Posted Apr 28, 2009 22:14 UTC (Tue) by jordanb (guest, #45668)
1) Joel is a tool.
Netscape was losing marketshare like crazy when the code was released. It had little to do with the long release time for Mozilla 1.0. Also, the code that Netscape released was unbuildable. They basically ripped out anything that had a copyright question on it, so all you got was an incoherent blob of C code that nobody understood. So the long release time was mostly a result of trying to figure out what they had and how they'd go about turning it into a functioning computer program.
2) I've poked around in the Mozilla codebase and there is a TON of "mcom" stuff in there. So if there was a serious effort to rewrite it (I don't think there was) they sure did leave a lot of truly ancient code.
inherited?
Posted Apr 29, 2009 7:59 UTC (Wed) by sdalley (subscriber, #18550)
If one has a cogent argument, then ad hominems detract from, rather than adding to, what one says.
Is this a joke?
Posted Apr 28, 2009 19:37 UTC (Tue) by khim (subscriber, #9252)
> Odd that WebKit doesn't seem to have this chronic problem.
WebKit is somewhat better, but only marginally. You don't hear about it because most WebKit-based browsers will just silently upgrade without even offering you an opt-out choice! And the ones without such "service" are considered unsupported, so you'll never know if you have any security issues until a rootkit is installed on your system...
Is this a joke?
Posted Apr 28, 2009 20:03 UTC (Tue) by sbergman27 (subscriber, #10767)
Uhhh.... right. If a project pushes out updates automatically then all the security sites ignore any security advisories regarding that software, and news sites like LWN.net decline to report on them. Is that *really* the case that you want to argue?
Of course, I'm assuming, just for the sake of argument, that what you claim about WebKit-based browsers pushing out security updates against the users' will was true.
The lengths to which some die-hard Firefox fans will go... the logical contortions they are willing to accept... to "prove" that the endless stream of security vulnerabilities in Firefox is really a good thing is beyond just worrisome. It's out and out scary.
I doubt that there is a transgression that Mozilla Corp could commit, short of maybe dissing the GPL, that would cause some of the more ardent fans to even think critically about the situation.
Is this a joke?
Posted Apr 28, 2009 22:39 UTC (Tue) by njs (guest, #40338)
I don't think Firefox's security vulnerabilities are a good thing -- I'm not sure who exactly you're arguing with that does -- but it is a fact that Firefox reports internally discovered vulnerabilities as vulnerabilities when they are fixed, while most other browser vendors do not. Therefore, using reported vulnerabilities as an estimate of relative exposure is systematically biased against Firefox. It's possible that even after correcting for that bias then Firefox is the worst. I don't know. But I'm not yet convinced by the evidence available.
If that's "logically contorted", then so be it...
Actually that's not 100% true.
Posted Apr 29, 2009 6:29 UTC (Wed) by khim (subscriber, #9252)
> Therefore, using reported vulnerabilities as an estimate of relative exposure is systematically biased against Firefox.
I'm not convinced of that - only Microsoft practices this hiding approach. Apple and Google are publishing internally-discovered vulnerabilities. And there are fewer of them than in Firefox (8 vs 38 in 2009 so far), but is this difference enough to claim that Firefox is a disaster while WebKit is ideal? The statistic for the full 2008 is 45 Safari vs 102 Firefox. Safari still wins, but the difference is moderate if you recall that Firefox has more subsystems - Safari does does support Firefox-like extensions and all this flexibility does not come free.
Yup.
Posted Apr 29, 2009 6:16 UTC (Wed) by khim (subscriber, #9252)
> If a project pushes out updates automatically then all the security sites ignore any security advisories regarding that software, and news sites like LWN.net decline to report on them. Is that *really* the case that you want to argue?
No. Security sites don't ignore them, only news sites do. If you visit a security database you'll find out that WebKit is vulnerable, Safari is too and Chrome is far from ideal - but they don't issue numbered releases to be downloaded from a site, so LWN does not issue articles on the subject either. Yes, 1/3 of the bugs (159 for Safari vs 455 for Firefox) is a good achievement, but is it enough to say "WebKit doesn't seem to have this chronic problem"?
You cannot do an apples-to-apples comparison between Gecko and WebKit: for Gecko there are just 5 CVEs and for WebKit 27, but I find it hard to believe that out of 455 Firefox's vulnerabilities only 5 affect Gecko and some 450 are in different subsystems...
> The lengths to which some die-hard Firefox fans will go... the logical contortions they are willing to accept... to "prove" that the endless stream of security vulnerabilities in Firefox is really a good thing is beyond just worrisome. It's out and out scary.
Yes, it's really scary. Only Firefox-haters are worse...
Is this a joke?
Posted Apr 29, 2009 7:46 UTC (Wed) by epa (subscriber, #39769)
Please distinguish between 'security vulnerabilities' and 'fully disclosed security updates'. It is not possible to say that because program X has more patches released than program Y, that program X has (or had) more vulnerabilities.
A large number of security fixes being published is neither a 'good thing' nor a 'bad thing' in itself.
That's hairsplitting...
Posted Apr 29, 2009 8:28 UTC (Wed) by khim (subscriber, #9252)
Worthy of a Firefox fanboy. It's a known fact that Firefox has more vulnerabilities than WebKit-based browsers. Maybe they are less severe, maybe not. That is not the point. The point is: the numbers of vulnerabilities in Firefox and WebKit-based browsers are of the same order. It's not like an OpenBSD vs Linux comparison: one side has hundreds of potential vulnerabilities, the other one - just a handful ("ten over last ten years" or something like that). Here both sides have a sizable number, and these vulnerabilities were exploited in the wild and will surely be exploited in the future. No reason for WebKit developers to feel smug and no reason for Firefox developers to fret over statistics.