So, I’m gonna step back and take the long view for a moment here. This could be a boon if you look at it differently.
They rolled out a totally harmless extension bundled into Firefox by default. This highlighted the fact that they didn’t really have a good process around ensuring that the integrity of the base browser was maintained and that anybody in the org could ship add-ons with the base build without much in the way of formal process.
So as a result of this serious but ultimately harmless gaffe, we now get more rigorous process around what gets bundled with the base build.
I see this as a “They lost the skirmish but won the war” situation.
You can say that about every fuck up. It’s a learning opportunity! Losing count of the number of people who can force push an update to something as important as a browser to millions of people shouldn’t be a rookie mistake.
I worked with a guy who didn’t like pluses and negatives in retrospectives. So instead we had pluses and deltas. Nothing bad ever happened, just things we’d do “differently”.
Sure, every fuck up begets a learning opportunity, but not every opportunity is seized. Do we think Mozilla will seize this opportunity? It sounds like feoh thinks so. Doesn’t seem that unreasonable, but of course, we don’t know for sure that they will. :)
So what would you suggest? Seriously, what action should we all take as conscientious users? Abandon the web browser market to Google, where Chrome is closed source so we have no hope of this degree of transparency? Or perhaps Microsoft?
Honestly I’m wondering what constructive steps you think we should take. From my perspective, they botched big time and have learned from that mistake, and we as users of the platform will benefit from it.
I’m not advocating any particular action, but I think trying to reframe this as a good thing is a bit much. If you like Firefox, sure, carry on using it.
If you want my take, people have been acting like Firefox is a perfect 100/100 on the security and privacy front. Maybe this is a reminder that there is no browser that’s 100. Perhaps a chance to recalibrate our scoring function. What if the best browser you can get is not great, but merely not that bad? Does this affect how you use a browser or its role in your life?
This add-on was installed and set to ‘OFF’ and made no changes in the user experience unless it was explicitly turned on by a user, but it was added. Even when turned on no user data was collected or shared.
Dear Chief Marketing Officer, you know better than to hide behind passive voice sentences. Did you ask legal to write this? I strongly urge you to resign effective immediately.
Sincerely, Yours truly
I love that they launched this collaboration with Comcast the same week as net neutrality was killed. It must have taken some coordination to have their heads that far up their asses.
In the heat of this discussion I’ve also made a comment that was uncalled for. When you take a step back from the outrage (regarding an org close to many of us) you’ll see that no harm was intended (well meant != well done), no harm was done and we’ll get better processes out of that situation.
To the Mozilla devs in here, should any of you see this: I’m sorry for stirring the outrage and thereby also attacking your work.
I think there’s a question that should be asked. Would this be found if Firefox was a GPL project, and should we be primarily contributing to GPL projects since ALL of it must be shared?
That is irrelevant. The Linux kernel is GPL and yet you don’t get immediate access to all development done by companies around it. Most will throw you a tarball of the source code over the wall once in a while (see Google Android). They can develop an auto install feature, use it to distribute a payload and show you the code months later, heck they don’t even have to if the payload is a loadable Linux kernel module.
In this specific case, the extension is actually shared and open source. So was the code used to deploy the plugin/shield study. However, that doesn’t prevent a valid use case (deploying opt-in user studies) being misused as an advertising channel (a TV show tie-in piggybacking on your consent to help with user studies).
Firefox is the closest to a non-corporate browser you can get. Essentially there are only 4 serious web rendering engines still in active development:
WebKit (derived from KHTML) maintained & developed mainly by Apple
Blink forked off of WebKit by Google
Gecko maintained & developed by Mozilla
Trident/Edge developed by Microsoft
Those companies have the resources to push development and keep up with security updates. Developing a web browser rendering engine is a very resource intensive process. If you switch to a browser that just consumes one of those then you are really not changing anything - that browser is at the mercy of the upstream vendor and will lag with security updates. If you find a browser that actually forks one of the above then you run with the risk of them not keeping up with security & development.
This is true, but it’s very important to note that if you install Firefox or Chromium from a distro like Debian, they will do the work of stripping out the tracking misfeatures while still applying critical security updates from upstream. The whole job of the Debian maintainers in this case is to protect users from exactly this situation, and they do a good job at it.
The code was open source (https://github.com/mozilla/addon-wr) and even if it wasn’t, add-on code is shipped in source form so you can inspect it on your end.
Painful. But as much as I’d love to see it, it is rare for institutions to fully own their mistakes, no matter how obvious.
I feel like I’m missing something. Can someone highlight how this is skewing the truth?
I guess then the answer is don’t contribute to corporate maintained repositories and that we should be using a non-corporate browser.
Yes, I guess this is the heart of the problem. There really should be a community driven browser just as there is a community driven operating system.