A while back, somebody noticed that password managers in browsers generally check only the URL of the page that has a login form before filling in stored passwords - they don't check where the form actually sends data. This is because historically, you could be reasonably sure that if some HTML was present on a page, the page's author put it there. Nowadays, you have lots of poorly thought-out sites that allow user contributions of HTML. It turns out that many sites allow you to have login inputs (HTML "password" inputs) and forms created by users.
Because of this, users can add login forms to pages that actually send the submitted data to another location. The person who noticed this filed a bug in the mozilla.org bugzilla. That bug now has hundreds of comments, about a third of which are from the original submitter. Just to put this in perspective, a normal bug has a comment count in the low double-digits. The bug submitter responded to nearly every comment made by other people, giving his opinion.
This brings to mind the quote, "opinions are like a__holes - everybody's got one". As it turns out, the bug reporter was a particularly self-important individual, and shared his opinion frequently even though he knows nothing about the way Firefox actually works. The desire to be part of the bugfixing process is understandable. It feels good to contribute to something that will positively affect millions of people. However, in general, the developers and security team are pretty smart and can come up with the right solution themselves. They also have a much better "big picture" idea than newcomers.
I'm not suggesting that people should never provide their thoughts on issues they discover, but at times, the right thing to do is be quiet so the developers can get work done rather than read incredibly long comments.
The bug was eventually fixed in one of the fairly obvious and adequate ways: by checking that a login form is going to send data to the right place before automatically filling saved passwords.
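The check described above, sketched as an added example (this is not Firefox's code and not from the original post). The function names and the fields of `savedLogin` are hypothetical, and it assumes the password manager recorded the origin a form submitted to when the login was saved.

```javascript
// Added example: decide whether saved credentials may be autofilled into a form.
// submitOrigin, mayAutofill and the savedLogin fields are hypothetical names.

// Resolve the form's action against the page URL and return the origin the
// data would be sent to, or null when the target is not an http(s) URL.
function submitOrigin(pageUrl, actionAttr) {
  // A missing or empty action submits back to the page's own URL.
  const raw = (actionAttr || "").trim();
  let target;
  try {
    target = raw === "" ? new URL(pageUrl) : new URL(raw, pageUrl);
  } catch (e) {
    return null; // unparseable action: refuse rather than guess
  }
  if (target.protocol !== "https:" && target.protocol !== "http:") {
    return null; // javascript:, data:, mailto: have no checkable destination
  }
  return target.origin; // scheme + host + port, default port normalised away
}

function mayAutofill(savedLogin, pageUrl, actionAttr) {
  let pageOrigin;
  try {
    pageOrigin = new URL(pageUrl).origin;
  } catch (e) {
    return false;
  }
  // Check 1 (the original behaviour): the page must match the saved site.
  if (pageOrigin !== savedLogin.pageOrigin) return false;
  // Check 2 (the fix): the destination must match what was recorded at save time.
  const dest = submitOrigin(pageUrl, actionAttr);
  return dest !== null && dest === savedLogin.submitOrigin;
}

// Constructed sample data: a saved login and a user-editable profile page.
const saved = {
  pageOrigin: "https://forum.example.com",
  submitOrigin: "https://forum.example.com",
};
const page = "https://forum.example.com/profile/1234";
for (const action of ["/login", "", "https://collector.example.net/",
                      "//collector.example.net/login", "javascript:void(0)"]) {
  console.log(JSON.stringify(action), "->", mayAutofill(saved, page, action));
}
```

Relative and empty actions resolve to the page's own origin and pass; an absolute or protocol-relative action pointing elsewhere, a scheme downgrade, or a non-HTTP action fails the second check even though the page URL matches.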
Now, the bug reporter had presented numerous opinions, and the developers implemented a reasonable solution rather than everything he'd suggested.
The result was this awful article. Please don't let it deceive you into feeling unsafe using Firefox 2.0.0.2. It's full of made-up statistics, such as arbitrarily-assigned weightings of various issues, irrelevant information (for example, privately-known but unfixed bugs are not disclosed publicly by Mozilla...for obvious reasons), and errors (some issues marked "open" have been resolved). Keep in mind that the person writing it seems to believe his thoughts are more valuable than they are in reality (where "valuable" is defined as "not obvious to developers").
The Firefox developers are smart people and generally do the right thing. I just wanted to post my thoughts before the Opera / anti-firefox fanboys start trolling.
edit: Gavin Sharp wrote a good explanation of what happened here.