Archive for January, 2005

What’s happening to UMO

The Mozilla Update service (a.k.a. UMO) has been frozen for close to a month now for various reasons. We would like to take this opportunity to bring folks up to speed on where it is going and when it will get there.

Just a few weeks ago, the lead developer stepped down and so the Mozilla Foundation has taken the chance to re-evaluate the project and look at how to best move it forward. Looking over the existing v1.0 codebase, the remaining developers felt there were security concerns and scalability issues with the site that needed to be addressed. At this time, the site and CVS for updates to the UMO codebase are frozen.

However, the community awaits and we really want to get the site back on-line so we can continue the momentum that the release of Firefox 1.0 has created. To that end, we are moving quickly to do the following:

The biggest concern right now is that we don’t know what we’re dealing with. Once we know what we have and have completed the security audit, we will turn the site back on in its existing state (with several bugs fixed). In the meantime, please bear with us as we hand audit each pending request and get the site back rolling (as slow as that may be).

We’re working hard to get UMO going again and we want to be sure to include everyone in our discussions.

28th January 2005

What’s happening to Mozilla Update

The Mozilla Update service (a.k.a. UMO) has been frozen for close to a month now for various reasons. I’d like to take this opportunity to bring folks up to speed on where it is going and some of our timelines.

As a background, I got involved in UMO because the Mozilla Foundation (MoFo) co-locates some of their equipment here at the OSL. More specifically the UMO service landed here because we offered the MoFo space and we had the expertise to help manage a service like this. At the outset, the application was managed by MoFo sysadmins but as it grew and subsequently was 1.0’d it melted under the weight of its own success. The OSL jumped in with hardware and application tweaking expertise to resurrect the application to its current state. This service is alive today because of the heroic actions of some of the Gentoo community and the tireless work of the OSL and MoFo sysadmins. But I digress.

I was asked by the MoFo to take on the UMO project and I agreed simply because I did not want it to be a poor reflection of the OSL. In addition, in looking over bits of the existing code, it was clear to me that this application was neither well thought out nor ready for prime time. I’m not placing any blame on anyone; I honestly think Wolf did an amazing job in the time that he had.

Here is what keeps me up at night: some malicious extension developer discovers a flaw in the UMO site that allows him to trigger an update to all-things-Firefox-or-Thunderbird. This malicious dev points people at a set of mirrors that house his trojaned copy of Firefox that does all sorts of nasty things. The pundits of course would point to this as the increasing clarity about the failures of open source, etc so on and so forth. However, we could drill down for any service this far if we wanted to. When is secure, secure enough?

What we’re not going to do is open the site right back up. IMHO this would be a disservice to the Mozilla/Firefox community and would betray their trust in our ability to deliver them anything less than exceptional service and follow-through. That community that raised $250,000 to spread the word deserves more than “here-it-is-if-it-sucks-so-be-it”.

Firefox itself was the product of close to 3 years of development. Why would we expect something so critical as UMO to be created literally overnight? We can’t. However, the community awaits and we refuse to leave them hanging.

Our plans for UMO moving forward will be transparent and open to public scrutiny. We invite the community to review our plans and give input as necessary. I ask only this; if you have a comment or concern with our ideas for getting UMO out to the masses, don’t just post a comment and walk away. Participate. Engage. Post a bug. Submit a patch.

By next week we should have a full plan for v1.0 and v2.0 of UMO. Before we can turn the existing code back on we’re going to undergo a security audit. v2.0 will most likely be a complete rewrite which will allow us to consider coding standards, architecture and tools that can speed/scale development.

When will UMO be back? All I can say is we’re working hard every day and it will be done when it’s done.

26th January 2005

About Scott Kveton

I am currently the Associate Director for the Oregon State University Open Source Lab. A graduate of Oregon State University and long-time user of Open Source and Linux, I have advocated the use of such tools on campus as well as in the community. I often participate in panels and give talks at conferences regarding open source in addition to doing business and technical consulting around the subject.

Scott Kveton

My Professional Life Story in Three Paragraphs

A native of the Mid-West I moved out to Oregon in 1980 with my family and never looked back. Graduated from Beaverton High School in 1992, Oregon State University in 1997 and somehow just can’t shake the University life. I worked for a couple of dot com’s (amazon.com, rulespace.com, pdaverticals.com) and am now happily back at Oregon State University. (Note: I’d like to point out that all of those companies are still in business; and yes, it totally had to do with me … I’m kidding you know)

My work with open source began while I was at PDA Verticals where I was introduced to many different open source tools via Debian GNU/Linux. I wrote a few tools and open sourced them and then started actively engaging the open source community. This led to the creation of the Open Source Lab after talking with Jason McKerr during one of my infamous backyard BBQ’s.

