August 4, 2006

The state of Firefox

Author: Joe 'Zonker' Brockmeier

At the O'Reilly Open Source Convention in Portland, Ore., last week, I had the opportunity to sit down for a few minutes with Mozilla Corp.'s Mike Schroepfer to talk about Firefox development, security, updates to JavaScript, and cooperation with Linux vendors and other downstream providers of Firefox.

By adding an automatic update feature to Firefox, its developers have made huge progress towards ensuring that security updates are pushed out quickly to all users of the browser. However, the automatic update feature is useful only for users who get the browser directly from Mozilla; users who get Firefox packaged with their Linux distribution have to rely on their vendor to push out a release, and these often trail the official Mozilla release by up to a week.

It's likely that there will always be some lag time between the official Firefox release and the update from Linux distributors, but Schroepfer says that the developers are doing what they can to narrow the gap.

In particular, Schroepfer says that they're now publishing source tarballs "in lockstep" with release candidates to provide wider access for testing, and to make it easier for vendors to apply the changes. In the past, the source tarballs would trail the release candidates, tying the hands of package maintainers for projects like Debian, Ubuntu, and Fedora.

That covers the most recent Firefox releases, but what about legacy Firefox releases, such as the now-defunct 1.0.x series that ended with the 1.0.8 release? While Firefox has officially put an end to support for the 1.0.x series, that series is still part of a number of Linux distributions that will be supported for years to come. As the codebases diverge, it will become more and more difficult for vendors to backport security fixes to the 1.0.x series.

Schroepfer says that the Mozilla project is "inclined to help in any way we can," but that the project doesn't have the resources "to support multiple branches and compete and innovate the way that people expect us to."

While Novell, Red Hat, and others may be looking at the enterprise desktop, Schroepfer says that "we're more of a consumer-focused organization," and that the "vast majority" of Firefox users have upgraded to the 1.5.x branch.

"We're a small organization, fighting the good fight, and there's only so many things we can do at once. We don't have enterprise contracts, we don't get paid for support, so we don't have the resources to do enterprise support."

However, he did say that Mozilla is trying to avoid unnecessary incompatibilities between branches, so that new releases don't break compatibility with sites or extensions for Firefox unless it's absolutely necessary. He also says that the 2.0 branch was developed on an API freeze from 1.5, so there should be very little breakage between releases.

Schroepfer also predicts that security will continue to be a problem "for anything written in native code," such as C and C++. For example, he notes that security problems caused by memory issues have evolved over the years; from stack-based exploits, to heap-based, to null pointer exploits.

Mike Schroepfer talks about Firefox 2 - click on picture to view video

A couple of things can help minimize these problems. First, Schroepfer notes that the Mozilla project has "hundreds and thousands of people around the world" viewing the code and looking for potential problems. In addition, analysis tools like those produced by Coverity have been used to analyze Firefox code for possible vulnerabilities and coding errors.

The other approach is to move as much Firefox code as possible out of "native" code to JavaScript. Writing much of Firefox in JavaScript will "basically eliminate an entire class of coding errors," says Schroepfer.

Will Firefox take a performance hit if most of its code is written in JavaScript? Much of the user interface is already written in JavaScript, says Schroepfer, and "98 percent of the code doesn't run in performance-intensive" areas anyway.

Moving toward JavaScript 2.0

Remember when JavaScript was essentially a toy language, just good for adding a little glitz to your Web pages, but not for much else? Those days are long over, and Schroepfer says that the language is going to be even more robust in the future.

Firefox 2.0 will include JavaScript 1.7, which Schroepfer says is the first major update to JavaScript in about six years.

JavaScript 2.0 is also under development, and Schroepfer says that it's "going through the standards bodies now." Specifically, JavaScript 2.0 is being worked on by Ecma International under the name ECMAScript. (It's little wonder that the Mozilla project prefers the original name, as ECMAScript sounds rather like an acne medication.)

When it's finished, Schroepfer says JavaScript 2.0 will be a major upgrade, and will include class-based inheritance, static type checking, and loop iterator syntax. He also says that the redesign will make it "easier to catch errors at compile time, rather than run time." JavaScript 1.7, says Schroepfer, will be a "slimmed-down" version of JavaScript 2.0, with "some of the syntactic sugar that makes it easier to write JavaScript applications."

The upside to the long period between major upgrades to JavaScript/ECMAScript is that the language has stabilized somewhat. It's not hard to remember the days when sites using JavaScript would function properly only in Internet Explorer or Mozilla/Netscape, depending on which browser the developer cared to support. The Firefox developers are on board, but what about the other browsers?

Schroepfer says that the specification has had "wide participation," and that he "fully expects" most of the browser vendors to implement the standard once it's finished. Microsoft, he says, has been having a go at being a good supporter of industry standards of late, and he's "highly encouraged" that they would adopt the standard. But, he admits, he's had no specific assurances from Microsoft.

Firefox timelines

The release timeline isn't written in stone just yet, but Schroepfer says that Firefox 2.0 will "definitely ship by the end of this year," with beta 2 out sometime in August.

At the same time, development is continuing on the 3.0 release as well, which should be out sometime in 2007. The feature set for 3.0 is still somewhat nebulous, but Schroepfer says that there will be some architectural changes in 3.0 to upgrade the graphics subsystem, and it's likely that 3.0 will include a revamped bookmark system that didn't make the cut for the 2.0 series.

Click Here!