The Mozilla Update service (a.k.a. UMO) has been frozen for close to a month now for various reasons. I’d like to take this opportunity to bring folks up to speed on where it is going and some of our timelines.
As background, I got involved in UMO because the Mozilla Foundation (MoFo) co-locates some of their equipment here at the OSL. More specifically, the UMO service landed here because we offered the MoFo space and we had the expertise to help manage a service like this. At the outset, the application was managed by MoFo sysadmins, but as it grew and subsequently was 1.0’d it melted under the weight of its own success. The OSL jumped in with hardware and application tweaking expertise to resurrect the application to its current state. This service is alive today because of the heroic actions of some of the Gentoo community and the tireless work of the OSL and MoFo sysadmins. But I digress.
I was asked by the MoFo to take on the UMO project and I agreed simply because I did not want it to be a poor reflection of the OSL. In addition, in looking over bits of the existing code, it was clear to me that this application was neither well thought out nor ready for prime time. I’m not placing any blame on anyone; I honestly think Wolf did an amazing job in the time that he had.
Here is what keeps me up at night: some malicious extension developer discovers a flaw in the UMO site that allows him to trigger an update to all-things-Firefox-or-Thunderbird. This malicious dev points people at a set of mirrors that house his trojaned copy of Firefox that does all sorts of nasty things. The pundits of course would point to this as the increasing clarity about the failures of open source, etc., so on and so forth. However, we could drill down for any service this far if we wanted to. When is secure, secure enough?
What we’re not going to do is open the site right back up. IMHO this would be a disservice to the Mozilla/Firefox community and would betray their trust in our ability to deliver them anything less than exceptional service and follow-through. That community that raised $250,000 to spread the word deserves more than “here-it-is-if-it-sucks-so-be-it”.
Firefox itself was the product of close to 3 years of development. Why would we expect something so critical as UMO to be created literally overnight? We can’t. However, the community awaits and we refuse to leave them hanging.
Our plans for UMO moving forward will be transparent and open to public scrutiny. We invite the community to review our plans and give input as necessary. I ask only this: if you have a comment or concern with our ideas for getting UMO out to the masses, don’t just post a comment and walk away. Participate. Engage. Post a bug. Submit a patch.
By next week we should have a full plan for v1.0 and v2.0 of UMO. Before we can turn the existing code back on we’re going to undergo a security audit. v2.0 will most likely be a complete rewrite, which will allow us to consider coding standards, architecture and tools that can speed/scale development.
When will UMO be back? All I can say is we’re working hard every day and it will be done when it’s done.