Mozilla: more corporate than you might think

General discussion and chat (archived)
Moonchild
Pale Moon guru
Posts: 35575
Joined: 2011-08-28, 17:27
Location: Motala, SE

Mozilla: more corporate than you might think

Unread post by Moonchild » 2012-10-04, 10:39

Having dealt with Mozilla people a few times now, I thought I might share the following observations with you all. It's actually rather sad, but I gather it's also a sign of the times.

The first time I was contacted by Mr. Beltzner directly, the product director for Firefox - this was quite a while back when Pale Moon was still very much a "rebuild" of Firefox (3.5.*), like currently a few clones out there do like fbuild, waterfox, pcx. I was asked what code changes I made to build Pale Moon. It seemed sincere at first glance but was brief and pretty much went quiet with no further responses from the Mozilla side when I explained that the optimizations were achieved through the build process, not necessarily code changes. This made me think that they must simply have been looking for a "quick fix" to a few of their more pressing issues with the Firefox code base.

More recently, I got in touch with the Mozilla security team, because a good number of Mozilla security bugs are (rightfully so) shielded from public view, and I was having difficulties examining and implementing fixes for these bugs (still blocked even a month or more after the relevant Firefox version was published). I got met with the expected reluctance, although the vetting process seems quite over the top and extremely limited (basically to people that are very well known to the security team already). I was, however, told:
Yvan Boily wrote: If you run into any challenges with the security program (for example, locked bugs, etc) feel free to reach out to me directly or through security [at] mozilla.org
I've since tried to contact the security team with a few challenges (one being the padlock display issue that required me to change the logic for it in 15.0) but have not seen any replies whatsoever to anything I sent out to them (either through IM, direct mail, or security mailing list).

Some more background here leading up to my conclusion about the actual approach Mozilla seems to have:
  1. After getting in touch with the security team, it was made clear that to be vetted for the security access I require in bugzilla to be able to evaluate security bugs for applicability in Pale Moon, you have to become known to the team. To become known, you have to participate in meetings/conferences (preferably in person) or actively work on security patches or discussions.
  2. I was also asked to have a look at the open positions @ Mozilla, almost first thing. Meaning to actually become a paid Mozilla employee - obviously because I was considered a potential, valuable asset for publishing Pale Moon
The silence ensued after I made clear that I really don't have the time for (1) because of my single-handed development of Pale Moon next to a day job, and the fact that I had no interest in creating bug patches for security issues, but rather just needed the information to implement them, and also replied negatively to (2) because none of the jobs offered matched my profile.

The conclusion, from all the above, is that Mozilla, apparently, puts corporate interest above the principles behind FOSS:
  • They look for free-to-use code patches from global developers that they may or may not share information about, depending on context (just sharing the source does not provide required context for development) IN
  • They look for free development time and intellectual effort from global developers IN
  • They look for the acquisition of potential in-house paid developers from the global pool IN
  • Their resulting product is widely used around the world, and brings in a lot of revenue
  • They show no interest to share "corporate" information (essential security information that would bring the other related products on-par with theirs) with people who have not yet contributed to their own product (for free, as part of vetting) IN->OUT (tit-for-tat)
  • They show no interest to actually assist other open source projects based on the same community code used by them OUT
  • They actively ignore requests from developers who obviously have a good and potentially competitive product, who are not potentially interested in being absorbed OUT
IN : Using the Open Source community to their advantage at no expense
IN : Not getting something from the Open Source community in this context
OUT : Giving something back to the Open Source community
OUT : Not giving something back to the Open Source community

This is very much a one-way street that makes perfect sense from a corporate point of view, but actually does not, at all, square with what you would expect in the Open Source community.

Once again, these are my personal observations, they are food for thought and nothing more.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

stravinsky

Re: Mozilla: more corporate than you might think

Unread post by stravinsky » 2012-10-04, 12:24

Moonchild wrote: After getting in touch with the security team, it was made clear that to be vetted for the security access I require in bugzilla to be able to evaluate security bugs for applicability in Pale Moon, you have to become known to the team. To become known, you have to participate in meetings/conferences (preferably in person) or actively work on security patches or discussions.
Moonchild wrote: I was also asked to have a look at the open positions @ Mozilla, almost first thing. Meaning to actually become a paid Mozilla employee - obviously because I was considered a potential, valuable asset for publishing Pale Moon
In regard to these two points only:

Can't blame them for doing that. The mozilla corp is seriously under-manned. They have ~800000 bugs, and prolly less than 100 code developers. Lots of bugs are just lying around because nobody has any spare time to look into these bugs. So can't expect them to help a developer who wants their help on their code, without contributing to it first.
Also, from their perspective: you might be trying to take advantage of the security patches and deliberately add spyware/malware. Or your purpose might be innocent, but you could open backdoors (inadvertently) that could compromise the browser security.

Moonchild
Pale Moon guru
Posts: 35575
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Mozilla: more corporate than you might think

Unread post by Moonchild » 2012-10-04, 13:13

stravinsky wrote: Lots of bugs are just lying around because nobody has any spare time to look into these bugs.
No, they are lying around because priority is given to "polish", new features, and adding more tools to the browser - and a 6-week rabid release schedule.
stravinsky wrote: Also, from their perspective: you might be trying to take advantage of the security patches and deliberately add spyware/malware. Or your purpose might be innocent, but you could open backdoors (inadvertently) that could compromise the browser security.
... security patches are reviewed vigorously, for one, so Firefox security is not endangered.
Secondly, not being given access to security bugs would be the situation that would potentially compromise browser security, but only for people NOT part of the Mozilla team and developing things independently based on their code. I.e.: it would impact browser security for any browser but Firefox (which is the corporate approach, wanting as many people as possible to use their product and not alternatives).
What would be my advantage of adding malware/spyware to my own browser?

As said: it is understandable that their vetting process for including people in their security team is strict - and I don't really have the desire to become part of that team; It is not needed!
It's also understandable that they want to keep these bugs restricted to as few people as possible until a live patch is out, but they should certainly consider authorizing independent developers of derivative FOSS products for access to specific bugs that they indicate are a challenge. As an aside, I gave them carte blanche for asking me for any information they wanted to verify my identity and integrity. Even offered to sign an NDA if that is what they preferred. All I need is "read-only" access to understand the context of certain locked bugs.

But what I do expect is for them to keep their word and actually disclose information on specific bugs that i ask for, or at the very least tell me they can't/won't, for a certain reason -- not give me the silent treatment.
It takes no effort on their behalf, and it should not be a concern that someone has not yet contributed to solving security issues (they may not be able to, to begin with) before being given the context for code that anyone who knows the development process and knows how to use the tinderbox can pull out of the tree (it is, in fact, what I am forced to do now, reverse-engineer the code patches to find out if they are applicable to Pale Moon or not, and to try and find out what exactly the patch does -- also with no real way to test it or know the context of the bug) -- unless they treat this kind of access as a privilege for someone who has made an investment in the product that makes them money (the corporate approach).
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Night Wing
Knows the dark side
Posts: 5170
Joined: 2011-10-03, 10:19
Location: Piney Woods of Southeast Texas, USA

Re: Mozilla: more corporate than you might think

Unread post by Night Wing » 2012-10-04, 13:40

After reading the comments, it seems (to me) Mozilla has the "ivory tower mentality".
Linux Mint 21.3 (Virginia) Xfce w/ Linux Pale Moon, Linux Waterfox, Linux SeaLion, Linux Firefox
MX Linux 23.2 (Libretto) Xfce w/ Linux Pale Moon, Linux Waterfox, Linux SeaLion, Linux Firefox
Linux Debian 12.5 (Bookworm) Xfce w/ Linux Pale Moon, Linux Waterfox, Linux SeaLion, Linux Firefox

stravinsky

Re: Mozilla: more corporate than you might think

Unread post by stravinsky » 2012-10-04, 14:03

Moonchild wrote: What would be my advantage of adding malware/spyware to my own browser?
You don't need me to answer this question ;) Online bank transactions.............
Moonchild wrote: unless they treat this kind of access as a privilege for someone who has made an investment in the product that makes them money (the corporate approach)
imho, moz approach is "market share" instead of "making money". They might be related, but not overly so in mozilla's case. They aren't google.
To be honest, i would like moz to make some money of their own, instead of relying majorly on google.

Moonchild
Pale Moon guru
Posts: 35575
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Mozilla: more corporate than you might think

Unread post by Moonchild » 2012-10-04, 15:56

stravinsky wrote: You don't need me to answer this question ;) Online bank transactions.............
So now you think I'm a criminal... :evil:
I think my entire project would get axed in no time if I ever did this. Not that I even want to; the mere fact that I'm clearly making it my responsibility to keep every Pale Moon user as safe as I can should tell you enough...
stravinsky wrote: imho, moz approach is "market share" instead of "making money". They might be related, but not overly so in mozilla's case.
Wikipedia:
Revenue $91.3 million (2009) [1]
Net income $43.1 million (2009)[1]
Night Wing wrote: After reading the comments, it seems (to me) Mozilla has the "ivory tower mentality".
Yes, seems very much so. And pretty much leaving me dead in the water, requiring me to go through a lot of unnecessary hoops to keep Pale Moon as secure as it ought to be. (Check MFSA -> find bug# -> find changeset related to the bug # -> examine code in the changeset -> assess the reason for this added/changed code -> evaluate if it applies to Pale Moon (difficult without info like affected versions, affected OS, etc.) -> backport manually to Pale Moon)
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
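The MFSA -> bug number -> changeset -> applicability -> backport chain described in the post above, written out as a small triage helper. This is an added example, not code from the thread or from the Pale Moon project: it assumes a simplified advisory layout (an "Advisory:", "Fixed in:", "Affected:" header and a list of "Bug NNNNNN" references, which is not the real MFSA page format), `hg log` output in which commit summaries follow the usual "Bug NNNNNN - summary" convention, and a fork base version passed in by the caller. The advisory, bug numbers and changeset ids are all constructed.

```python
"""Link a security advisory to bug numbers and repository changesets, then
decide which fixes a fork (built from an older Firefox major version) needs to
examine for backporting."""
import re
from dataclasses import dataclass

# --- Constructed sample inputs: not a real advisory, real bugs or real changesets ---

# Simplified advisory text. The layout is an assumption for this example.
ADVISORY_TEXT = """\
Advisory: EXAMPLE-2012-001 (constructed)
Impact: Critical
Fixed in: Firefox 16, Firefox ESR 10.0.8
Affected: Firefox 15 and earlier
References:
  Bug 700001 - use-after-free in example widget (constructed)
  Bug 700002 - heap overflow in example decoder (constructed)
  Bug 700003 - information leak in example cache (constructed)
"""

# Constructed `hg log`-style output; summaries use the "Bug NNNNNN - ..." convention.
# Bug 700003 deliberately has no changeset here, modelling a still-locked bug.
HG_LOG = """\
changeset:   1001:aaaaaaaaaaaa
user:        dev@example.invalid
summary:     Bug 700001 - Null out widget pointer after release. r=reviewer

changeset:   1002:bbbbbbbbbbbb
user:        dev@example.invalid
summary:     Bug 654321 - Tweak toolbar spacing. r=ui

changeset:   1003:cccccccccccc
user:        dev@example.invalid
summary:     Bug 700002 - Bounds-check decoder input length. r=reviewer

changeset:   1004:dddddddddddd
user:        dev@example.invalid
summary:     Bug 700002 - Add regression test. r=reviewer
"""


@dataclass
class Advisory:
    ident: str
    impact: str
    fixed_in: int       # first Firefox major version that ships the fix
    max_affected: int   # highest affected Firefox major version
    bugs: list          # bug numbers referenced by the advisory


def parse_advisory(text: str) -> Advisory:
    """Extract identifier, impact, version range and referenced bug numbers."""
    ident = re.search(r"^Advisory:\s*(\S+)", text, re.M).group(1)
    impact = re.search(r"^Impact:\s*(\w+)", text, re.M).group(1)
    fixed_in = int(re.search(r"^Fixed in:.*?Firefox (\d+)", text, re.M).group(1))
    max_affected = int(re.search(r"^Affected:.*?Firefox (\d+)", text, re.M).group(1))
    bugs = sorted({int(b) for b in re.findall(r"\bBug (\d+)", text)})
    return Advisory(ident, impact, fixed_in, max_affected, bugs)


def parse_hg_log(text: str) -> dict:
    """Map bug number -> list of changeset ids whose summary names that bug."""
    result = {}
    current = None
    for line in text.splitlines():
        if line.startswith("changeset:"):
            current = line.split(":", 1)[1].strip()   # e.g. "1001:aaaaaaaaaaaa"
        elif line.startswith("summary:") and current:
            m = re.search(r"\bBug (\d+)", line)
            if m:
                result.setdefault(int(m.group(1)), []).append(current)
    return result


def triage(advisory: Advisory, bug_to_changesets: dict, fork_base_version: int) -> dict:
    """For each advisory bug, return (status, changesets). The fork needs the fix
    when its base version is inside the affected range and below the fixed version."""
    needs_fix = fork_base_version <= advisory.max_affected < advisory.fixed_in
    report = {}
    for bug in advisory.bugs:
        changesets = bug_to_changesets.get(bug, [])
        if not needs_fix:
            status = "not-applicable"
        elif changesets:
            status = "backport-candidate"    # examine these changesets, then backport
        else:
            status = "no-changeset-found"    # bug still locked: search the tree by hand
        report[bug] = (status, changesets)
    return report


if __name__ == "__main__":
    adv = parse_advisory(ADVISORY_TEXT)
    log = parse_hg_log(HG_LOG)
    for base in (15, 16):   # constructed fork base versions
        print(f"{adv.ident} ({adv.impact}) against fork base Firefox {base}:")
        for bug, (status, changesets) in triage(adv, log, base).items():
            print(f"  Bug {bug}: {status} {changesets}")
```

The applicability test is deliberately coarse: it only uses the version range an advisory states, so a "backport-candidate" still needs the manual step the post describes (reading the changeset to understand what the change does) before anything is merged. A bug in "no-changeset-found" is exactly the locked-bug case, where the only remaining option is to search the tree for commits that reference it.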

stravinsky

Re: Mozilla: more corporate than you might think

Unread post by stravinsky » 2012-10-04, 16:21

Moonchild wrote: So now you think I'm a criminal... :evil:
I never said that. And you know it....
But the fact is that there is a very potent motivation to implement such spyware/backdoors.
Moonchild wrote: I think my entire project would get axed in no time if I ever did this. Not that I even want to; the mere fact that I'm clearly making it my responsibility to keep every Pale Moon user as safe as I can should tell you enough...
It is satisfactory enough for me. It may not be satisfactory enough for moz corp. because you don't simply make a rebuild. You do code changes too.

Rohugh

Re: Mozilla: more corporate than you might think

Unread post by Rohugh » 2012-10-04, 16:22

Moonchild wrote: So now you think I'm a criminal... :evil:
The rest of us regulars and the probably majority of PM users don't think that MC. ;)
Moonchild wrote: Revenue $91.3 million (2009) [1]
Net income $43.1 million (2009) [1]
Wow! 1% of that would get you several copies of VS 2012.

stravinsky

Re: Mozilla: more corporate than you might think

Unread post by stravinsky » 2012-10-04, 16:24

Moonchild wrote: Yes, seems very much so. And pretty much leaving me dead in the water, requiring me to go through a lot of unnecessary hoops to keep Pale Moon as secure as it ought to be. (Check MFSA -> find bug# -> find changeset related to the bug # -> examine code in the changeset -> assess the reason for this added/changed code -> evaluate if it applies to Pale Moon (difficult without info like affected versions, affected OS, etc.) -> backport manually to Pale Moon)
This tedious process is for "security/critical bugs" or generally all "out of official release schedule" patches too?

Moonchild
Pale Moon guru
Posts: 35575
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Mozilla: more corporate than you might think

Unread post by Moonchild » 2012-10-04, 18:54

stravinsky wrote: This tedious process is for "security/critical bugs" or generally all "out of official release schedule" patches too?
This process is needed for locked bugs - by definition bugs that are flagged "critical security issues". So basically the very bugs that are the most important and pertinent to implement are the ones that are difficult to "get to".
Rohugh wrote: Wow! 1% of that would get you several copies of VS 2012.
1% of the lower figure ($431,000) would buy me... almost 700 copies of Visual Studio :P
So for Mozilla, buying it is really not significant as an expense.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

lyceus

Re: Mozilla: more corporate than you might think

Unread post by lyceus » 2012-10-04, 21:47

I think that they had gone that way long ago after they made the slogan "WE SAY SO" (like Disney's Dinosaurs show) about what is better for you and what is not good for you inside FireFox.

Tallpaultn

Re: Mozilla: more corporate than you might think

Unread post by Tallpaultn » 2012-10-04, 22:13

Must give credit where credit is due--at the end of the day when all is said & done, Mozilla must be doing something right because they're providing a web browser for free that works rather well I might add. Some people choose to use other web browsers & that's ok too. Competition & peer pressure are good things in almost all instances... ;)

Blacklab
Board Warrior
Posts: 1080
Joined: 2012-06-08, 12:14

Re: Mozilla: more corporate than you might think

Unread post by Blacklab » 2012-10-04, 22:37

Coming from a heavily vetted world where "need to know" was the rule of the day I am glad to hear that Mozilla do not make it easy for anyone to gain access to security critical information. If MC can reverse engineer then you can bet there are some equally bright criminals doing exactly the same thing. Even in a world far more perfect than this one I sincerely doubt that "Open Source" and "Secure" are ever going to sit easily together - frankly they are mutually incompatible concepts!

The vetting procedure is not explained but the impression given is that it depends more on the Mozilla security team's personal recommendation rather than the normal (and exceptionally expensive) methods used by governments, the military and security agencies. If this is so then logic would suggest that the only way "in" is going to be by some "give and take" on both sides. Mozilla obviously rate MC's abilities or they wouldn't bother paying him the compliment of immediately attempting to headhunt him.... so again logic would suggest that doing something for Mozilla in return for the security clearances/access desired is likely to be the most fruitful way ahead.

Obviously MC does not want to do this in the way Mozilla have so far suggested - but it's got to be nice to be asked and not just shown the door? Surely there are very good grounds for continuing friendly discussions (like JFK in Cuban Missile Crisis it can sometimes pay huge dividends to just ignore the other sides negative comments/attitude and only respond to their positive aspects), develop trust, and perhaps slowly negotiate something mutually beneficial?

It's not for me to say.... but living on the beautiful, but very wet, West Coast of Scotland the thought of a well paid trip to Hotel California every now and then doesn't sound so awful. Who knows a cute little Pale Fox / Fire Moon "child" might get conceived? :) I'm sure you can check out any time you like.... and probably even leave!

PS. If this wasn't a Freudian Slip by MC then it was a really great turn of phrase? :lol:
Regarding Mozilla's vast number of outstanding bugs, Moonchild wrote: No, they are lying around because priority is given to "polish", new features, and adding more tools to the browser - and a 6-week rabid release schedule.

Moonchild
Pale Moon guru
Posts: 35575
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Mozilla: more corporate than you might think

Unread post by Moonchild » 2012-10-05, 09:58

I've "given" what I can in their context (which excludes me travelling to Mozilla offices at my own expense or joining meetings and giving presentations with a webcam, but includes me offering any information they want from me for verifying my integrity), and am now being ignored in turn. As said I more than understand the requirements for disclosure, and the impact of disclosing it to the "wrong" people. That's not up for discussion here. The point I was making is that it's not so much about the vetting procedure as it is about extending an offer to keep the Pale Moon community up to spec regarding security and then not making good on it because it is not in the corporate interest.

PS: That was not a Freudian slip. It was very much on purpose.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Ryrynz

Re: Mozilla: more corporate than you might think

Unread post by Ryrynz » 2012-10-05, 10:47

I thought they would have been more open, it benefits them AND the community.
Looks like you'd need to buddy up with someone at Mozilla to get what you want, the way of the world sometimes, I can understand your frustration.
I guess it's either that or pester everyone you can think of at Mozilla until you get a reply, surely someone's gotta give a damn.
