Safari

When It Comes to Privacy, Safari Is Only the Fourth-Best Browser (yahoo.com) 36

Apple's elaborate new ad campaign promises that Safari is "a browser that protects your privacy." And the Washington Post says Apple "deserves credit for making many privacy protections automatic with Safari..."

"But Albert Fox Cahn, executive director of the Surveillance Technology Oversight Project, said Safari is no better than the fourth-best web browser for your privacy." "If browser privacy were a sport at the Olympics, Apple isn't getting on the medal stand," Cahn said. (Apple did not comment about this.)

Safari stops third-party cookies anywhere you go on the web. So do Mozilla's Firefox and the Brave browser... Chrome allows third-party cookies in most cases unless you turn them off... Even without cookies, a website can pull information like the resolution of your computer screen, the fonts you have installed, add-on software you use and other technical details that in aggregate can help identify your device and what you're doing on it. The measures, typically called "fingerprinting," are privacy-eroding tracking by another name. Nick Doty with the Center for Democracy & Technology said there's generally not much you can do about fingerprinting. Usually you don't know you're being tracked that way. Apple says it defends against common fingerprinting techniques but Cahn said Firefox, Brave and the Tor Browser all are better at protecting you from digital surveillance. That's why he said Safari is no better than the fourth-best browser for privacy.

Safari's does offer extra privacy protections in its "private" mode, the article points out. "When you use this option, Apple says it does more to block use of 'advanced' fingerprinting techniques. It also steps up defenses against tracking that adds bits of identifying information to the web links you click."

The article concludes that Safari users can "feel reasonably good about the privacy (and security) protections, but you can probably do better — either by tweaking your Apple settings or using a web browser that's even more private than Safari."
Mozilla

Mozilla Follows Google in Losing Trust in Entrust's TLS Certificates (theregister.com) 14

Mozilla is following in Google Chrome's footsteps in officially distrusting Entrust as a root certificate authority (CA) following what it says was a protracted period of compliance failures. From a report: A little over a month ago, Google was the first to make the bold step of dropping Entrust as a CA, saying it noted a "pattern of concerning behaviors" from the company. Entrust has apologized to Google, Mozilla, and the wider web community, outlining its plans to regain the trust of browsers, but these appear to be unsatisfactory to both Google and Mozilla.

In an email shared by Mozilla's Ben Wilson on Wednesday, the root store manager said the decision wasn't taken lightly, but equally Entrust's response to Mozilla's concerns didn't inspire confidence that the situation would materially change for the better. "Mozilla previously requested that Entrust provide a detailed report on these recent incidents and their root causes, an evaluation of Entrust's recent actions in light of their previous commitments given in the aftermath of similarly serious incidents in 2020, and a proposal for how Entrust will re-establish Mozilla's and the community's trust," said Wilson.

Security

DigiCert Revoking Certs With Less Than 24 Hours Notice (digicert.com) 61

In an incident report today, DigiCert says it discovered that some CNAME-based validations did not include the required underscore prefix, affecting about 0.4% of their domain validations. According to CA/Browser Forum (CABF) rules, certificates with validation issues must be revoked within 24 hours, prompting DigiCert to take immediate action. DigiCert says impacted customers "have been notified." New submitter jdastrup first shared the news, writing: Due to a mistake going back years that has recently been discovered, DigiCert is required by the CABF to revoke any certificate that used the improper Domain Control Validation (DCV) CNAME record in 24 hours. This could literally be thousands of SSL certs. This could take a lot of time and potentially cause outages worldwide starting July 30 at 19:30 UTC. Be prepared for a long night of cert renewals. DigiCert support line is completely jammed.
Firefox

Firefox 128 Criticized for Including Small Test of 'Privacy-Preserving' Ad Tech by Default (itsfoss.com) 57

"Many people over the past few days have been lashing out at Mozilla," writes the blog Its FOSS, "for enabling Privacy-Preserving Attribution by default on Firefox 128, and the lack of publicity surrounding its introduction."

Mozilla responded that the feature will only run "on a few sites in the U.S. under strict supervision" — adding that users can disable it at any time ("because this is a test"), and that it's only even enabled if telemetry is also enabled.

