I know this ship has basically sailed and the conversation has moved on, but wanted to add my $0.02 to the mix. First off, I'm basically a dilbertonian Pointy-Haired-Boss. I'm also not going to get into the issue that you used your insider knowledge to custom taylor a statement of work to present to me. I have engineers who write stuff in their own time, like you have done. Most of the time it pisses me off. Not because they took the initiative, not because they wrote it in Ruby when we're a java shop, but because it didn't align with my priorities. I'd be angry at myself, because that means I wasn't clear what the priorities are. I'd be angry at the individual because they weren't listening and/or didn't come and ask for clarification if they didn't understand. So my questions to you would be: When your boss gets his ass chewed, is it because his team isn't efficient and streamlined? Has he ever mentioned your team spends too much time on process and workflow and not enough time "their respective punch lists" as you state? Does your tool leverage languages and software packages that you already have in house (care and feeding after your gone)?

For me, unless you're solving a problem that I have stated as a problem or in some way eluded to I'd say, no thanks, you're fired. Of all the holes in the leaking IT Bucket, is the one you plugged the same one your boss would plug?

Why bother mucking with the real source tree? Just make a clone on your mozilla.org-impostor site with an update that has all the appropriate back doors in it.

Just deliver a DNS spoof/change (like dns cache poison, etc) via another exploit, get the browser to self-update (and clean up your previous exploit tracks) and then sit back and wait to spring your trap. The only code change you need to insert at first is to get future updates from the impostor site.

Later on you can 'update' the browser to proxy all $MONEY web traffic through you and your proxy farm. You could even add a new trusted CA to your code base to make it all the more convincing and to cover tracks from the 'imposter-mozilla.org' cert in case it's discovered and revoked.

Funny thing about the 'act' that was passed is it has a clause about congressional review. So at some point, congress could have said "This is stupid" and undone the DST change. Everyone was waiting for the fall session to start, I suspect, to ensure the DST change was going to stick.

Further, if your running Solaris it's not just a TZ patch. There's libc changes:

http://src.opensolaris.org/source/diff/onnv/onnv-g ate/usr/src/lib/libc/port/gen/localtime.c?r1=1138& r2=0

There's also glibc issues in RHEL 2.1 but they're not quite the same as Solaris.
http://kbase.redhat.com/faq/FAQ_41_9949

Cheers,
Rich