Comment Re:Bad Idea (Score 1) 73
A public benefit corporation wholly owned by a non-profit foundation. If you don't think this approach furthers the mission please let us know.
SSLed checksums for the binaries... oh, wait, Mozilla doesn't bother publishing those, for some reason.
Really? So what are these, then? https://archive.mozilla.org/pub/mozilla.org/firefox/releases/3.6/SHA1SUMS
We don't advertise it because anyone competent to check SHA1 hashes should be able to check PGP signatures, and the mirror network scales unlike hosting everything ourselves. Obviously the SSL server is not mirrored because giving out the cert would make it pointless.
Much better to use the Add-on Compatibility Reporter https://addons.mozilla.org/en-US/firefox/addon/15003
It will enable all your officially incompatible addons just like the pref, and you can help by reporting your add-ons as working fine or not compatible (reporting is completely optional).
The issue at hand is the CEO of a for-profit organization backed by a non-profit organization, and hence pays no taxes whatsoever on the $66 million some of which goes into obscene CEO profits.
The Mozilla Corporation pays taxes on everything it earns just like every other taxable corporation. It is not allowed to share money back with the Foundation or risk costing the Foundation its non-profit status.
It _does_ work unless you hit some bug (and there have been some that affect some people). If you were an early adopter in particular there were some database corruption issues. If that's the case deleting the places database is often the best fix (especially if there's nothing in there you care about -- you're clearing private data, right?). Instructions at http://support.mozilla.com/ for this and other common problems.
The other issue is that the URL bar shows both history and bookmarks. Obviously people don't want to clear their bookmarks, so some data still shows up even after clearing history. This issue has been addressed in Firefox 3.5 with an option to not show bookmarks in the URL bar (on the Privacy tab in Options).
Firefox 3.5 is _not_ vulnerable to this attack.
The reason something like this scares me is that it lulls users into a higher level of trust... and doesn't protect them from hacked sites, or sites that choose not to implement this.
This mechanism isn't intended for users -- this is a tool for site authors, to cooperate with them in enforcing their policies. The site still has to make a best effort at implementing those policies themselves to protect all their visitors using browsers that don't support CSP (which includes every officially released version of Firefox to date). This is an extra layer of protection for users of CSP-compliant browsers, and a benefit to the site through the reporting function.
Please do continue running NoScript if you like. CSP is a mechanism for site authors to declare their policy, add-ons like NoScript and AdBlock are tools for users to declare their policies.
Even if this was never implemented in any other browser, sites still benefit through early detection of active attacks. If your site implements a security policy with a report URI then every Firefox visitor will be conducting a passive security scan on every page they visit, at least for the types of security problems CSP targets (primarily XSS).
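The reporting benefit described in the comment above, sketched as an added example that is not part of the original comment or any Mozilla code: a server-side triage of violation reports received at a report URI. It assumes the JSON `csp-report` body as later standardized by the W3C, which may differ from what the Firefox builds discussed here sent; the function names, URLs and sample reports are constructed.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

def parse_report(body):
    """Return the inner report dict, or None if the body is not a CSP report."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict) or "document-uri" not in report:
        return None
    return report

def blocked_source(report):
    """Reduce blocked-uri to an origin; an empty value is treated as inline."""
    blocked = str(report.get("blocked-uri", "")) or "inline"
    parts = urlsplit(blocked)
    return f"{parts.scheme}://{parts.netloc}" if parts.netloc else blocked

def triage(bodies):
    """Count script-related violations per (page, blocked source).

    Reports are client-supplied and can be forged, so the counts are a
    signal for investigation, not proof of an injection.
    """
    hits, rejected = Counter(), 0
    for body in bodies:
        report = parse_report(body)
        if report is None:
            rejected += 1
            continue
        # violated-directive may carry the full directive text; keep its name.
        name = str(report.get("violated-directive", "")).split(" ")[0]
        if name.startswith("script-src") or name == "default-src":
            hits[(report["document-uri"], blocked_source(report))] += 1
    return hits, rejected

def _r(page, directive, blocked):  # builds one constructed sample report
    return json.dumps({"csp-report": {"document-uri": page,
                                      "violated-directive": directive,
                                      "blocked-uri": blocked}})

SAMPLE = [  # constructed input, not real traffic
    _r("https://shop.example/cart", "script-src 'self'", ""),
    _r("https://shop.example/cart", "script-src 'self'", "inline"),
    _r("https://shop.example/search", "script-src-elem", "https://cdn.invalid/x.js"),
    _r("https://shop.example/", "img-src 'self'", "https://img.invalid/a.png"),
    "not json", '{"foo": 1}',
]
```

A page that suddenly accumulates script violations from many distinct visitors is the early-detection signal the comment refers to.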
If you really don't want any upgrades just go into the options and toggle the "Check for updates" box. The default auto-upgrade is appropriate for 99% of internet users, but if you're one of the 1% please use the preference we put in just for you. No need to get all hostile about it.