And they also emphasize that it's "not tracking." The way it works is there's an "aggregation service" that can periodically send advertisers a summary of ad-related actions — again, aggregated data, from a mass of many other users. (And Mozilla says that aggregated summary even includes "noise that provides differential privacy.") This Privacy-Preserving Attribution concept "does not involve sending information about your browsing activities to anyone... Advertisers only receive aggregate information that answers basic questions about the effectiveness of their advertising."

More from It's FOSS: Even though Mozilla mentioned that PPA would be enabled by default on Firefox 128 in a few of its past blog posts, they failed to communicate this decision clearly, to a wider audience... In response to the public outcry, Firefox CTO, Bobby Holley, had to step in to clarify what was going on.

He started with how the internet has become a massive cesspool of surveillance, and doing something about it was the primary reason many people are part of Mozilla. He then expanded on their approach with Firefox, which, historically speaking, has been to ship a browser with anti-tracking features baked in to tackle the most common surveillance techniques. But, there were two limitations with this approach. One was that advertisers would try to bypass these countermeasures. The second, most users just accept the default options that they are shown...

Bas Schouten, Principal Software Engineer at Mozilla, made it clear at the end of a heated Mastodon thread that "[opt-in features are] making privacy a privilege for the people that work to inform and educate themselves on the topic. People shouldn't need to do that, everyone deserves a more private browser. Privacy features, in Firefox, are not meant to be opt-in. They need to be the default.

"If you are 'completely anti-ads' (i.e. even if their implementation is private), you probably use an ad blocker. So are unaffected by this."

This has already provoked a discussion among Slashdot readers. "It doesn't seem that evil to me," argues Slashdot reader geekprime. "Seems like the elimination of cross site cookies is a privacy enhancing idea." (They cite Mozilla's statement that their goal is "to inform an emerging Web standard designed to help sites understand how their ads perform without collecting data about individual people. By offering sites a non-invasive alternative to cross-site tracking, we hope to achieve a significant reduction in this harmful practice across the web.")

But Slashdot reader TheNameOfNick disagrees. "How realistic is the part where advertisers stop tracking you because they get less information from the browser maker...?"

Mozilla has provided simple instructions for disabling the feature:
  • Click the menu button and select Settings.
  • In the Privacy & Security panel, find the Website Advertising Preferences section.
  • Uncheck the box labeled Allow websites to perform privacy-preserving ad measurement.

Mozilla

Thunderbird 128: Annual ESR Brings New Features and 'a Rust Revolution' (thunderbird.net) 78

Thunderbird's annual Extended Support Release was revealed Friday, promising "significant" improvements to the overall user experience and "the speed at which we can deliver new features to you," according to the Thunderbird blog: We've devoted significant development time integrating Rust — a modern programming language originally created by Mozilla Research — into Thunderbird. Even though this is a seemingly invisible change, it is a major leap forward because it enhances our code quality and performance. This overhaul will allow us to share features between the desktop and future mobile versions of Thunderbird, and speed up our development process. It's a win for our developers and a win for you.
More from the blog OMG Ubuntu: I'm also stoked to see that Thunderbird 128 makes 'newest first' the default sort order for messages in message list. While some prefer the old way, I always found it strange that the oldest mails were shown first — team reverse chronology, represent!
They also cite "a number of OpenPGP improvements," plus a new preference option for displaying full names and email addresses of all recipients in the message list. (Plus, threaded-message views now display a "New Message" count.)

Other new features in this release:
  • A new and more attractive layout for Cards View (with adjustable heights) that "makes it easier to scan your email threads and glean information."
  • The folder pane has better recall of message thread states
  • Improved theme compatibility. "Your Thunderbird should blend seamlessly with your desktop environment, matching the system's accent colors perfectly." (Especially beneficial on Ubuntu and Mint.)
  • You can now customize the color of your account icon.

The Thunderbird blog also mentions that "We plan to launch the first phase of built-in support for Exchange, as well as Mozilla Sync, in a future Nebula point release (e.g. Thunderbird 128.X)."


Firefox

Mozilla Releases FireFox 128 57

williamyf writes: Mozilla has released version 128 of the Firefox web browser. Some noteworthy features include: "Firefox can now translate selections of text and hyperlinked text to other languages from the context menu. [...] Firefox now has a simpler and more unified dialog for clearing user data. In addition to streamlining data categories, the new dialog also provides insights into the site data size corresponding to the selected time range. [...] On macOS, microphone capture through getUserMedia will now use system-provided voice processing when applicable, improving audio quality." More info in the release notes here.

