Mozilla Will Fund Code Audits For Open Source Software (helpnetsecurity.com)
Reader Orome1 writes: The Mozilla Foundation has set up the Secure Open Source (SOS) Fund, whose aim is to help open source software projects rid their code of vulnerabilities. Projects that want Mozilla's help must be open source/free software and must be actively maintained, but they have a much better probability of being chosen if their software is commonly used and is vital to the continued functioning of the Internet or the Web. Three open source projects -- PCRE, libjpeg-turbo, and phpMyAdmin -- have already gone through the process, and the result was removal of 43 vulnerabilities (including one critical).
Obligatory (Score:2, Funny)
Mozilla, much like Microsoft, can do no right, even when they do the exact opposite of the thing we called them out on before.
Re: (Score:2)
Well Firefox *is* the browser that started the demise of IE.
Re: (Score:1)
Firefox has become the tyrant it has replaced.
Really?
Let me guess... you prefer Chrome?
Because Google hasn't shown any monopolistic, anti-competitive or embrace-extend-extinguish tactics at all in recent years, have they?
Re: (Score:2)
Even if it were as bad as IE 6 (which it isn't), it now has competition. If you don't like it, you can choose from several other browsers that will likely work just as well.
And we have Firefox to thank for doing the hard thing and standing up to Goliath.
Re: (Score:1)
Perhaps, much like AT&T, Mozilla's best bet would be to just carve itself up into 3+ units, some of which would continue on
Re: (Score:3)
Tell me how Rust is a failure. Have you even coded a single line in Rust?
Re: (Score:2)
The only implementation of Rust is very buggy (over 2,000 open bugs right now!), despite it being written in Rust, which is a language that's supposed to make it harder to write buggier code!
It removes a class of bugs that are common in C and C++ that are the #1 cause of security bugs in those languages (and also cause weird behavior that can be hard to track down due to random corruption).
Any program of significant complexity is going to have bugs. There is no silver bullet. That doesn't mean the improvement Rust brings isn't worthwhile.
Rust's supposed benefits are typically no better than what you get when using C++11 or C++14, and modern C++ techniques.
Can you point to a notable open source C++ program, then, that follows these techniques?
Re: (Score:2)
So do Perl, Ruby, Python, Java, C#, PHP, Tcl, Lua, Erlang, Go, Swift, Haskell, OCaml, JavaScript, and numerous other languages with garbage collection or other forms of automatic memory management. So Rust is nothing special.
But Rust is special, because it was designed to be used without garbage collection. Garbage collection isn't free and this is one of the main reasons that C/C++ is still used today.
At least you're admitting there's nothing special about Rust. That's more than most of its supporters are smart enough to do. Most of them just keep on insisting it's "safer", despite the Rust implementation itself being bogged down with bugs.
You clearly have a problem with reading comprehension. It is safer with the class of bugs I mentioned, the #1 source of security bugs and memory corruption bugs that waste a lot of time tracking down.
The newer parts of many C++ projects are written using these techniques. Some examples you may have heard of are LLVM (funny, Rust's implementation uses this!), Boost, and Qt.
Oh, so you won't get problems like this [llvm.org]:
"This was precisely the root cause of the memory problem: MDNodeFwdDecl's constructor alway
Re: (Score:2)
It uses ownership [rust-lang.org]. It's not anything that can't be done in C++, but the difference is that the compiler enforces it.
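As an added illustration of the two points made in this thread (the class of memory bugs Rust rules out, and the fact that ownership is enforced by the compiler rather than by convention), here is example code that is not part of the original discussion. The commented-out lines are the ones the Rust compiler rejects; the error codes are the ones rustc reports.

```rust
// Added example: ownership and borrowing as enforced by the Rust compiler.
// Holding a reference into a Vec while pushing to it is a classic
// use-after-free in C++ (reallocation invalidates the reference);
// the borrow checker refuses to compile the same pattern.

/// Reads the first element, then grows the vector. The value is copied out
/// first so that no borrow of `v` is alive when `v.push` needs `&mut`.
fn first_and_grow(v: &mut Vec<u32>) -> u32 {
    let first = v[0]; // u32 is Copy: the borrow ends on this line
    // let first_ref = &v[0];
    // v.push(*first_ref * 2);
    // -> error[E0502]: cannot borrow `*v` as mutable because it is also
    //    borrowed as immutable (this is the C++ dangling-reference bug)
    v.push(first * 2);
    first
}

/// Takes ownership: after this call the caller can no longer use `names`.
fn consume(names: Vec<String>) -> usize {
    names.iter().map(|n| n.len()).sum()
}

/// Borrows: the caller keeps ownership and may keep using `names`.
fn borrow(names: &[String]) -> usize {
    names.len()
}

fn main() {
    let mut v = vec![21, 1];
    let f = first_and_grow(&mut v);
    println!("{f} {v:?}"); // 21 [21, 1, 42]

    // Constructed sample data (project names from the article summary).
    let names = vec!["pcre".to_string(), "libjpeg-turbo".to_string()];
    let n = borrow(&names); // `names` is still usable afterwards
    let total = consume(names); // `names` is moved into `consume` here
    // println!("{names:?}");
    // -> error[E0382]: borrow of moved value: `names`
    println!("{n} {total}"); // 2 17
}
```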
Re: (Score:2)
Here we go again...
- Rust is essentially a proprietary language, even if the source code is available.
I'd guess you say this because there is no standards committee for Rust? Well yeah, maybe that makes it "proprietary", but that isn't something bad. Linux has a dictator as well, just like many other projects. In the context of programming languages, at least Go, Java and Swift are "proprietary but open source" as well.
The great thing about open source is that if upstream fucks up, people create a fork. Think of LibreOffice for example.
- There is only one implementation of Rust. You're fucked if there's a problem with it. You can't use an alternative compiler, even temporarily, because none exist!
Does Go have an alternative compiler? Does Swift have
Firefox? (Score:1)
Real Link (Score:5, Informative)
Mozilla announcement: https://blog.mozilla.org/blog/2016/06/09/help-make-open-source-secure/
Stop Focusing On Security! (Score:1)
There's more important things like making sure my 301 tabs left open for two months straight with a dozen extensions and plugins run in less than 1GB memory!!!
Blah blah version bloat blah memory leak blah blah!
Mozilla SJW-ism (Score:2, Informative)
Mozilla? The same company that just threw away $15k to remove [mozilla.org] the term "slave" from documentation [mozilla.org]?
I wonder what kind of damage their "audits" will do to these projects.
Re: (Score:2)
Damn shit. This is the most SJW thing Mozilla has ever done; I thought kicking out Brendan Eich was already bad enough.
Interesting (Score:1)
Projects that want Mozilla's help must be open source/free software and must be actively maintained, but they have a much better probability of being chosen if their software is commonly used and is vital to the continued functioning of the Internet or the Web.
Ironically, this means Firefox may not be considered eligible due to the latter two conditions. /rimshot
Considering other news today, they should (Score:2)
Oh and by the way are you all going to get on the prosecute-Microsoft-bandwagon, now? Because now they're violating anti-hacking laws by inserting unwanted and malicious spyware into other people's software.
Not for UX design I hope (Score:2)
As long as they don't fund audits for proper UX designs I can live with that.
This is amazing news (Score:2)