When Microsoft released their "Shared Source" licenses, at least one of them (The Microsoft Community License) looked like it was actually compatible with the Open Source Definition. So John Cowan submitted it for consideration on the OSI's license-discuss mailing list. However, it wasn't officially discussed or approved because Russ Nelson (who is on the OSI board) wrote:
Let's give Microsoft a chance to submit these licenses on its own. I think that the general principle should be that authors have preference over third parties when it comes to submitting licenses.
The OSI then contacted Microsoft to ask if they should proceed with the evaluation, and Microsoft basically said they weren't interested. So Microsoft's licenses are still not OSI-approved.
Chris DiBona, a Google employee, has submitted the final versions of GPLv3 and LGPLv3 for consideration, 2 hours after they were published. Will the OSI be contacting the FSF for permission to evaluate their licenses as well? If so, I wonder what the FSF will say...
Eric Raymond and Rick Moen's How To Ask Questions The Smart Way is a fantastic document, and I do refer clueless Bugzilla support-seekers to it fairly often. However, it has the large downside that it's very long, and written in idiomatic English. A non-native speaker would be overwhelmed.
Hence: How To Ask Good Questions, a much shorter, simpler document inspired by the above. I have attempted to use simple, declarative English and eliminate complex words and constructions while keeping the meaning.
Comments and suggestions welcome - although there's a fairly high bar for additions, given that we need to keep it simple.
Feel free to point less-than-clueful question askers at this document in support channels you frequent.
I've just taken delivery of 2 display boxes (50 rolls) of Mentos... Muwahahaha.
In the last Scottish Parliamentary elections, the Scottish National Party (SNP) were the largest party by one seat, and that's why Alex Salmond is now First Minister of Scotland, leading a minority administration.
The Open Rights Group's electoral observation report, published today, reveals (pages 51-52) that if an alert election agent in the "Highlands and Islands" constituency had not been doing his own rough count, and challenged the results as they were about to be declared, Labour would have got one extra seat and the SNP two fewer, leading to a different party winning.
The error was that not a single vote for the SNP had actually been included in the count, due to an operator error relating to the Excel spreadsheet used to tabulate the votes! Fortunately, the error was then noticed and the results recalculated, with profuse apologies from the Returning Officer. ORG notes dryly:
ORG is surprised that the Excel software package was permitted to be used to perform such a crucial function in processing the election results. Four years ago the use of office productivity software such as Word and Excel in 2003 English pilots was criticised by the Electoral Commission. Such software does not provide any audit trail or sufficient checks on calculations performed and hence is not appropriate for use in election counts.
That'd be the understatement of the year...
I spent the weekend in Alexandra Palace (only ten minutes away from me by train) at Hack Day London 2007 (except when I was in church), doing a hardware hack in a team with Ewan Spence and Greg McCarroll.
I intended to spend some time building a personal project, but when Ewan wandered over and suggested rocketry, I switched over like a shot :-). Our project was called Beagle 3; the initial plan was a multi-stage rocket using air/water for the first stage and Diet Coke/Mentos for the second stage, with a camera payload, but our experiments with the Coke, while highly amusing to all the assembled geeks Ewan had called out to watch, didn't actually result in anything leaving the ground. We had to settle for something a little more modest. I have a web page which gives some details.
At the end of the day, along with 70 other teams, we were given 90 seconds to tell everyone else about our hack; we showed a video (YouTube, .mp4), skilfully edited by Ewan (Mr. Podcast).
To enter the contest, the rule was that you had to use either a Yahoo or a BBC API. We, in fact, used every single Yahoo API - by loading them onto a USB key and firing it up on top of the rocket :-) For this, we got a prize for "Best Hack of the Rules".
We are looking at reorganising the Products and Components in bugzilla.mozilla.org to more clearly reflect the current state of the project. This might involve renaming, moving, merging, splitting or deprecating Products or Components.
We are going to do this all in one go, so this is your chance to get things cleaned up. Here is the current structure, together with the current state of the proposal. (Note that, as of this writing, no changes have been made so the two sides are the same. But this URL will continue to be valid as the plan evolves.)
If you have proposals for change, please make them in mozilla.dev.planning. Make each change request or set of related requests a new post, with the title prefix "Proposal: ".
Jesse's bugsort.user.js Greasemonkey script for client-side buglist sorting in Bugzilla is a great idea. It saves a lot of time. However, if you try and use Bugzilla's Next/Previous feature to move through the newly-sorted bugs, you'll find that it doesn't work. The bugs come out in the original order. That's because it doesn't update the cookie that Bugzilla uses to store the list in sorted order.
(Cartoon by Peter Steiner. The New Yorker, July 5, 1993.)
For more than 2 years now, the Mozilla project has been part of an organisation called the CA/Browser Forum, which is an industry body made up of the major Certificate Authorities (CAs) and the major browser vendors - Microsoft, the Mozilla Foundation, Opera and KDE (but not Apple, for reasons best known to them).
A CA is a body that issues certificates, such as those for email or web servers (SSL); most of them control "roots" in our certificate store - that is, Firefox or Thunderbird will accept their certificates without warning. (Some are in other certificate stores but not ours.) Large CAs include Verisign/GeoTrust/Thawte, Comodo and GoDaddy, but there are a host of smaller ones too. The Forum currently has 26 members who are CAs, and that number keeps increasing.
The Forum was constituted to look at ways to fix the undeniable problem that the system was beginning to show cracks. In the originally-envisaged model, a certificate was intended to perform two functions. Firstly, it provides an encrypted connection to the destination. Secondly, it tells you who the destination is, to make sure you aren't talking to the wrong person.
The rise of Domain Validation (DV) certificates, which are issued quickly and cheaply after checking only that the applicant controls the domain in question (and nothing about who they are) meant that certificates were being issued to anonymous entities. So you had encryption but not identity. Such certificates are useful in some cases, but if your bank has one, you ought to be concerned. In other words, on some occasions, it's important to know if someone else on the Internet is a dog. Yet the browser UI showed no difference between the different types.
However, there was also no sane way for the browser makers to sort the CAs into two buckets - "not enough identity validation" (DV) and "sufficient identity validation" (IV or OV, for Organisational Validation) because the processes of each CA were mostly secret - and even if they weren't, it would be an enormous task to compare dozens of sets of widely different procedures, and keep the assessments up to date.
So the Forum has spent the last 2 years, via email and a large number of face-to-face meetings, hammering out a minimum standard for identity validation, to try and make sure that certificates issued under them contain reliable information. This standard is called Extended Validation (EV), and compliance by CAs is enforced by audit. It must be said that at the beginning, there were several diverging opinions on how this should work, and what sort of level of validation was required. Interestingly enough, those CAs who issued domain-control only certificates (those with the lowest level of validation) often wanted stronger controls than those who already did some checking, who tended to believe that their existing processes were adequate.
However, with a little help and encouragement from the browser vendors, some of whom had a clear idea of what they wanted, consensus began to form around a set of guidelines which are significantly stronger than anything any CA deploys for non-EV certificates today.
It took a long while to break down the institutional aversion of several forum participants to working in public, with the result that the drafts of the Guidelines were only made public starting at Draft 11. Comments were solicited from the Mozilla security community on Draft 13, and were recorded, submitted, and dealt with by the Forum's processes (with results that can be seen on the referenced web page). Since then, there have been several more rounds of improvements and tweaks. A couple of times we've thought we were there, but another issue raised its head at the last minute.
However, at long last, a vote was called proposing that Draft 20 (500k .doc) of the Guidelines be blessed as version 1.0. With our concerns addressed to a satisfactory level, The Mozilla Foundation voted Yes. It's good enough to spot the dog.
I have just heard that the Guidelines have been unanimously approved. See cabforum.org for the press release. Of course, we won't be stopping there. The Forum will continue to maintain and update the guidelines as conditions change, and if weaknesses are found. I recently drafted a document suggesting how a Forum Security Committee, which would have responsibility for reacting to problems in the vetting procedures discovered by the CAs or by third parties, might work.
I hope that Window Snyder, the Mozilla Corporation's Chief Security Something-or-other, will soon have a post on what this means for Firefox and Thunderbird.
The Mozilla Foundation's mission is to preserve choice and innovation on the Internet. And that's a great thing.
But there are some contexts where choice is harmful. Security is one. For example, I believe that if a Link Fingerprint download fails, the file should be deleted without giving the user the option to retain it. That's because when you ask the user about security decisions (like "This certificate is bogus; do you want to continue?"), they normally do the insecure/convenient thing. So the trick is to avoid having to ask. But my view has been attacked in discussion as not "giving the user choice" and "just deciding for them, like Microsoft", as if taking decisions for users is somehow always a bad thing.
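The fail-closed behaviour argued for above, as an added example (not code from the original post or from Mozilla): a download whose fingerprint does not match is deleted and an error is raised, with no prompt and no override. The `#!sha256!<hex>` fragment syntax, the function names and the sample URL are assumptions made for this illustration.

```python
import hashlib
import os
import re
import tempfile
from urllib.parse import urlsplit

# Assumed fragment syntax for this example: "#!sha256!<hex digest>".
FRAGMENT = re.compile(r"^!(sha256)!([0-9a-fA-F]{64})$")

class FingerprintMismatch(Exception):
    """Raised only after the mismatching file has been deleted."""

def parse_fingerprint(url):
    """Return (hash name, lowercase hex digest), or None for an ordinary link."""
    m = FRAGMENT.match(urlsplit(url).fragment)
    return (m.group(1), m.group(2).lower()) if m else None

def verify_download(path, url):
    """True if verified, False if the link carried no fingerprint.
    On mismatch the file is removed first, then the error is raised, so
    there is nothing left on disk for the user to choose to keep."""
    fp = parse_fingerprint(url)
    if fp is None:
        return False
    name, expected = fp
    h = hashlib.new(name)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    if h.hexdigest() != expected:
        os.remove(path)
        raise FingerprintMismatch(f"{name} digest mismatch; file deleted")
    return True

def demo():
    """Constructed sample: one intact download and one altered in transit."""
    good = b"release tarball contents (constructed sample)"
    url = "http://downloads.example/file.tgz#!sha256!" + hashlib.sha256(good).hexdigest()
    results = {}
    for label, body in (("intact", good), ("tampered", good + b"!")):
        fd, path = tempfile.mkstemp()
        with os.fdopen(fd, "wb") as f:
            f.write(body)
        try:
            results[label] = verify_download(path, url)
        except FingerprintMismatch:
            results[label] = "deleted"
        results[label + "_exists"] = os.path.exists(path)
        if os.path.exists(path):
            os.remove(path)  # clean up the intact sample
    return results

if __name__ == "__main__":
    print(demo())
```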
Another example is shown by this O'Reilly Radar post, which notes with derision that Windows Vista preserves a distinction between "Sleep" and "Hibernate". Commenter "Rick" exemplifies the "what's wrong with choice? Choice is good" view when he says:
OMG, they give users a choice instead of assuming they are all morons...Sure, there is a lot to be said for simplicity, but leaving the choice up to the user is equally valid.
But commenter RichB points out:
For example, OSX combines these two features into a single sleep feature which also hibernates in case your power dies (battery exhausted) during sleep.
This is clearly, plainly, obviously, the right way to implement the feature. And it amazes me that we've taken so long to see it. (Perhaps it's harder for Vista because it has to work on a much wider range of hardware.) But it also goes to show that you can improve things for a user by reducing choice. With apparently no irony, a Microsoft representative is quoted here as saying:
[R]edundancies and choice are the second most important reason to use Windows (the first being backwards compatibility), and without it, Windows would just be a Mac.
Well, exactly.
Looks like I'm echoing Joel here.
The mission of the Mozilla Foundation is to preserve choice and innovation on the Internet. Open standards and protocols are a big part of that, and the main focus of our work on that area is with Firefox, and things like the WHAT-WG. However, I also think we need to be aware of current attempts to make email closed and proprietary.
What am I talking about, I hear you ask? No-one's resurrected the idea of a spam-free email walled garden recently. Companies who tout their own secure mail protocols come and go and no-one notes their passing. The volume of legitimate email sent continues to grow. What's the worry?
I'm talking about the messaging systems built into sites like Facebook and LinkedIn. On several occasions recently, friends have chosen to get back in touch with me via one of these rather than by email. Another friend recently finished a conversation with a third party by saying "Facebook me"; when I asked her why she didn't just use email, she said "Oh, Facebook is so much easier".
And she's right. There's no spam, no risk of viruses or phishing, and you have a ready-made address book that you don't have to maintain. You can even do common mass email types like "Everyone, come to this event" using a much richer interface. Or other people can see what you say if you "write on their wall". In that light, the facts that the compose interface sucks even more than normal webmail, and that you don't have export access to a store of your own messages, don't seem quite so important.
But this is, nevertheless, a bad trend. It would be terrible if email were to descend into something like the multiple incompatible domains that afflict instant messaging - the heroic efforts of gateway providers and multi-protocol clients notwithstanding. Will we one day need accounts on every social website in order to stay in touch? Will someone need to write a Facebook/MySpace mail gateway?
What can be done? For these sites, keeping control of the communication is a win, due to increased page views and application lock-in. (This is one reason why they might be reluctant to support hCard, because it allows people to more easily take communication to another medium.) Have you noticed that email addresses on Facebook aren't hyperlinked as "mailto"s? I wonder why that is? So we shouldn't look for help from there.
Making real email easier to use is a first step. The fact that Thunderbird 2 has built-in support for accessing Gmail accounts is a good start; this should be extended to other email providers. Thunderbird could do with a Firefox-like UI simplification - several steps have been made in that area with QuickSearch and starring items. We need to improve search speed and quality to make single-folder operation more workable. There are some good points here too. And we need to solve the spam problem, although I'm not visionary enough to know how.