But the most important feature of 128 is that it is the newest ESR. Why is this important? Glad you asked:

* Firefox ESR is the browser of choice for many Linux distros (including Debian), so this is important for the Linux community at large.
* Many downstream projects (like Thunderbird or KAiOS) use Firefox ESR as their base, so whatever is included in 128 will determine the capabilities of those projects for the next year.
* Many ISVs (software makers), both big and small, test/certify their software only against the ESR version of Firefox. For users of such software, the new ESR is very important.
* Many companies and individuals value stability of the UI/Workflow over new bells and whistles, for them, ESR is important.
* When an OS is discontinued, Mozilla lets the ESR be the last browser on the platform, exceeding the support window of the likes of Alphabeth, Apple or Microsoft, so for people on older OSs, ESR is important.

Link to download (the ESR) here.
Chrome

Google Cuts Ties With Entrust in Chrome Over Trust Issues (theregister.com) 12

Google is severing its trust in Entrust after what it describes as a protracted period of failures around compliance and general improvements. From a report: Entrust is one of the many certificate authorities (CA) used by Chrome to verify that the websites end users visit are trustworthy. From November 1 in Chrome 127, which recently entered beta, TLS server authentication certificates validating to Entrust or AffirmTrust roots won't be trusted by default.

Google pointed to a series of incident reports over the past few years concerning Entrust, saying they "highlighted a pattern of concerning behaviors" that have ultimately seen the security company fall down in Google's estimations. The incidents have "eroded confidence in [Entrust's] competence, reliability, and integrity as a publicly trusted CA owner," Google stated in a blog.
The move follows a May publication by Mozilla, which compiled a sprawling list of Entrust's certificate issues between March and May this year. Entrust -- after an initial PR disaster -- acknowledged its procedural failures and said it was treating the feedback as a learning opportunity.
The Courts

Mozilla's CPO Sues Over Discrimination Post-Cancer Diagnosis (theregister.com) 43

Thomas Claburn reports via The Register: Mozilla Corporation was sued this month in the US, along with three of its executives, for alleged disability discrimination and retaliation against Chief Product Officer Steve Teixeira. Teixeira, according to a complaint filed in King County Superior Court in the State of Washington, had been tapped to become CEO when he was diagnosed with ocular melanoma on October 3, 2023. Teixeira then took medical leave for cancer treatment from October 30, 2023, through February 1, 2024. "Immediately, upon his return, Mozilla campaigned to demote or terminate Mr Teixeira citing groundless concerns and assumptions about his capabilities as an individual living with cancer," the complaint [PDF] says. "Interim Chief Executive Officer Laura Chambers and Chief People Officer Dani Chehak were clear with Mr Teixeira: He could not continue as Chief Product Officer -- and could not continue as a Mozilla employee in any capacity beyond 2024 -- because of his diagnosis."

Chambers and Chehak are both named in the complaint, along with Mitchell Baker, the former CEO of Mozilla who stepped down in February and announced Chambers as her successor. "Mr Teixeira was enthusiastic to resume his critical role after treatment, but Mozilla would not tolerate an executive with cancer," said Amy Kangas Alexander, an attorney with law firm Stokes Lawrence who is representing the plaintiff, in an email to The Register. "When Mr Teixeira refused to be marginalized because of his disability, Mozilla retaliated and placed him on leave against his will. Mozilla has sidelined Mr Teixeira at the very moment he needs to be preparing his family for the possibility of a future without him."

