for Solaris shops is a snap with Veritas Storage Foundation's HA Solaris 4.1. Cluster set up is simple, and support for Solaris containers rounds out this product.

    Review: Standards-Aware Software Simplifies Wi-Fi Access
    The Air Secure Access Point concurrently supports many different generations of the 802.11 security technology found in today's wireless networks.

    Voting Booth: Your 64-Bit Future

    Cast Your Vote Now!
    This week, we're continuing our poll on your experience so far using 64-bit systems, either in production or on test systems. We pay good money to rig our elections, so get over there, and make it look good!

    Poll Results:
    The results so far: If our deceptively scientific-looking poll is any indication, companies pushing 64-bit technology as the wave of the future better start pushing harder: A majority of you aren't even experimenting yet with 64-bit hardware or Linux distros.

    Get More Out Of Linux Pipeline

    Try Linux Pipeline's RSS Feed
    Linux Pipeline's content is available via RSS feed: Get RSS link. The feed is also auto-discoverable to many RSS readers from the Linux Pipeline home page. Note: RSS feeds are not viewable in most Web browsers. You need an RSS reader, Web-based service, or plug-in to view RSS. Find out which RSS readers the Pipeline editors recommend.

    Check Out Our Linux Product Finder
    Don't reinvent the wheel. Find the right off-the-shelf product to do the job. How do you find the right one? Two words ... Product Finder:
       - Desktop Applications
       - Application Servers
       - Commercial Linux Distributions
       - Network Management
       - Web Servers

    Discover All The Pipelines
    Linux Pipeline is part of a large series of specialized IT sites from the TechWeb Network. Find out more about the Pipelines on the TechWeb Network Pipeline Publications page. Every Pipeline site has its own newsletter. Give them a try!

    Recommend This Newsletter To A Friend
    Do you have a friend or colleague who might enjoy this newsletter? Please forward it to him or her and point out the subscription page.


    Manage Your Newsletter Subscription

    We take your privacy very seriously. Please review our Privacy Policy.

    Linux Pipeline Newsletter
    A free service of Linux Pipeline and the TechWeb Network.
    Copyright (c) 2004-2005 CMP Media LLC
    600 Community Drive
    Manhasset, NY 11030