Comments on: UMO Bits N Bytes http://snarkfest.net/blog/2005/01/25/umo-bits-n-bytes/ Fun and games with the politics of open source Tue, 28 Sep 2010 20:03:53 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: investing option http://snarkfest.net/blog/2005/01/25/umo-bits-n-bytes/comment-page-1/#comment-292 investing option Wed, 24 Jan 2007 15:17:52 +0000 http://www.steelgryphon.com/blog/?p=28#comment-292 <strong>investing option...</strong> ... investing option…

]]> By: michaell http://snarkfest.net/blog/2005/01/25/umo-bits-n-bytes/comment-page-1/#comment-291 michaell Wed, 26 Jan 2005 20:40:26 +0000 http://www.steelgryphon.com/blog/?p=28#comment-291 "Hindsight being 20/20, that was a mistake" On what grounds was it a mistake only in hindsight? AIUI (not that I was involved), everyone knew it wasn't ready at the time, but it was decided to launch anyway. What is it that's been seen with hindsight that wasn't seen at the time? Or is it just different people's views of the same thing? The site itself says that it's "undergoing a design update and rewrite based on user input", which doesn't sound like the whole story to say the least... “Hindsight being 20/20, that was a mistake”

On what grounds was it a mistake only in hindsight? AIUI (not that I was involved), everyone knew it wasn’t ready at the time, but it was decided to launch anyway.

What is it that’s been seen with hindsight that wasn’t seen at the time? Or is it just different people’s views of the same thing?

The site itself says that it’s “undergoing a design update and rewrite based on user input”, which doesn’t sound like the whole story to say the least…

]]> By: Mike http://snarkfest.net/blog/2005/01/25/umo-bits-n-bytes/comment-page-1/#comment-290 Mike Wed, 26 Jan 2005 17:51:17 +0000 http://www.steelgryphon.com/blog/?p=28#comment-290 >The checkins to branch argue that you’re not simply > addressing security (Feature additions ("site offline") > have been added to a supposedly stable branch. ), as > does having a peer doing code reviews that is known > to be very inexperienced with PHP (in fact, the past has > shown mostly copy/paste PHP experience at best.). Actually, we've frozen all CVS commits while we sort things out, and the review process will not remain as-is. >“When its ready” is simply not justifiable with a site that’s > already in production, you already have users depending on > you, because the client does. If mozilla.org dropped the ball by > not monitoring UMO more closely prior to now, and therefore > has absolutely no clue how it works, then that needs to be > stated. By leaving the status-quo, you’re also saying that > Update 0.9 shouldn’t have been enabled either, which means > why should anybody trust Mozilla Update if it’s been untrustable > without anybody at mozilla.org noticing for 6+ months? Our reputation for security is not simply "no holes here" its how aggressive and focused we are when a hole is found. The lack of oversight was unfortunate, but isn't justification for continuing to expose ourselves to potential problems. That's like saying "Wow, my wheels are pretty loose, but since I've been driving on this for months, I'm just going to take the chance." Its not ready. It wasn't ready when it went live. Hindsight being 20/20, that was a mistake. We can't change the past, we can only change the present. >The checkins to branch argue that you’re not simply
> addressing security (Feature additions (“site offline”)
> have been added to a supposedly stable branch. ), as
> does having a peer doing code reviews that is known
> to be very inexperienced with PHP (in fact, the past has
> shown mostly copy/paste PHP experience at best.).

Actually, we’ve frozen all CVS commits while we sort things out, and the review process will not remain as-is.

>“When its ready” is simply not justifiable with a site that’s
> already in production, you already have users depending on
> you, because the client does. If mozilla.org dropped the ball by
> not monitoring UMO more closely prior to now, and therefore
> has absolutely no clue how it works, then that needs to be
> stated. By leaving the status-quo, you’re also saying that
> Update 0.9 shouldn’t have been enabled either, which means
> why should anybody trust Mozilla Update if it’s been untrustable
> without anybody at mozilla.org noticing for 6+ months?

Our reputation for security is not simply “no holes here” its how aggressive and focused we are when a hole is found. The lack of oversight was unfortunate, but isn’t justification for continuing to expose ourselves to potential problems. That’s like saying “Wow, my wheels are pretty loose, but since I’ve been driving on this for months, I’m just going to take the chance.”

Its not ready. It wasn’t ready when it went live. Hindsight being 20/20, that was a mistake. We can’t change the past, we can only change the present.

]]> By: Wolf http://snarkfest.net/blog/2005/01/25/umo-bits-n-bytes/comment-page-1/#comment-289 Wolf Wed, 26 Jan 2005 12:32:31 +0000 http://www.steelgryphon.com/blog/?p=28#comment-289 The checkins to branch argue that you're not simply addressing security (Feature additions ("site offline") have been added to a supposedly stable branch. ), as does having a peer doing code reviews that is known to be very inexperienced with PHP (in fact, the past has shown mostly copy/paste PHP experience at best.). "When its ready" is simply not justifiable with a site that's already in production, you already have users depending on you, because the client does. If mozilla.org dropped the ball by not monitoring UMO more closely prior to now, and therefore has absolutely no clue how it works, then that needs to be stated. By leaving the status-quo, you're also saying that Update 0.9 shouldn't have been enabled either, which means why should anybody trust Mozilla Update if it's been untrustable without anybody at mozilla.org noticing for 6+ months? The checkins to branch argue that you’re not simply addressing security (Feature additions (“site offline”) have been added to a supposedly stable branch. ), as does having a peer doing code reviews that is known to be very inexperienced with PHP (in fact, the past has shown mostly copy/paste PHP experience at best.).

“When its ready” is simply not justifiable with a site that’s already in production, you already have users depending on you, because the client does. If mozilla.org dropped the ball by not monitoring UMO more closely prior to now, and therefore has absolutely no clue how it works, then that needs to be stated. By leaving the status-quo, you’re also saying that Update 0.9 shouldn’t have been enabled either, which means why should anybody trust Mozilla Update if it’s been untrustable without anybody at mozilla.org noticing for 6+ months?

]]> By: Bram! http://snarkfest.net/blog/2005/01/25/umo-bits-n-bytes/comment-page-1/#comment-288 Bram! Tue, 25 Jan 2005 19:11:12 +0000 http://www.steelgryphon.com/blog/?p=28#comment-288 Why does open sourcing work for client-side software and not for web-apps? UMO could be in beta (or alpha) too, just: - make sure every visitors has to click a font-size:24pt "Yes, I accept the risks!" link before browsing UMO - add a CVS module - add a bugzilla component - add a UMO category in which anyone can try to hack their entries. Why does open sourcing work for client-side software and not for web-apps? UMO could be in beta (or alpha) too, just:
- make sure every visitors has to click a font-size:24pt “Yes, I accept the risks!” link before browsing UMO
- add a CVS module
- add a bugzilla component
- add a UMO category in which anyone can try to hack their entries.

]]> By: michaell http://snarkfest.net/blog/2005/01/25/umo-bits-n-bytes/comment-page-1/#comment-287 michaell Tue, 25 Jan 2005 19:10:54 +0000 http://www.steelgryphon.com/blog/?p=28#comment-287 Sorry - read things in the wrong order. I should've read <a href="http://www.psychoticwolf.net/archives/2005/01/what_happened_t.php" rel="nofollow"> the post you were referring to</a> first. I can kind of see his point - it's obviously not true that you can't compromise on security, as the site was up and running with known security flaws for a couple of months. I also don't see much logic in shutting down to avoid potential future flaws. Applied to Firefox itself, would that not mean cancelling 1.1 if any flaws are found in Firefox 1.0? There may be good reasons for this, but I'm not really getting a sense of what they are. Surely a bigger risk in any case is the extensions themselves - they're not (AIUI) audited, which is surely a bigger risk that someone slipping some dodgy HTML into a comment. Sorry – read things in the wrong order. I should’ve read the post you were referring to first.

I can kind of see his point – it’s obviously not true that you can’t compromise on security, as the site was up and running with known security flaws for a couple of months.

I also don’t see much logic in shutting down to avoid potential future flaws. Applied to Firefox itself, would that not mean cancelling 1.1 if any flaws are found in Firefox 1.0?

There may be good reasons for this, but I’m not really getting a sense of what they are.

Surely a bigger risk in any case is the extensions themselves – they’re not (AIUI) audited, which is surely a bigger risk that someone slipping some dodgy HTML into a comment.

]]> By: michaell http://snarkfest.net/blog/2005/01/25/umo-bits-n-bytes/comment-page-1/#comment-286 michaell Tue, 25 Jan 2005 18:42:44 +0000 http://www.steelgryphon.com/blog/?p=28#comment-286 The "when it's ready" answer for Firefox was replaced last October (IIRC) by a release date which was met. UMO may still not be ready now, but it was launched 3 months ago, and it's been letting the side down since. I hope the Foundation are devoting some resources to getting things going... there are <a href="http://www.blakeross.com/archives/000282.html" rel="nofollow">no free rides</a> :) The “when it’s ready” answer for Firefox was replaced last October (IIRC) by a release date which was met. UMO may still not be ready now, but it was launched 3 months ago, and it’s been letting the side down since.

I hope the Foundation are devoting some resources to getting things going… there are no free rides :)

]]>