[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Ongoing Firefox (and Thunderbird) Trademark problems

Simon Huggins wrote:
Do you have a few ideas off the top of your head now of definite things
that cannot be touched?

Everything's subject to negotiation and discussion - see, for example, my change in position on the SPI cert after consultation within the project. But here's an attempt to answer your question.

We want Firefox to be a mark of quality; we still want Firefox to be Firefox, if you see what I mean. Some of Firefox's key distinguishing features are a clean, simple UI, an extensibility mechanism, and good security. So the following would be among the "hot buttons":

- Installing significant numbers of extensions by default, particularly if they had intrusive UI or were considered by the community to be of poor quality; - Loosening the security rules significantly (for example, disabling security.checkloaduri to allow http:// content to access file:// URLs for convenience). - Breaking the extensions mechanism such that significant numbers of XPIs off the web stopped working;
- Making a change which led to a marked increase in application crashes.

[Obviously, if you accidentally did either of these last two things and then went "oops" and issued a fixed package, then that's just a mistake. They happen. No problem, assuming that it doesn't happen every time :-)]

I'm still under the impression, waiting to be corrected, that Debian's
policy for including new root certs is "we include the root cert of
anyone who asks"... If we say that it's not acceptable for such a
store to be used as the basis of Firefox's SSL, is that silly?

Perhaps anyone the Firefox maintainer/Debian respects and trusts.

But just because the Firefox maintainer respects and trusts them doesn't mean they take ridiculously careful care of their private key. The Firefox maintainer has no way of verifying that one way or the other.

Why can't we leave this to the maintainer or even local admins though?

These are two very different cases, though. If a local admin installs a new root cert, that's cool - they are taking responsibility for the security of those users, and they have extreme BOFH power over them anyway. However, having the root appear by default, so that no-one at the remote site really knows it's there (who consults the root list) and it's now on Y thousand or million desktops - that is a different kettle of fish.

A quick reminder of what's at risk here: if the private key of a root cert trusted by Firefox became compromised, _any_ SSL transaction that any user trusting that cert performed could be silently MITMed and eavesdropped on.

Nagios is a trademark.  We don't have any issues with Nagios because
it's a trademark in the spirit of Free Software where the owner is
trying to protect the name from being used by others for his software
and avoid legal problems/issues having been burnt before using NetSaint.

So the difference between this and the MoFo's policy is the quality requirement?

Why does the Mozilla Foundation feel the need to enforce quality through
this blunt tool of stopping us using the trademark?

Because we can't do it using a copyright licence? ;-P

Why can't you just
produce the best browser?  Surely if you produce the best code we'll use

Indeed - almost certainly, _you_ will. Hence we are doing what we see as the absolulte minimum required by trademark law in your case. However, other people are not so nice. I keep using it as it's a convenient example, but: if there were no trademark, a spyware vendor could trojan a Firefox, put it up for download, then buy AdWords "Official Firefox Download Site!". Even if we make the best browser, _they_ will not use the best code.


Reply to: