On Friday, July 31, 2015 at 11:36:09 AM UTC-5, [email protected] wrote:
> Hi Mika,
> Please can you clarify: "If you would like to distribute Pocket using Mozilla
> code you've modified, you would have to enter into an agreement with them
> separately".
> Does this mean that if you distribute the current FF code you are bound by
> terms that Mozilla agreed with Pocket? If so it would seem somewhat contrary
> to the FF license.
> Thanks
I don't think Mika normally reads this mailing list, so you might want to try contacting Mika directly.

As far as being able to redistribute Firefox (in binary or source code form), if it is unmodified then you probably already are satisfying the terms of redistribution. If it is modified then the modification may no longer fall under the terms for use of the brand. This is a pre-existing issue for third parties that modify the code (such as the Debian group) which pre-dates the addition of Pocket. You can only be sure that the Firefox brand can be used if the code has not been modified. If you want to be sure that the branding included can still be kept after modification, either submit the modification for inclusion in the mainstream build or ask each of the holders of the brands to review the change (in this case, both Mozilla Foundation and Pocket).

In the case of Debian, they were making changes that were specific to their distribution and were not the type of changes that would be accepted into the mainstream build. Also, since submitting changes for review did not fit in their timeline, they decided to remove the Firefox branding and use the name IceWeasel instead. They don't seem to be modifying any of the code involving the Pocket integration, so it might be that Pocket is fine with them redistributing Pocket as part of IceWeasel or that the Debian group has gotten their own agreement. However, if Debian does make any changes that Pocket feels hurt their brand, it is well within their right to protect the brand.

I don't see anything about the integration that is contrary to the Firefox license. Instead, I see how it continues to be handled in a way that is contrary to the Mozilla principles. I am not against commercial integration. A web browser is inherently a set of defaults where alternatives could have been provided but key functionality is already built in. Very few people want a web browser that looks like a Lego set.
Who would want to install Gecko and then get something that says "congratulations on installing the Gecko rendering engine, we recommend you now install a URL/location bar add-on, TLS add-on, etc."? Having a remote bookmarking system was determined to be key functionality expected by new users, just the same as having TLS built in is expected. On this point, I agree with the Mozilla Foundation, and it is silly that some users are taking a vote to get commercial integration removed.

What makes me upset isn't so much specific to Pocket as the Mozilla Foundation's handling of it, which is problematic not only for this integration but for any future integrations as well. There seems to be nothing enforcing that integrations live up to the same level of transparency and security that should be expected of a "take back the web" browser. To date, there is still no progress on documenting the function call of "/v3/firefox/save" other than to claim it as a "private endpoint." As far as I can tell, this is the first time that Firefox has directly called a private endpoint. It has always been possible that a web page's JavaScript may make calls which are privately documented. But for calls directly built into Firefox, the function is always documented publicly, either in the OS SDK, in a protocol description or someplace else. By having a private endpoint that is specific to Firefox, it is unlikely to have the same level of security review as the mainstream and publicly documented endpoints. Despite that, bug #1779699 has still made no progress other than to indicate that at least one Mozillian thinks expecting transparency is an "entitlement" that rubs him the wrong way and that the "burden of proof" is on those expecting transparency. Well, for Gravin Sharp, please let me explain what rubs me the wrong way.
It is a Privacy Policy that claims "[Pocket uses] industry standard practices to protect your privacy" without actually following industry standard practices, as explained in Clint Ruoho's security disclosure available at: https://www.gnu.gl/blog/Posts/multiple-vulnerabilities-in-pocket/

Apache had released a security update to v2.2, v2.2.31, on July 17, and according to this disclosure it appears they still hadn't applied the update over a week later. But the best part of the disclosure is that Apache is configured to run as root. It is an industry standard practice to *start* Apache as root. But in terms of configuring it to remain as root, well, I'll let Apache's documentation speak for the industry standard practice: "the user should have no privileges that result in it being able to access files that are not intended to be visible to the outside world"

Another industry standard practice, after it is discovered that a third party can read any arbitrary file on the system, is to get the SSL/TLS certificates re-issued based on a new private key. This is such an industry standard practice that some certificate authorities will even re-issue the certificate for *free*. But even today, Pocket is still using the certificate (and associated private key) issued back in April. This issue still isn't resolved despite Clint Ruoho giving them a month to fix it!

Any of these should have come up in any security audit or penetration testing. But I am guessing that one wasn't performed by either Pocket or the Mozilla Foundation. In fact, it appears the security issues with the Pocket service have no security bug bounty. So while some may use Firefox because Mozilla provides a bug bounty to help close up Firefox security issues, in this case that doesn't seem to apply.
And while the Pocket integration uses a Firefox-specific endpoint which may someday result in a security issue that only impacts Firefox users, it still seems to be the case that the Mozilla Foundation's bug bounty won't apply even when the service issue only impacts Firefox. And there also appears to be no requirement passed on by the Mozilla Foundation that Pocket match their bug bounty offer.

If "the web we want" has security and transparency as key points, then the commercial integrations that Mozilla puts into Firefox need to have these as key points as well. Not be a service of private endpoints, and not be a service that overstates a claim to be following industry standard practices. Otherwise, what is the point of protecting the Firefox "brand?" If the Mozilla Foundation is going to endorse a service that configures Apache to run as root and leaves a compromised private key still in use, then the biggest threat to the Firefox brand is the Mozilla Foundation. Pocket seems to be cutting corners, and it appears refusing to document the calls made by the Firefox integration is just the tip of the iceberg.

_______________________________________________
governance mailing list
[email protected]
https://lists.mozilla.org/listinfo/governance
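Two checks for the two configuration points raised in the message above (Apache workers left running as root, and a TLS certificate not re-issued after a file-disclosure bug), written here as an added example that is not part of the original post and not Pocket's or Mozilla's code. The process listing, certificate dates and disclosure date are constructed for the example; on a real host the inputs would come from `ps -eo pid,ppid,user,comm` and `openssl x509 -noout -startdate`.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed `ps -eo pid,ppid,user,comm`
# output: the parent httpd is root (expected, it must bind ports 80/443), one worker
# correctly dropped to www-data, and one worker was left running as root.
PS_SAMPLE='  PID  PPID USER     COMMAND
    1     0 root     init
 1200     1 root     httpd
 1201  1200 www-data httpd
 1202  1200 root     httpd
 1300     1 root     sshd'

# Print the PIDs of Apache workers that did NOT drop privileges: processes whose
# parent is itself an httpd/apache2 process and whose user is still root.
# The root parent is not reported, since starting as root is expected.
root_workers() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $4 ~ /^(httpd|apache2)$/ { apache[$1] = 1; user[$1] = $3; ppid[$1] = $2 }
        END {
            for (p in user)
                if ((ppid[p] in apache) && user[p] == "root") print p
        }' | sort -n
}

# Compare a certificate notBefore line (openssl format, e.g.
# "notBefore=Apr 10 00:00:00 2015 GMT") with the disclosure date "YYYY-MM-DD".
# Returns 0 if the certificate was issued after the disclosure (key was rotated),
# 1 if it predates the disclosure (the possibly exposed key is still in use).
# Dates are compared as YYYYMMDD integers so no GNU date is required.
key_rotated_after() {
    nb=$(printf '%s' "$1" | sed 's/^notBefore=//' | awk '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i = 1; i <= 12; i++) mon[m[i]] = i }
        { printf "%04d%02d%02d", $4, mon[$1], $2 }')
    dis=$(printf '%s' "$2" | sed 's/-//g')
    [ -n "$nb" ] && [ "$nb" -gt "$dis" ]
}

# Stand-alone run with the constructed inputs (the disclosure date is assumed).
echo "workers still root: $(root_workers "$PS_SAMPLE")"
if key_rotated_after "notBefore=Apr 10 00:00:00 2015 GMT" "2015-07-31"; then
    echo "certificate re-issued after disclosure"
else
    echo "certificate predates disclosure: rotate the key and re-issue"
fi
```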
