Mozilla Corp. protecting its trademarks and logos, fine. But when that makes their software non-distributable, it seriously rubs me the wrong way.

Some time ago, the Debian project was forced to remove the Firefox logo (you can see this by opening the About window). At that same time, the copyright protecting the Firefox name prevented Debian from applying patches to the software without changing its name. As a result, renaming the browser Iceweasel had been considered, which drew a lot of (hollow) laughter. After mediation, things settled down and an agreement was reached.

And then one fine day, a new bug is opened. The tone is set from the outset:

(Mike Conner for mozilla): Firefox (the name) is equally protected and controlled by the same trademark policy and legal requirements as the Firefox logo. You're free to use any other name for the browser bits, but calling the browser Firefox requires the same approvals as are required for using the logo and other artwork.

(...)

To my knowledge, each patchset that deviates from what we ship should be run by whoever is doing licensing approvals (this is in progress with various distributions already). It's hard, if not impossible, to define a set of guidelines that is crystal clear and doesn't need human oversight. Novell and Red Hat already do this.

(...)

In that light, you should consider this, as I previously said, notice that your usage of the trademark is not permitted in this way, and we are expecting a resolution. If your choice is to cease usage of the trademark rather than bend the DFSG a little, that is your decision to make.

Annoying. Irritating, even. The maintainers therefore ask whether the situation can be resolved after the release of Etch, which for once seems to be on a tight schedule. There is some chance that Etch will be finalized in December 2006, and nobody really wants to push back its release. A categorical answer from Mr. Mozilla:

(Mike Conner for mozilla): I would think it makes much more sense to resolve this before you put another long-lived release into the wild, unless your aim is to delay compliance. Ignoring the logo issue entirely, I have grave concerns around the nature and quality of some of the changes the patchset contains, and I would like to see the changes as a set of specific patches before I could make any recommendation as to whether we should continue to allow use of the trademark. If we were forced to revoke your permission to use the trademark, freeze state would not matter, you would be required to change all affected packages as soon as possible. It's not a nice thing to do, but we would do it if necessary, and we have done so before.

Well, now it's turning insulting. So Debian has lost the trust the Mozilla project had placed in it? Fine, but then what about security patches?

(Mike Conner for mozilla): Yes, if you are shipping a browser called Firefox, we should be signing off on every deviation from what we ship. Yes, it's time consuming, and yes, I can find more entertaining ways to spend my time, but it's a necessary evil.

As for your straw man about security bugs, what security bugs would you be fixing with your own patches? If there are security bugs, they should be fixed upstream, not in your own tree.

Fits nicely with free software, don't you think? I mean, without wanting to play the linuxfr-style zealot, if Debian cannot guarantee its users that their stable distribution is up to date on security, that's a problem. The conclusion?

(Steve Langasek for Debian): Given your subsequent comments indicating that the Mozilla Foundation reserves the right to revoke trademark grants for released versions of Debian, I don't see that we have any choice but to discontinue our use of the marks.

Great, isn't it? So what, is this whole mess specific to Debian? Over at Fedora, here is what they say about it:

Also you have to take into account that firefox.org doesn't care about Linux. They produce "updates" that are first Windows precompiled binaries. Their Linux stuff is still in CVS, not even tarball released yet, so we have to try and take a CVS snapshot or troll through CVS logs to find the right patch. They also don't seem to care about vendorsec, or if they do it's a token notice and nonsensical embargo dates. The last one I noticed was set to be released in the middle of a global holiday (Easter).

Still encouraging. And at Ubuntu?

Together with the desupport upstream of 1.0.x, (...) Breezy's Firefox has no security support from upstream and contains a significant amount of code which has never been given security support, nor released, by anyone else.

For upstream-supported versions this isn't true; the Mozilla organisation is the best channel for reporting bugs in Mozilla products and there is evidence that although their release and documentation processes are poor, they do actually fix bugs. Furthermore, as a highly visible and central player, they have a reputation to maintain on this point.

So, the code our users are running is substantially different from any code that has anything like a well-supported mechanism for capturing and dealing with reports of security problems. Indeed, if someone discovers a vulnerability in Firefox 1.0.8 I have no confidence that Mozilla would deal with it appropriately or that we would hear about it.

We live in a wonderful world.

[via LWN, the return of the Iceweasel]