Who We Are And How We Should Be

“Every kingdom divided against itself will be ruined, and every city or household divided against itself will not stand.” — Jesus

It has been said that “Mozilla has a long history of gathering people with a wide diversity of political, social, and religious beliefs to work with Mozilla.” This is very true (although perhaps not all beliefs are represented in the proportions they are in the wider world). And so, like any collection of people who agree on some things and disagree on others, we have historically needed to figure out how that works in practice, and how we can avoid being a “kingdom divided”.

Our most recent attempt to write this down was the Community Participation Guidelines. As I see it, the principle behind the CPGs was, in regard to non-mission things: leave it outside. We agreed to agree on the mission, and agreed to disagree on everything else. And, the hope was, that created a safe space for everyone to collaborate on what we agreed on, and put our combined efforts into keeping the Internet open and free.

That principle has taken a few knocks recently, and from more than one direction.

I suggest that, to move forward, we need to again figure out, as Debbie Cohen describes it, “how we are going to be, together”. In TRIBE terms, we need a Designed Alliance. And we need to understand its consequences, commit to it as a united community, and back it up forcefully when challenged. Is that CPG principle still the right one? Are the CPGs the best expression of it?

But before we figure out how to be, we need to figure out who we are. What is the mission around which we are uniting? What’s included, and what’s excluded? Does Mozilla have a strict or expansive interpretation of the Mozilla Manifesto? I have read many articles over the past few weeks which simply assume the answer to this question – and go on to draw quite far-reaching conclusions. But the assumptions made in various quarters have been significantly different, and therefore so have the conclusions.

Now everyone has had a chance to take a breath after recent events, and with an interim MoCo CEO in place and Mozilla moving forward, I think it’s time to start this conversation. I hope to post more over the next few days about who I think we are and how I think we should be, and I encourage others to do the same.

Copyright and Software

As part of our discussions on responding to the EU Copyright Consultation, Benjamin Smedberg made an interesting proposal about how copyright should apply to software. With Chris Riley’s help, I expanded that proposal into the text below. Mozilla’s final submission, after review by various parties, argued for a reduced term of copyright for software of 5-10 years, but did not include this full proposal. So I publish it here for comment.

I think the innovation, which came from Benjamin, is the idea that the spirit of copyright law means that proprietary software should not be eligible for copyright protections unless the source code is made freely available to the public by the time the copyright term expires.

We believe copyright terms should be much shorter for software, and that there should be a public benefit tradeoff for receiving legal protection, comparable to other areas of IP.

We start with the premise that the purpose of copyright is to promote new creation by giving authors an exclusive right, but that this right is necessarily time-limited because the public as a whole benefits from the public domain and the free sharing and reproduction of works. Given this premise, copyright policy has failed in the domain of software. All software has a much, much shorter life than the standard copyright term; by the end of the period, there is no longer any public benefit to be gained from the software entering the public domain, unlike virtually all other categories of copyrighted works. There is already more obsolete software out there than anyone can enumerate, and software as a concept is barely even 50 years old, so none is in the public domain. Any which did fall into the public domain after 50 or 70 years would be useful to no-one, as it would have been written for systems long obsolete.

We suggest two ideas to help the spirit of copyright be more effectively realized in the software domain.

Proprietary software (that is, software for which the source code is not immediately available for reuse anyway) should not be eligible for copyright protections unless the source code is made freely available to the public by the time the copyright term expires. Unlike a book, which can be read and copied by anyone at any stage before or after its copyright expires, software is often distributed as binary code which is intelligible to computers but very hard for humans to understand. Therefore, in order for software to properly fall into the public domain at the end of the copyright term, the source code (the human-readable form) needs to be made available at that time – otherwise, the spirit of copyright law is not achieved, because the public cannot truly benefit from the copyrighted material. An escrow system would be ideal to implement this.

This is also similar to the tradeoff between patent law and trade secret protection; you receive a legal protection for your activity in exchange for making it available to be used effectively by the broader public at the end of that period. Failing to take that tradeoff risks the possibility that someone will reverse engineer your methods, at which point they are unprotected.

Separately, the term of software copyright protection should be made much shorter (through international processes as relevant), and fixed for software products. We suggest that 14 years is the most appropriate length. This would mean that, for example, Windows XP would enter the public domain in August 2015, which is a year after Microsoft ceases to support it (and so presumably no longer considers it commercially viable). Members of the public who wish to continue to run Windows XP therefore have an interest in the source code being available so technically-capable companies can support them.

Mozilla Voices

I invited people to email me; here’s what they have been saying.

I fear that Mozilla showed a weakness, when we replied to that initial complaint. We showed people we care about what they had to say about Brendan, and about politics. I think we shouldn’t. …

Although technically we are still good, I fear that our community is strained right now. We need to forget all politics, and focus on the mission. Only the mission. We shouldn’t care about other things. Hopefully we will pull through…


Recent events have made me very angry, and the more I think about it, the angrier I get. …

Brendan understood that for Mozilla to be successful in its mission, participants needed to check their prejudices at the door and work together to build this great thing. And he himself compartmentalized his prejudices away from his work life.

He awarded others this tolerance, but in the end was not awarded it himself by others.


While I am myself a strong supporter of equal marriage rights, I am shocked by what was done to Brendan. It was truly vindictive and intolerant, completely unbecoming of a movement that claims to fight for tolerance.


I am not sure what you will do with the feedback you get, but if you can, in the middle of the rest, express that there exists a point of view that the leadership does not listen well enough and needs to open up lines of communication to the leadership from employees, the community and even non-community users, that idea would be worth communicating.


I feel that Brendan was unfairly persecuted for expressing his views even though it seems evident he never allowed any personal views to affect his ability to function.

People have been justifying bashing his position on the basis that equality is normally and editorially required for any position of power. Unfortunately these people are either bordering on misinformed or purely idiotic.


I am surprised at how mean people can be toward Brendan. It is a big loss for Mozilla.

I have been using Firefox since it was called Phoenix. I have installed it on many PCs. I learned Javascript on Firefox. I was loyal to Firefox during the difficult years when it had memory and speed issues. I was generally impressed with Mozilla’s stance on the Open Web. Now, I am not so impressed with Mozilla.


Somebody has been forced to resign from Mozilla because of his beliefs/ideas/opinions. That is exactly the opposite of what Mozilla states to be its “mission” …


I find it horrific that this backlash is a repeat of what you experienced two years ago. And it’s deeply affected me in my impression of how welcomed Christians are at Mozilla.


If you want your voice heard, or just want to talk in confidence (say if so), please email me.

Your Ire Is Misdirected

Hi. My name is Gervase Markham. I’m a supporter of traditional marriage, and I work for Mozilla. In fact, as far as being on the record goes, I believe I’m now the only one.

Many people who agree with me on this issue are very upset about what happened to Brendan Eich, our co-founder and, for two weeks, CEO of the Mozilla Corporation. Brendan was appointed and then, after 10 days under the Internet’s lens of anger based on his donation in opposition to the redefinition of marriage, stepped down and stepped away from Mozilla – to our great loss.

I am assured by sources I trust that Brendan decided to leave of his own accord – he was not forced out. My understanding is that the senior management of Mozilla (many of whom disagree with him on this issue) worked very hard to support him, even if I would not agree with all the actions they took in doing so. However, he eventually felt that it was impossible for him to focus on leading if he was spending all of his time dealing with the continued, relentless news and social media storm surrounding the donation he made. In other words, he wasn’t forced out from the inside – he was dragged out from the outside.

So, here’s my plea: please don’t be angry with Mozilla. Mozilla and what it does and stands for is too important to the future of the free web to allow this to do it damage. It was us who brought innovation back to the web browser market and started the process which led to the awesome web you use today. And now, we’re trying to do the same with the closed smartphone market. I believe that connecting billions of people in the developing world to the web at minimal cost and with full fidelity will lead to the next great advance in human flourishing, as people can use the information they discover to make their own lives better. That’s our goal.

If you can’t find it in your heart to forgive them (the course I would recommend), then your anger is best directed at those outside Mozilla who made his position untenable. The press that twist and sensationalize without investigation, social media which magnifies and over-simplifies without consideration, and those who rush to judgement without understanding. I’m not going to name names or organizations. But as far as Mozilla itself goes, please, please continue to support us.

I am determined to work to make all Mozillians of whatever beliefs – and whatever actions they take outside of Mozilla in support of those beliefs – confident that, if they can work with other Mozillians as Brendan did so well for 15 years, Mozilla is a place for them. How successful we’ll be at that depends on how our community deals with what just happened – but it also depends on you. If you jump to paint Mozilla in the colours of ‘the opposition’, that will become a self-fulfilling prophecy. And the world will be poorer for it.

Mozilla is caught in the middle of a worldview war. Let’s not make the free web a casualty.

Recent Events

It’s possible some people may want to discuss or give their view on recent events but, given the strength and tone of opinion expressed already, may not feel safe doing so in public. If that’s true of you, please feel free to email me at gerv@mozilla.org. I’m available to talk.

I may produce anonymous summaries of what people are saying to me so that others can understand how people are feeling; I want everyone to feel their voices can be heard. But if you want that not to happen for you, just say.

If you need it, you can find my PGP public key here.

IE11, Certificates and Privacy

Microsoft recently announced that they were enhancing their “SmartScreen” system to send back to Microsoft every SSL certificate that every IE user encounters. They will use this information to try and detect SSL misissuances on their back end servers.

They may or may not be successful in doing that, but this implementation raises significant questions of privacy.

SmartScreen is a service to submit the full URLs you visited in IE (including query strings) to Microsoft for reputation testing and possible blocking. While Microsoft tries to reassure users by saying that this information passes to them over SSL, that doesn’t help much. It means an attacker with control of the network can’t see where you are browsing from this information – but if they have control of your network, they can see a lot about where you are browsing anyway. And Microsoft has full access to the data. The link to “our privacy statement” in the original SmartScreen announcement is, rather worryingly, broken. This is the current one, and it also tells us that each SmartScreen request comes with a unique identifier. That doesn’t contain any personal information, but it does allow Microsoft, or someone else with a subpoena, to reconstruct an IE user’s browsing history. The privacy policy also says nothing about whether Microsoft might use this information to e.g. find out what’s currently trending on the web. It seems they don’t need to provide a popular analytics service to get that sort of insight.

You might say that if you are already using SmartScreen, then sending the certificates as well doesn’t reveal much more information to Microsoft about your browsing than they already have. I’d say that’s not much comfort – but it’s also not quite true. SmartScreen does have a local whitelist for high traffic sites and so they don’t find out when you visit those sites. However (I assume), every certificate you encounter is sent to Microsoft, including high-traffic sites – as they are the most likely to be victims of misissuance. So Microsoft now know every site your browser visits, not just the less common ones.

By contrast, Firefox’s (and Chrome’s) implementation of the original function of SmartScreen, SafeBrowsing, uses a downloaded list of attack sites, so that the URLs you visit are not sent to Google or anyone else. And Certificate Transparency, the Google approach to detecting certificate misissuance after the fact which is now being standardized at the IETF, also does not violate the privacy of web users, because it does not require the browser to provide information to a third-party site. (Mozilla is currently evaluating CT.)

If I were someone who wanted to keep my privacy, I know which solution I’d prefer.
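The comparison above as a small simulation (an added example, not code from this post or from any browser): it models what a reputation server can tie to one request identifier under a remote URL check, the same check with certificate reporting, and a downloaded list. The host names, whitelist, blocklist and identifier are constructed, and it follows the post's assumption that a certificate is reported for every HTTPS site.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data: hypothetical hosts, not real vendor lists.
HIGH_TRAFFIC_WHITELIST = {"bank.example", "mail.example"}
DOWNLOADED_BLOCKLIST = {"malware.example"}
SESSION = [
    "https://bank.example/account?id=1234",
    "https://mail.example/inbox",
    "https://smallforum.example/thread?q=health+question",
    "http://plainblog.example/post/7",
    "https://malware.example/dropper",
]


class ReputationServer:
    """Remote side: records whatever clients submit, keyed by request identifier."""

    def __init__(self):
        self.log = defaultdict(list)

    def submit(self, client_id, kind, value):
        self.log[client_id].append((kind, value))

    def hosts_seen(self, client_id):
        """Hosts that the log lets its holder tie to one client identifier."""
        hosts = set()
        for kind, value in self.log.get(client_id, []):
            hosts.add(urlsplit(value).hostname if kind == "url" else value)
        return hosts

    def query_strings_seen(self, client_id):
        """Query strings that arrived inside submitted URLs."""
        return [urlsplit(v).query for k, v in self.log.get(client_id, [])
                if k == "url" and urlsplit(v).query]


def browse_with_remote_check(server, client_id, urls, report_certificates):
    """Remote design: full URLs go to the server unless whitelisted locally.
    With certificate reporting on, every HTTPS site's certificate goes too."""
    for url in urls:
        parts = urlsplit(url)
        if parts.hostname not in HIGH_TRAFFIC_WHITELIST:
            server.submit(client_id, "url", url)
        if report_certificates and parts.scheme == "https":
            # A certificate names the host it was issued for.
            server.submit(client_id, "cert_host", parts.hostname)


def browse_with_downloaded_list(urls):
    """Local design as the post describes it: matching happens on the client
    against a downloaded list, so no visited URL is submitted."""
    return [u for u in urls if urlsplit(u).hostname in DOWNLOADED_BLOCKLIST]


def compare():
    """Run the same session under each design and report what the server holds."""
    all_hosts = {urlsplit(u).hostname for u in SESSION}
    url_only, with_certs, local = (ReputationServer() for _ in range(3))
    browse_with_remote_check(url_only, "id-1", SESSION, report_certificates=False)
    browse_with_remote_check(with_certs, "id-1", SESSION, report_certificates=True)
    blocked = browse_with_downloaded_list(SESSION)
    return {
        "url_check_only": url_only.hosts_seen("id-1"),
        "url_check_plus_certs": with_certs.hosts_seen("id-1"),
        "downloaded_list": local.hosts_seen("id-1"),
        "hidden_by_whitelist": all_hosts - url_only.hosts_seen("id-1"),
        "blocked_locally": blocked,
        "query_strings_leaked": url_only.query_strings_seen("id-1"),
    }


if __name__ == "__main__":
    for design, seen in compare().items():
        print(f"{design}: {seen}")
```

The whitelist hides the two high-traffic hosts from the URL check alone, and certificate reporting puts them back in the server's log, while the downloaded-list design still blocks the attack site with an empty log.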

Performance Comparison

Mozilla 1.0 was released 12 years ago, in 2002. We did a new start page for the browser, using cutting-edge web technology. It can still be found on www-archive.mozilla.org. (It’s suffered a little bit in the archiving… The transparent PNG dino tail is broken, and www-archive claims wrongly that it’s UTF-8 so you have to pick “Western” in the Character Encoding menu to fix the � characters.)

There’s a little easter egg in it. If you mouse over the word “Party”, then it launches little “DHTML” (that’s what we called it back then, when I were a lad) fireworks. It only fires one firework at a time. We tried it with more, but we discovered performance problems with manipulating more than a dozen “particles” smoothly at once.

How far we’ve come.

Firefox OS Brand Requirements Brown Bag: Today, 9am PDT (4pm UTC)

[Update: A recording is available for vouched Mozillians]

Late-breaking news – spread the word to anyone interested in the requirements we put on carriers in order to sell phones branded Firefox OS; i.e. the way we bring our values into the mobile world.

Pete Scanlon writes:

Hello Mozilla Community

Wanted to extend an invitation to have you join a brown bag session tomorrow[today -- Gerv], March 25th at 9am PDT to discuss the requirements for device manufacturer and network operator partners to use the Firefox OS name and word mark in their efforts to bring the mobile web to more people in more places.

Given the size of the opportunity and the associated scope, we will focus our conversation on the level of devices that represent a web based operating system only. This group includes smartphones, tablets, smart televisions, and the emerging “Internet of Things” category.

The discussion will be live streamed on Air Mozilla for all Mozillians (you will need to sign in with your LDAP[Mozillians, I hope -- Gerv] credentials) and will be available afterward for your reference.

Join us on IRC in the #townhall channel. [There's a password; ask a staff member who got the original email -- Gerv].

Many thanks for your interest.

Pete Scanlon

Mozilla and the Future

I am delighted that Brendan Eich has been named the new CEO of the Mozilla Corporation.

At this time of transition, I would like to encourage Mozilla community members to focus on, and to blog about, the future they’d like to see for the project. I’d love to read where others think we should be going, and I hope Brendan would too.

Here are my thoughts:

Strategy

  • We should make sure that our requirements on Firefox OS carriers and OEMs for openness, transparency and Mozilla-ness are stringent enough that at least a few say “No, we can’t do that; we’ll go elsewhere”. If everyone agrees to your terms, you aren’t asking for enough.
  • We should have a community conversation about what those requirements should be. (Some of what I think is outlined by implication in my recent post Mozilla and Proprietary Software.) To that end, I’m delighted that today there’s a brown bag on the Firefox OS Brand Requirements, which is the document which defines them. (It’s not currently clear who can come to this brown bag; I’m trying to get clarity.)
  • We should get down to a price point for our lowest-end phone – say $25 – and then ride Moore’s Law up the hardware spec scale at that price point. That is to say, at some point we should stop trying to make Gecko smaller and focus on improving the capabilities without growing it faster than the hardware is growing at that price point. Let’s not bet against Moore’s Law.
  • We shouldn’t try and compete at the high end, but we do need to move into the mid market, because that’s where there’s both global volume and money. (At the low end there’s volume but little money, and at the high end there’s money but less volume.) If we can’t make our ecosystem pay for developers and operators, it won’t grow.

Technical

  • Brendan has talked about differentiating Firefox in the “trust” area. We should ship Collusion as part of Firefox for desktop, with surrounding explanation of what it means. We should build and ship Tor on Firefox OS (and find a way to extend the Tor network while doing so).
  • The average network connection of the average customer is getting worse, because more people are coming online in places where the networks suck – both in bandwidth and latency. We need to make that less painful. HTTP/2 is one way; perhaps there are others, in collaboration with operators and sites. And our offline app support needs to be awesome.
  • We’d probably need a consensus to do it, but we should try and build one, and make some new web features HTTPS-only.

Governance and Community

  • We need to figure out how our project should be governed, and how those governance structures mesh with the org chart of the Mozilla Corporation. Having clear community governance is vital if we want to grow the community and allow non-employees to take on positions of responsibility. You can’t take a position which doesn’t exist.
  • Our community governance structures need to cover all that we do, not just a portion as now, and they probably need to change to meet the needs of the Mozilla of 2014.
  • We need to help our new mobile partners live in our world and become fully-fledged participants and contributors. If we end up just being an upstream code source, that’s a loss for us.

Mozilla and Proprietary Software

Mozilla is both a principled organization and a pragmatic one.

Mozilla products run on proprietary operating systems, and on proprietary hardware. We are in the mobile OS business, and no-one, not even the mighty Google, has yet been able to make a 100% open source phone available in commercial quantities. So proprietary software is part of Mozilla’s life. But I think most people in our community would be rightly upset if Mozilla decided, for example, to take advantage of the provision in the MPL which would allow us to ship proprietary builds of Firefox on the desktop.

So, the question arises: where’s the line? Where in the big picture is it OK for proprietary software to be, and where is it not OK?

“You don’t have to make a case for open. You have to make a case for not open.” — Johnathan Nightingale

Over time, this question has been arising in a number of different contexts. And I think the answers we might give at the Mozilla project would be different to those you might hear from the FSF, or the Apache project, or the Android project, to name but three points on a wide spectrum of opinion. So I think it would be a productive conversation to try and work out some principles in this area – or, at least, to gauge the range of opinion. As johnath says, if we are using or distributing closed software, we need to make an active case for why we are doing it.

This post is therefore a discussion starter, and outlines where I currently think the line is – i.e. where a reasonable case can be made for closed, and where it cannot. It could be that, in the future, a case can be made for additions to, removals from or modifications of this list. But having a defined list at least helps to make it more clear what is a new situation where a case needs to be made, and what is another example of something we’ve done before.

Note that this post represents my opinion only, and is not official Mozilla policy. Although it speaks of things that currently are, as well as things that currently are not, for ease of reading, I will write directly rather than using conditional language (i.e. “will” rather than “should”).

    Mozilla

  1. The basic rule is that software written by Mozilla will be open source. Mozilla is a public benefit organization; we do not use money given to us to write proprietary software.

    Rationale: Manifesto Principle 7.

  2. Mozilla may distribute proprietary software written by others with its own software under the following circumstances:
    A. If it’s a missing important piece of functionality provided by an OS vendor for a proprietary operating system on which our software runs;
    B. If the software is required to make use of the hardware on which the product runs, and there is no open source alternative driver of sufficient quality.

    Example of A): the Direct3D DLL, included under the Binary Components policy. Example of B): hardware drivers for Firefox OS.

    These situations are seen as sub-optimal and we look for opportunities to eliminate them, as opportunity and market power permit. They are not seen as precedent-setting. This is a negotiating point in discussions with hardware manufacturers, particularly for reference devices.

    In the past, we shipped the “Talkback” crash-reporting software, which did not fall under either of these exceptions. We now use the open source Breakpad. This replacement took seven long years to arrive. Now that Talkback is gone, we should not go back there.

    Rationale: without such exceptions, we can’t ship competitive products (or, in the case of B, any products at all). But we need to define them tightly.

  3. Mozilla’s products will execute proprietary code in web content.

    Example: most JavaScript on the web today.

    Rationale: without this, our products would effectively not browse the web at all.

    Partners

  4. Mozilla may permit its partners to distribute proprietary software in a product using a Mozilla brand under the circumstances above. Mozilla’s partners may also ship proprietary apps in their versions of Firefox OS. Such apps must be uninstallable. Additions to the platform not falling under one of the exceptions above must be open source.

    Rationale: same as above, plus requiring that all default partner apps be free software means many popular apps could not be bundled, making our offering much less compelling. If we allow users to install proprietary apps, there is not significant additional harm in bundling (uninstallable) ones. Requiring arbitrary platform additions to be open source is necessary to allow users to build updated versions of the software for their phones. (Binary driver blobs use a known API and, while it’s sub-optimal, can be copied from official builds into user ones.)

  5. Mozilla will only allow Mozilla brands to be used for software on phones which are bootloader-unlockable.

    Rationale: Mozilla stands up for user freedom, including the freedom to hack one’s phone, and update the OS even when the vendor has ceased support.

    Software Added Later

  6. Mozilla’s products may sometimes automatically download and install deterministically-built binary builds of other open source software where we would prefer not to distribute it ourselves, e.g. for patent license reasons. However, there may be additional requirements we would want to be met before we solved a problem using this solution.

    Example: Cisco’s H.264 binary builds made from OpenH264. (Note: the exact user experience in this case has not yet been determined. I am just saying that I think it would be OK if Firefox downloaded and installed this software automatically.)

    Rationale: Software patents suck. Because Cisco have made H.264 free-as-in-price at the point of use for everyone, we managed to get a draw in this particular round of the codec wars. (The other options were much worse.) But fighting patents is done at the standards and industry level, not at the “make every user click a button” level. If the source is open and the binaries are deterministically built, then users are using binaries of free software which is bit-for-bit identical to that we could build for them ourselves, and so requiring a user confirmation here gains us nothing.

  7. Mozilla will allow proprietary software in the app stores and addons stores that it runs. Mozilla will make sure the license terms for software are clearly marked, and are searchable as a metadata field.

    Example: Firefox OS Marketplace, addons.mozilla.org. (Unfortunately, license metadata is not currently collected or available for searching.)

    Rationale: some people, including members of our community and vocal Mozilla supporters, wish to avoid using proprietary software; we should help them make choices in line with their ethics.

  8. Mozilla’s products may give the user the UI option of downloading, installing and running binary builds of proprietary software (e.g. an addon or plugin) but will not get to the point of executing such software without getting explicit or implicit user consent somewhere along the way. “Implicit consent” means that the user has taken some action (e.g. installing the Flash plugin themselves) which was not mediated by Firefox but which we know must have happened.

    Example: Mozilla allows users to download proprietary Firefox add-ons through the Add-On Manager UI. The Plugin Finder Service will point users at downloads of proprietary plugins such as Flash. But all require at least one explicit confirming click to install.

    Rationale: some people, including members of our community and vocal Mozilla supporters, wish to avoid executing proprietary software; we should not sneakily run it on their systems. However, even offering it is enough for Firefox to not be in the FSF’s directory of free software. :-|

    Network Services

  9. Mozilla prefers to use open source software for end-user network services it builds into its products. However, we are willing to partner with companies who use proprietary software and/or data. Such proprietary services must be able to be disabled by the user, and the API endpoint must be configurable by the user or 3rd party software such as an extension (e.g. an about:config setting in Desktop Firefox).

    Examples: Safe Browsing, geolocation.

    Rationale: Mozilla is starting efforts in geolocation, speech recognition and translation to either replace or avoid depending on proprietary services in these areas. But building e.g. a replacement for Google Safe Browsing, which protects many, many Firefox users from malware and phishing every day, would be a mammoth undertaking. And removing it would put our users at significant risk. Endpoint URL configurability allows people to reverse-engineer service APIs and implement alternatives which Firefox can then easily use.

    Development

  10. Mozilla’s products will run on proprietary operating systems, and therefore may require proprietary software, such as a compiler or SDK, as part of the build process for such systems. Mozilla’s products will not require proprietary tools to build on free operating systems.

    Example: Release builds of Firefox on Windows are built using Microsoft Visual Studio, and most developers on Windows use it for their builds too.

    Rationale: if one is using a proprietary OS, there seems no additional harm in using proprietary build tools.

  11. Mozilla strongly prefers to use open source software for network services it stands up for use by the Mozilla developer community, but may use proprietary software if no open source software of equivalent functionality is available. In such cases, Mozilla provides some resources (money or people) to help rectify that situation.

    Example: Mozilla uses Vidyo, and so Mozillians who want to use it have to use the proprietary Vidyo client, or Flash. But we are developing WebRTC in the browser, and hope that thereby solutions will emerge where people can participate in multi-party video using only open source software. We are also trying to get the SIP gateway working (that bug is restricted to the ‘infra’ group so you may not be able to see it) so people can video-call in using free software.

    Rationale: we should not compromise our effectiveness by using significantly sub-standard tools; but as a member of the wider open source community and as a public benefit organization, we have a responsibility to grow the commons in areas where we have an interest.

  12. Mozilla community members are free to use proprietary desktop software if they wish. Mozilla may therefore pay for licenses for particular bits of proprietary software for the use of Mozilla employees, contractors or interns. Mozilla will not implement systems which require non-employees to use proprietary desktop software to be part of the community.

    Example: Windows, Office, internal payroll or HR systems. (Vidyo doesn’t quite break that last rule, as someone can still dial in to any meeting by phone.)

    Rationale: there are no effective substitutes for some of this software. However, we should not lock free software advocates out of full participation in our community.

It Just Keeps Working

One of the great things about desktop software, and mobile apps, is that once you have some software, if you don’t do anything it generally just keeps working. Now there are exceptions to this – if you live in the iOS gilded cage, your cojones and your apps still belong to Apple, and they can yank them any time they like. But they don’t do that all that often. And if your app requires network interactions, perhaps the thing it interacts with will change, requiring an app update. But generally speaking, if I get a text editor app, it’ll still be able to edit text until my phone dies or I delete it. And that gives me a great sense of confidence and stability in my use of my technology.

The same is not true of web pages. They can go away at any time. As can cached copies, archive.org copies, or whatever.

So, as we build Firefox OS, and the line between apps and websites gets blurred, let’s make sure we don’t lose this feature. Once the user’s mental model of what’s going on suggests to them that an app is “theirs” (and that doesn’t just mean “they paid for it”), then we need to make sure that it just keeps working. Even if the original source goes offline.

My Travel Tips

There are internal discussions going on among Mozilla employees about how best to save money when travelling. Inspired by that, here are my travel tips. Some of them are money savers, some are just, well, good advice. Chris Heilmann has given us his; most are good, although I’m no fan of layovers.

Packing List

I have a “packing-list.txt” file on my computer, organized by “context” (Clothes, Tech, Abroad, Cold, Hot, etc). Before each trip, I print a copy 2-up on a side of A4, then go through and cross out the things I’m not planning to take. I then go and gather up what’s left. This requires so little “er, do I want to take this?” brainpower that I can normally pack for any trip in about 20 minutes, and it’s extremely rare that I forget anything important. If I notice myself writing the same thing on more than a couple of times, it gets added to the file. If I notice myself crossing something off almost every time, it gets removed.

Airbnb

Although I’ve had one less-than-stellar experience, I’ve also made 2 good friends through Airbnb. There are Airbnbs in walking distance of many of our offices (they are a bit thin on the ground in Mountain View). And you normally get nicer conditions at a cheaper price than a hotel.

Misc

  • Never leave your passport anywhere except in your bag or, while using it, your pocket. This particularly applies to leaving it on tables, in plane seatback pockets, etc.
  • Why rush onto the plane? You end up queueing for ages, and the worst that can happen if you’re last on is that there’s no room for your bag and the stewardess has to put it somewhere else and give it back to you when you get off.
  • While parked at the gate in your home country, use the Internet on your phone to check out reviews of the available films. Gotta be quick…
  • Online checkin and no hold luggage means that you can arrive at the airport as little as 1h 15m in advance and still be very relaxed going to the gate.
  • Buy a Thinkpad X-series and an extended battery. The 9-hour battery life is great for Europe-to-West-Coast.
  • If travelling for only a few days, don’t attempt to cross all the timezones. Get up early/late and go to bed early/late instead. Just because it’s 3am local time doesn’t mean you can’t be doing useful work, or calling your wife, or preparing a Bible study, or something else productive.
  • Arriving at Brussels on Eurostar, your ticket is valid to go to any station in the city. So don’t get a taxi, just go upstairs and head for the Central Station, 7 minutes away.

How Mozilla Is Different

We’re replacing Firefox Sync with something different… and not only did we publish the technical documentation of how the crypto works, but it contains a careful and clear analysis of the security improvements and weaknesses compared with the old one. We don’t just tell you “Trust us, it’s better, it’s the new shiny.”

The bottom line is that, in order to get easier account recovery and device addition, and to allow the system to work on slower devices, e.g. Firefox OS phones, your security has become dependent on the strength of your chosen Sync password when it was not before. (Before, Sync didn’t even have passwords.) This post is not about whether that’s the right trade-off or not – I just want to say that it’s awesome that we are open and up front about it.

Uses of the Public Suffix List

For several years, Mozilla has maintained the Public Suffix List, a “map” of responsibilities within the DNS, as a service to the greater Internet community. We originally created it for browsers, but it has seen wider use in a surprising variety of places. There is now renewed interest in replacing it with something DNS-based and more robust. As a precursor to that work, I’m collecting a list of all the things the PSL is used for.

If you are a Mozilla hacker and know of somewhere we are using the PSL that isn’t listed, or if you know of uses of the PSL outside Mozilla, please add them.