The complaint claims that Teixeira, appointed in August 2022, helped reverse the decade-long decline of Firefox, which generates about 90 percent of Mozilla's revenue and is the company's only profitable product. He's further credited with growing Mozilla's advertising business, and AI capabilities, and with reducing investment in the money-losing Pocket service. These and other successes, it's alleged, led to conversation in September 2023 when Baker outlined a plan for Teixeira to become CEO. Then he took medical leave and before he could return, the complaint says, Chambers was appointed interim CEO and Baker was removed, becoming Executive Chair of the Board of Directors. [...]
A Mozilla spokesperson said in a statement: "We are aware of the lawsuit filed against Mozilla. We deny the allegations and intend to vigorously defend against this lawsuit. Mozilla has a 25-plus-year track record of maintaining the highest standards of integrity and compliance with all applicable laws. We look forward to presenting our defense in court and are confident that the facts will demonstrate that we have acted appropriately. As this is an ongoing legal matter, we will not be providing further comments at this time."
Mozilla

Mozilla Acquires Ad Metrics Firm Anonym (theregister.com) 29

Mozilla has acquired ad metrics firm Anonym in a move to "support user privacy" while delivering effective online advertising. Anonym, founded by former Meta executives in 2022, helps advertisers and ad networks measure the performance of online ads while preserving user privacy. The acquisition comes amid growing consumer concerns and regulatory scrutiny over current data practices in the advertising industry.

Mozilla CEO Laura Chambers sees this as a pivotal shift in the coexistence of privacy and advertising. Mozilla maintains that advertising is the underlying business model of the web, but it can be reformed to minimize societal harms.
Privacy

Proton Seeks To Secure Its Privacy-Focused Future With a Nonprofit Model (arstechnica.com) 19

Proton, the secure-minded email and productivity suite, is becoming a nonprofit foundation, but it doesn't want you to think about it in the way you think about other notable privacy and web foundations. From a report: "We believe that if we want to bring about large-scale change, Proton can't be billionaire-subsidized (like Signal), Google-subsidized (like Mozilla), government-subsidized (like Tor), donation-subsidized (like Wikipedia), or even speculation-subsidized (like the plethora of crypto "foundations")," Proton CEO Andy Yen wrote in a blog post announcing the transition. "Instead, Proton must have a profitable and healthy business at its core."

The announcement comes exactly 10 years to the day after a crowdfunding campaign saw 10,000 people give more than $500,000 to launch Proton Mail. To make it happen, Yen, along with co-founder Jason Stockman and first employee Dingchao Lu, endowed the Proton Foundation with some of their shares. The Proton Foundation is now the primary shareholder of the business Proton, which Yen states will "make irrevocable our wish that Proton remains in perpetuity an organization that places people ahead of profits." Among other members of the Foundation's board is Sir Tim Berners-Lee, inventor of HTML, HTTP, and almost everything else about the web.

Of particular importance is where Proton and the Proton Foundation are located: Switzerland. As Yen noted, Swiss foundations do not have shareholders and are instead obligated to act "in accordance with the purpose for which they were established." While the for-profit entity Proton AG can still do things like offer stock options to recruits and even raise its own capital on private markets, the Foundation serves as a backstop against moving too far from Proton's founding mission, Yen wrote.

Mozilla

Mozilla Defies Kremlin, Restores Banned Firefox Add-ons in Russia (theregister.com) 18

Mozilla has reinstated certain add-ons for Firefox that earlier this week had been banned in Russia by the Kremlin. From a report: The browser extensions, which are hosted on the Mozilla store, were made unavailable in the Land of Putin on or around June 8 after a request by the Russian government and its internet censorship agency, Roskomnadzor. Among those extensions were three pieces of code that were explicitly designed to circumvent state censorship -- including a VPN and Censor Tracker, a multi-purpose add-on that allowed users to see what websites shared user data, and a tool to access Tor websites. The day the ban went into effect, Roskomsvoboda -- the developer of Censor Tracker -- took to the official Mozilla forums and asked why his extension was suddenly banned in Russia with no warning.
Microsoft

Microsoft Postpones Windows Recall After Major Backlash (windowscentral.com) 96

In an unprecedented move, Microsoft has announced that its big Copilot+ PC initiative that was unveiled last month will launch without its headlining "Windows Recall" AI feature next week on June 18. From a report: The feature, which captures snapshots of your screen every few seconds, was revealed to store sensitive user data in an unencrypted state, raising serious concerns among security researchers and experts.

Last week, Microsoft addressed these concerns by announcing that it would make changes to Windows Recall to ensure the feature handles data securely on device. At that time, the company insisted that Windows Recall would launch alongside Copilot+ PCs on June 18, with an update being made available at launch to address the concerns with Windows Recall. Now, Microsoft is saying Windows Recall will launch at a later date, beyond the general availability of Copilot+ PCs. This means these new devices will be missing their headlining AI feature at launch, as Windows Recall is now delayed indefinitely. The company says Windows Recall will be added in a future Windows update, but has not given a timeframe for when this will be.
Further reading:
'Microsoft Has Lost Trust With Its Users and Windows Recall is the Straw That Broke the Camel's Back'
Windows 11's New Recall Feature Has Been Cracked To Run On Unsupported Hardware
Is the New 'Recall' Feature in Windows a Security and Privacy Nightmare?
Mozilla Says It's Concerned About Windows Recall.
Censorship

Firefox Browser Blocks Anti-Censorship Add-Ons At Russia's Request (theintercept.com) 129

An anonymous reader quotes a report from The Intercept: The Mozilla Foundation,the entity behind the web browser Firefox, is blocking various censorship circumvention add-ons for its browser, including ones specifically to help those in Russia bypass state censorship. The add-ons were blocked at the request of Russia's federal censorship agency, Roskomnadzor -- the Federal Service for Supervision of Communications, Information Technology, and Mass Media -- according to a statement by Mozilla to The Intercept. "Following recent regulatory changes in Russia, we received persistent requests from Roskomnadzor demanding that five add-ons be removed from the Mozilla add-on store," a Mozilla spokesperson told The Intercept in response to a request for comment. "After careful consideration, we've temporarily restricted their availability within Russia. Recognizing the implications of these actions, we are closely evaluating our next steps while keeping in mind our local community."

Developers of digital tools designed to get around censorship began noticing recently that their Firefox add-ons were no longer available in Russia. On June 8, the developer of Censor Tracker, an add-on for bypassing internet censorship restrictions in Russia and other former Soviet countries, made a post on the Mozilla Foundation's discussion forums saying that their extension was unavailable to users in Russia. The developer of another add-on, Runet Censorship Bypass, which is specifically designed to bypass Roskomnadzor censorship, posted in the thread that their extension was also blocked. The developer said they did not receive any notification from Mozilla regarding the block. Two VPN add-ons, Planet VPN and FastProxy -- the latter explicitly designed for Russian users to bypass Russian censorship -- are also blocked. VPNs, or virtual private networks, are designed to obscure internet users' locations by routing users' traffic through servers in other countries.
"It's a kind of unpleasant surprise because we thought the values of this corporation were very clear in terms of access to information, and its policy was somewhat different," said Stanislav Shakirov, the chief technical officer of Roskomsvoboda, a Russian open internet group. "And due to these values, it should not be so simple to comply with state censors and fulfill the requirements of laws that have little to do with common sense."
Mozilla

Mozilla Says It's Concerned About Windows Recall (theregister.com) 67

Microsoft's Windows Recall feature is attracting controversy before even venturing out of preview. From a report: The principle is simple. Windows takes a snapshot of a user's active screen every few seconds and dumps it to disk. The user can then scroll through the snapshots and, when something is selected, the user is given options to interact with the content.

Mozilla's Chief Product Officer, Steve Teixeira, told The Register: "Mozilla is concerned about Windows Recall. From a browser perspective, some data should be saved, and some shouldn't. Recall stores not just browser history, but also data that users type into the browser with only very coarse control over what gets stored. While the data is stored in encrypted format, this stored data represents a new vector of attack for cybercriminals and a new privacy worry for shared computers.

"Microsoft is also once again playing gatekeeper and picking which browsers get to win and lose on Windows -- favoring, of course, Microsoft Edge. Microsoft's Edge allows users to block specific websites and private browsing activity from being seen by Recall. Other Chromium-based browsers can filter out private browsing activity but lose the ability to block sensitive websites (such as financial sites) from Recall. "Right now, there's no documentation on how a non-Chromium based, third-party browser, such as Firefox, can protect user privacy from Recall. Microsoft did not engage our cooperation on Recall, but we would have loved for that to be the case, which would have enabled us to partner on giving users true agency over their privacy, regardless of the browser they choose."

Programming

Apple Geofences Third-Party Browser Engine Work for EU Devices (theregister.com) 81

Apple's grudging accommodation of European law -- allowing third-party browser engines on its mobile devices -- apparently comes with a restriction that makes it difficult to develop and support third-party browser engines for the region. From a report: The Register has learned from those involved in the browser trade that Apple has limited the development and testing of third-party browser engines to devices physically located in the EU. That requirement adds an additional barrier to anyone planning to develop and support a browser with an alternative engine in the EU.

It effectively geofences the development team. Browser-makers whose dev teams are located in the US will only be able to work on simulators. While some testing can be done in a simulator, there's no substitute for testing on device -- which means developers will have to work within Apple's prescribed geographical boundary. Prior to iOS 17.4, Apple required all web browsers on iOS or iPadOS to use Apple's WebKit rendering engine. Alternatives like Gecko (used by Mozilla Firefox) or Blink (used by Google and other Chromium-based browsers) were not permitted. Whatever brand of browser you thought you were using on your iPhone, under the hood it was basically Safari. Browser makers have objected to this for years, because it limits competitive differentiation and reduces the incentive for Apple owners to use non-Safari browsers.

Firefox

Firefox Power User Keeps 7,400+ Browser Tabs Open for 2 Years (pcmag.com) 116

An anonymous reader shares a report: A software engineer has been keeping nearly 7,500 Firefox tabs open on her Mac computer for over two years -- and doesn't plan on closing them anytime soon. The Firefox power user, who goes by the pseudonym "Hazel" online, posted a screenshot showing 7,470 tabs open earlier this week after finding the browser initially unable to restore all the tabs. Hazel was able to bring the tabs back to life via a Firefox profile cache, however, and tells PCMag that reloading the full session took "no more than a minute."

"I feel like a part of me is restored," Hazel wrote on X once the Firefox tabs had returned. The Firefox fan tells PCMag in a message that she keeps so many tabs open for nostalgia reasons. "I like to scroll back and see clusters of tabs from months ago -- it's like a trip down memory lane on whatever I was doing/learning about/thinking about," she says. Surprisingly, all those tabs haven't impacted the computer's performance. "Firefox is quite memory efficient and isn't actually loading the websites unless I click on the tab -- so it's not very resource intensive," Hazel says.

Ubuntu

Ubuntu 24.04 LTS 'Noble Numbat' Officially Released (9to5linux.com) 34

prisoninmate shares a report from 9to5Linux: Canonical released today Ubuntu 24.04 LTS (Noble Numbat) as the latest version of its popular Linux-based operating system featuring some of the latest GNU/Linux technologies and Open Source software. Powered by Linux kernel 6.8, Ubuntu 24.04 LTS features the latest GNOME 46 desktop environment, an all-new graphical firmware update tool called Firmware Updater, Netplan 1.0 for state-of-the-art network management, updated Ubuntu font, support for the deb822 format for software sources, increased vm.max_map_count for better gaming, and Mozilla Thunderbird as a Snap by default.

It also comes with an updated Flutter-based graphical desktop installer that's now capable of updating itself and features a bunch of changes like support for accessibility features, guided (unencrypted) ZFS installations, a new option to import auto-install configurations for templated custom provisioning, as well as new default installation options, such as Default selection (previously Minimal) and Extended selection (previously Normal)."

Firefox

Firefox Nightly Expands To Linux On ARM64 (betanews.com) 4

BrianFagioli shares a report from BetaNews: Mozilla has announced Firefox Nightly for ARM64. This release will cater to the growing demand for support on ARM64 platforms, commonly referred to as AArch64. Feedback from the community has led Mozilla to expand the availability of Firefox Nightly. Users can now access the browser as both .tar archives and .deb packages, depending on their preference and requirements for installation.

For those who favor traditional methods, the .tar.bz2 binaries are accessible through Mozilla's downloads page by selecting the option for Firefox Nightly for Linux ARM64/AArch64. Meanwhile, users looking to utilize updates and installation through Mozilla's APT repository can follow specific instructions to install the firefox-nightly package.

