Re: Ongoing Firefox (and Thunderbird) Trademark problems
Simon Huggins wrote:
> Do you have a few ideas off the top of your head now of definite things
> that cannot be touched?

Everything's subject to negotiation and discussion - see, for example,
my change in position on the SPI cert after consultation within the
project. But here's an attempt to answer your question.
We want Firefox to be a mark of quality; we still want Firefox to be
Firefox, if you see what I mean. Some of Firefox's key distinguishing
features are a clean, simple UI, an extensibility mechanism, and good
security. So the following would be among the "hot buttons":
- Installing significant numbers of extensions by default, particularly
if they had intrusive UI or were considered by the community to be of
- Loosening the security rules significantly (for example, disabling
security.checkloaduri to allow http:// content to access file:// URLs
- Breaking the extensions mechanism such that significant numbers of
XPIs off the web stopped working;
- Making a change which led to a marked increase in application crashes.
[Obviously, if you accidentally did either of these last two things and
then went "oops" and issued a fixed package, then that's just a mistake.
They happen. No problem, assuming that it doesn't happen every time :-)]

> > I'm still under the impression, waiting to be corrected, that Debian's
> > policy for including new root certs is "we include the root cert of
> > anyone who asks"... If we say that it's not acceptable for such a
> > store to be used as the basis of Firefox's SSL, is that silly?
>
> Perhaps anyone the Firefox maintainer/Debian respects and trusts.

But just because the Firefox maintainer respects and trusts them doesn't
mean they take ridiculously careful care of their private key. The
Firefox maintainer has no way of verifying that one way or the other.

> Why can't we leave this to the maintainer or even local admins though?

These are two very different cases, though. If a local admin installs a
new root cert, that's cool - they are taking responsibility for the
security of those users, and they have extreme BOFH power over them
anyway. However, having the root appear by default, so that no-one at
the remote site really knows it's there (who consults the root list) and
it's now on Y thousand or million desktops - that is a different kettle
A quick reminder of what's at risk here: if the private key of a root
cert trusted by Firefox became compromised, _any_ SSL transaction that
any user trusting that cert performed could be silently MITMed and

> Nagios is a trademark. We don't have any issues with Nagios because
> it's a trademark in the spirit of Free Software where the owner is
> trying to protect the name from being used by others for his software
> and avoid legal problems/issues having been burnt before using NetSaint.
> So the difference between this and the MoFo's policy is the quality
> Why does the Mozilla Foundation feel the need to enforce quality through
> this blunt tool of stopping us using the trademark?

Because we can't do it using a copyright licence? ;-P

> Why can't you just
> produce the best browser? Surely if you produce the best code we'll use

Indeed - almost certainly, _you_ will. Hence we are doing what we see as
the absolute minimum required by trademark law in your case. However,
other people are not so nice. I keep using it as it's a convenient
example, but: if there were no trademark, a spyware vendor could trojan
a Firefox, put it up for download, then buy AdWords "Official Firefox
Download Site!". Even if we make the best browser, _they_ will not use
the best code.