Communication BreakdownCommunication Breakdown

Mozilla developer Ben Goodger may wish he had devoted his blog entry last Thursday to the weather, instead of tearing into Netscape's new browser. Goodger probably didn't expect his comments, which might have gone unnoticed a couple of years ago, to get so much media attention.

In fact, there's not much to Goodger's blog entry, which he published on May 19, the same day America Online's Netscape division shipped its Netscape 8 production release. In a single-sentence paragraph, Goodger points Netscape 8 users to an example of the security bug plaguing their browser--the same bug Mozilla found and fixed in Firefox the week before. (Netscape issued its own patch the next day, May 20.)

In the second (and last) 'graf, Goodger cites the episode as proof that browsers based on Mozilla code will always lag behind Firefox when it comes to security. That sounds like a reasonable statement, and in many cases it will probably be true. Yet I find Goodger's remarks less interesting than the questions they raise over how Mozilla and Netscape deal with shared security concerns.

For those of you who haven't followed the birth of Netscape's comeback kid (covered in Mitch Wagner's recent review), Netscape 8 uses the page-rendering engines from both Internet Explorer and Firefox. It can choose, on the fly, which engine to use for displaying Web pages, and users can also specify when to switch between the two.

Goodger's comments refer to the fact that Netscape incorporates some of Mozilla's open-source Firefox code in its new browser. When a security flaw surfaces in Gecko, the page-rendering engine Netscape shares with Firefox, developers can't simply slap a new name on the official Mozilla patch and tell users to come and get it. They have to optimize the patch for Netscape 8, and that invariably takes time.

Time is something developers don't have when a software security flaw goes public. If Netscape is always a day late and a dollar short when Mozilla issues Gecko security patches, that is, indeed, a serious problem.

Goodger's comments are most interesting, however, because of the questions they raise. First off, he assumes that Netscape's QA team won't catch its own share of Gecko bugs -- bugs that could, in turn, affect Firefox.

I wouldn't bet my own money (feel free to send me some of yours) against this happening: Netscape is part of America Online and, one assumes, capable of fielding a full-time QA team to test its products. It's still unlikely Netscape will ever be the first to find a major Gecko security bug, given the number of developers and security experts eyeballing Mozilla code. Yet Goodger might not want to tempt fate, lest he and his colleagues someday find themselves walking a few hot miles in their Netscape counterparts' shoes.

This leads to a related issue: communication, or lack thereof, between Mozilla and Netscape.

Common sense, concern for users, and basic karma all dictate that when one group finds a security bug that could affect both browsers, they'll alert the other group as quickly as possible. There's nothing in the timing of Netscape's own patch, which it delayed because a security consultant initially believed the Gecko bug wouldn't affect Netscape 8, to suggest this didn't happen, nor is there any business rationale for Mozilla to sit on the information.

If the two groups are communicating somewhere besides their developers' blog entries, they're doing the right thing: putting the welfare of users ahead of any personal rivalries or corporate politics. That's important, since Goodger's comments suggest that the two groups won't be planning a bowling league or weenie roast anytime soon.

This is a vital point, however, and I think both organizations should take every opportunity to deliver a clear, simple message: When one of them knows about a security threat involving Gecko, so will the other. The same message applies to Netscape and Microsoft, if a threat involves shared Internet Explorer code.

There's a final, related issue that leaves a lot more room for debate: whether Mozilla should actually wait to announce a new bug, and a new patch, until Netscape prepares its own patch. Given the same starting point for both organizations, I'm inclined to say that it's not Mozilla's problem (or Microsoft's in a similar situation) if Netscape can't keep up the pace. Mozilla would, after all, put its own users at risk by delaying any security-related patch release, and a commercial product based on open-source code simply doesn't deserve special consideration.

Once again, however, this works both ways -- if Netscape is ever the first to spot a bug in Gecko.

These are delicate and complicated issues; only time will tell how they play out in real-world situations. It will be fascinating to watch the results, as we see more companies adapting open-source code for use in their own products.

Matt McKenzie is editor of Linux Pipeline. A permanent link to this column is available here.