Open Source

The Linux Foundation's 'OpenTofu' Project Denies HashiCorp's Allegations of Code Theft (devops.com) 33

The Linux Foundation-backed project OpenTofu "has gotten legal pushback from HashiCorp," according to a report — just seven months after forking OpenTofu's code from HashiCorp's IT deployment software Terraform: On April 3, HashiCorp issued a strongly-worded Cease and Desist letter to OpenTofu, accusing that the project has "repeatedly taken code HashiCorp provided only under the Business Software License (BSL) and used it in a manner that violates those license terms and HashiCorp's intellectual property rights." It goes on to note that "In at least some instances, OpenTofu has incorrectly re-labeled HashiCorp's code to make it appear as if it was made available by HashiCorp originally under a different license." Last August, HashiCorp announced that it would be transitioning its software from the open source Mozilla Public License (MPL 2.0) to the Business Source License (BSL), a license that permits the source to be viewed, but not run in production environments without explicit approval by the license owner. HashiCorp gave OpenTofu until April 10 to remove any allegedly copied code from the OpenTofu repository, threatening litigation if the project fails to do so.
Others are also covering the fracas, including Steven J. Vaughan-Nichols at DevOps.com: OpenTofu replied, "The OpenTofu team vehemently disagrees with any suggestion that it misappropriated, mis-sourced, or otherwise misused HashiCorp's BSL code. All such statements have zero basis in facts." In addition, it said, HashiCorp's claims of copyright infringement are completely unsubstantiated. As for the code in question, OpenTofu claims it can clearly be shown to have been copied from older code under the Mozilla Public License (MPL) 2.0. "HashiCorp seems to have copied the same code itself when they implemented their version of this feature. All of this is easily visible in our detailed SCO analysis, as well as their own comments."

In a detailed source code origination (SCO) examination of the problematic source code, OpenTofu stated that HashiCorp was mistaken. "We believe that this is just a case of a misunderstanding where the code came from." OpenTofu maintains the code was originally licensed under the MPL, not the BSL. If so, then OpenTofu was perfectly within its right to use the code in its codebase...

[OpenTofu's lawyer] concluded, "In the future, if you should have any concerns or questions about how source code in OpenTofu is developed, we would ask that you contact us first. Immediately issuing DMCA takedown notices and igniting salacious negative press articles is not the most helpful path to resolving concerns like this."

Advertising

Mozilla Asks: Will Google's Privacy Sandbox Protect Advertisers (and Google) More than You? (mozilla.org) 56

On Mozilla's blog, engineer Martin Thomson explores Google's "Privacy Sandbox" initiative (which proposes sharing a subset of private user information — but without third-party cookies).

The blog post concludes that Google's Protected Audience "protects advertisers (and Google) more than it protects you." But it's not all bad — in theory: The idea behind Protected Audience is that it creates something like an alternative information dimension inside of your (Chrome) browser... Any website can push information into that dimension. While we normally avoid mixing data from multiple sites, those rules are changed to allow that. Sites can then process that data in order to select advertisements. However, no one can see into this dimension, except you. Sites can only open a window for you to peek into that dimension, but only to see the ads they chose...

Protected Audience might be flawed, but it demonstrates real potential. If this is possible, that might give people more of a say in how their data is used. Rather than just have someone spy on your every action then use that information as they like, you might be able to specify what they can and cannot do. The technology could guarantee that your choice is respected. Maybe advertising is not the first thing you would do with this newfound power, but maybe if the advertising industry is willing to fund investments in new technology that others could eventually use, that could be a good thing.

But here's some of the blog post's key criticisms:
  • "[E]ntities like Google who operate large sites, might rely less on information from other sites. Losing the information that comes from tracking people might affect them far less when they can use information they gather from their many services... [W]e have a company that dominates both the advertising and browser markets, proposing a change that comes with clear privacy benefits, but it will also further entrench its own dominance in the massively profitable online advertising market..."
  • "[T]he proposal fails to meet its own privacy goals. The technical privacy measures in Protected Audience fail to prevent sites from abusing the API to learn about what you did on other sites.... Google loosened privacy protections in a number of places to make it easier to use. Of course, by weakening protections, the current proposal provides no privacy. In other words, to help make Protected Audience easier to use, they made the design even leakier..."
  • "A lot of these leaks are temporary. Google has a plan and even a timeline for closing most of the holes that were added to make Protected Audience easier to use for advertisers. The problem is that there is no credible fix for some of the information leaks embedded in Protected Audience's architecture... In failing to achieve its own privacy goals, Protected Audience is not now — and maybe not ever — a good addition to the Web."

Slashdot Top Deals