I am really enjoying the work here at the Open Source Lab and especially that of helping with economic development around open technology in Oregon. I love my State and want to see it do well. The opportunities around open technology are limitless in my humble opinion.

Memberships

Professional Bio

I’m sometimes asked to provide a professional bio for conference websites or publications. I’m doing that here so I can direct people to it in the future:

“Scott Kveton is an industry leader passionately focused on building successful teams and bridging communities within the public and private sector. Scott’s experience with companies like Amazon.com and Rulespace has given him a pragmatic understanding of the fast-paced IT industry. Scott returned to his alma mater Oregon State University in 2001 to head up their open source efforts in the form of the Open Source Lab. In addition to the OSL, Scott is an active member of the Portland Open Source Software Entrepreneurs organization in addition to being one of the many people who can say they were ordained on the Internet.”

21st January 2005

Red Hat and the new Fedora

Red Hat is trying to re-energize the Fedora community in hopes of spurring some growth in the use of the distribution.

Red Hat is the flag-bearer for the Open Source community. I believe Matt Szulik has done a fantastic job of making Red Hat a profitable company as well as capturing the vision about what open source is all about. I attended his Linux World Expo keynote in San Francisco this past year and the only way to describe it was stirring. I could even see it in the eyes of the attendees as they left; they were fired up and knew they were in the right place. At the end of the day, Red Hat has to survive and it’s going to do what it has to to make that happen.

I look across the changes in licensing/pricing at Red Hat over the last two years and I see that it was critical to their continued sustainability. It is working for them right now because there is a critical mass in the FOSS world and they are able to stand on the shoulders of many giants in the community to make it happen.

IMHO – Red Hat is a product company. The product is a packaged software developed mostly by people outside of the Red Hat corporate umbrella. Their value is in packaging software and guaranteeing access to updates to their subscribers and customers. To me, this is a step back … a step in the direction of what Sun and Microsoft are. Ironically, Red Hat will meet somewhere in the middle with Sun and Microsoft as recent announcements show they are headed in the other direction. Red Hat is a Sun or Microsoft just with slightly lower costs. I don’t see a lot of innovation there. But as I said before, Red Hat has to survive and they have to do what it takes to get there.

Unfortunately, they are still having a hard time getting buy in from the community on Fedora. Why is that?

While I was at LWE 2004 in San Francisco I got to go to the Gentoo Linux community meeting. There were 50+ people there. This is for a distribution that is less than 3 years old. The energy and enthusiasm was palpable in the room. Just down the hall was the Fedora community meeting. In attendance? 7 people.

So what’s the difference?! We know there are more Fedora users in the world than Gentoo users. Maybe there are just more per-capita in the SFO-area. Maybe Gentoo was more organized, etc. Maybe it was because the OSL was handing out bitchin’ t-shirts. I think the problem is more deeply rooted in the difference between Gentoo and Fedora; community participation and ownership.

Red Hat has announced that they were going to be making changes to help people get more ownership and access to the development of Fedora. This would include access to the latest CVS updates and possibly more in the future. Is this enough? I don’t think so.

What would I do if I were Red Hat?

The FOSS community is hesitant to embrace a distribution that is driven by a company with profits in mind. I’m not trying to get hoity toity on everybody; you’ve got to make a living somehow. However, if you are going to depend on the volunteer work of others, you have to find a way to ease the mind of possible developers in the community if you’re going to get people on board with your distribution. Limiting participation in development and decision making will hurt the prospects for your distro in the future.

I look across the Linux distribution landscape and I see several distributions that have been born specifically because people wanted an alternative to Red Hat. Look at Gentoo Linux and more importantly cAos Linux. These distros are gaining momentum because users are able to participate immediately, make an impact and have ownership in its direction. This comes back to ownership of your own destiny; if Red Hat controls the direction of Fedora, how can a user have peace of mind in investing their time and effort in it?

I would create a Fedora Foundation that would be the non-profit organization that would control the direction of the distro. On its board of directors would be members of the FOSS community and representatives from Red Hat. The stated mission of this Foundation would be to build a community that would be the early adopters of Red Hat’s new technologies that will eventually find their way into RHEL.

This may be difficult for a public company to stomach. The big concern from a developer’s standpoint is that Red Hat may decide to change direction of the Fedora product tomorrow and then leave people out in the cold that have invested their time and energy into the product. This is all about control of destiny. If Fedora is in the hands of the community, then the community and developers will follow. I would be willing to bet so would the energy and excitement too.

15th January 2005

grsecurity

In the release notes of the latest grsecurity, Brad Spengler mentions the fact that Linus and then Andrew Morton did not respond to his emails regarding security vulnerabilities found during December. Included in the notes was a proof-of-concept as well as patches that fix the exploits.

I’m left wondering what the motivation is behind the release of these exploits. Is Brad looking to help the Linux community? Maybe continue to promote full-disclosure? If he is doing either of these, then I would say that is most admirable and definitely the “right thing to do”.

However, in recent months, Brad has done some less than savory things with grsecurity. In reading over the reasoning behind his removal of the grsecurity source from his site at that time, it was because he was trying to prompt a sponsor to pay up and more importantly maybe find another sponsor that could help pay for the continued development.

Again, I’m left wondering, what is the motivation behind the pulling of grsecurity? I don’t see this as a good thing for users of the grsecurity or Linux communities. It sounds to me like Brad believes he “deserves” something for his continued development of grsecurity. If funding dries up in the future Brad, I would suggest walking away from grsecurity completely. I’ll bet a pint of my fine Oregon handcrafted homebrew that somebody would pick up the project and do it with a lot less grief.

Did Linus ever complain that people were using Linux and then pull the source on it if he couldn’t pay to develop it? More importantly, do you think he ever would? Of course not. In that respect, I can understand why Linus and Andrew may have decided not to listen to Brad at that time. Either that, or it was the holidays and they were just busy with other things … -)

14th January 2005

Linux in the Marketplace

The OSDL has presented a paper on its website which is an IDC report about Linux in the Marketplace. This report is about future trends and growth opportunities for Linux to 2008.

Overall, they see a great deal of growth; upwards of 26% growth end-over-end to 2008. The largest growth is in the “packaged software” market which they are projecting will become a $16 billion market by 2008. Very exciting times.

One statement on slide #5 that surprised me a bit was: “Free” Linux deployments are attractive, but the reality is more commercial and government organizations will move toward paid, supported copies. To me, the numbers don’t really show this. What I read there is that the “Free” Linux deployments are growing at a much greater pace than the paid subscription and support versions. This also does not take into account that some vendors do pay for support for the “Free” Linux distributions.

I would say that this is a great opportunity for a company to form that would address the support question for the “Free” distributions out there. If you can build it in such a way that you give plenty of joy to the community and not just re-package an old business model on a “new thing” then I think you’d make a fortune. Heck, I’ll even work there … -)

13th January 2005

Jesus Justus Christ – aka William Stewart Gerald Eddins

NOTE: If you are trying to find Jesus Justus Christ, this is not his website. This is the posting of someone (read: me) annoyed by all of his relentless spamming to countless people across the globe. Fortunately, I am not alone. I’ve deleted the comments because this guy wants to use my site as his pulpit … to be fair, I’ve even deleted the posts of people saying “yes, this guy is a retard” … like I said, get yourself a blog my man.

I don’t mind spammers. Honestly, I think they are taking advantage of a poorly written protocol to make money. I would be willing to bet the anti-spam folks don’t mind them that much either.

But there is this one guy that has been driving me bonkers for the last couple of years and he’s not even trying to make money (at least from what I can tell).

Having been a sysadmin in a former life, I’m still on several mailing lists that I probably don’t need to be on anymore. One of those mailing lists is a fairly well-known top-level email alias; webmaster. Well, over the last couple of years I have been receiving these emails to that alias here at OSU from a gentleman who calls himself Jesus Justus Christ and constantly waxes philosophical about any and all things quoting more passages from the bible than I actually knew existed. His insanely long emails are addressed to every webmaster alias that you can imagine from every school, company and organization that this guy could muster the energy to remember.

Now technically, this guy isn’t doing anything worse than the people yelling holy passages in the streets of your favorite urban center. So I should just hit ‘delete’ and move on. But for some reason, no matter what I do to my spam filters, etc. the mail keeps coming in. I do have to give props to this guy being the most prolific and persistent spammer I have ever seen. Of course now my curiosity is piqued and I must learn more.

Digging into the emails themselves I uncovered a link to his personal website. I can’t quite tell what the site is all about but maybe his emails are to generate traffic to this fairly obscure site. Who knows. Looking even further, I can see this guy was sending emails from LAX (probably found an open hot-spot somewhere) and now via T-Mobile Internet services. My money is on him sending these 302 Kilobyte diatribes from the cozy comfort of a “Starbucks” somewhere in the labyrinth that is known as LAX.

Oh yeah, and I figure I should put a link to every email address I have ever seen from him just for “informational purposes”.

So I say to you Jesus Justus Christ, aka William Stewart Gerald Eddins; save some bandwidth and get a frickin’ blog.

10th January 2005