OS X and Windows have licensed encoders, right? Is it possible for Firefox and others to use those on OS X and Windows and use a less-than-legal decoder on Linux as is, AFAIK, done for MP3s and DVDs?
The first time there is an exploit in system-provided video decoder (any decoder, not just H.264), you can be sure, who will get blamed for that - the browser, of course. So any browser maker wants to make sure, that they can update anything, that is being touched by web.
In case of Apple and Microsoft, they both can update the system provided H.264 decoder. In case of Opera, Mozilla and Google, they can not. This is one of reasons, why all three browsers bundle their own decoders (the another one is multi-platform consistency).
I think there's a certain irony in this. Isn't FOSS a big proponent of these sort of dependencies? I mean, whenever you discuss Windows or MacOS way of installing software, you'll hear how Linux does it better because each component is separate and therefore they can fix something upstream and your software will automatically use it.
But suddenly now people complain because a piece of software doesn't have control of their pieces...
How are these two views consistent?
(incidentally: I like the Linux's way, and try to replicate it as possible with Macport).
I think this has more to do with GNU/Unix design philosophy rather than being an explicit part of FLOSS ideology.
Also, you need to remember that GNU/Linux projects do have a certain amount of control over upstream, seeing as the source is publicly available and can be forked/modified. On the other hand, if Firefox relied on proprietary software, they would be completely at the mercy of decisions made upstream.
Do you think so little of the vendors that you believe they won't want to fix an error in a widely-used security-critical OS component?
Do you think so little of the ability of the Mozilla team to communicate on the details on a matter of platform security?
When programming anything, you have to decide what components you're going to depend on, and what you're going to write and maintain yourself. On a codec, or C library, or whatever.
And if there are issues with the foundation, then applications will have issues. Other applications will have issues, too.
And if you're rolling your own code for common tasks, there will still be issues. You'll all of them, too. And you'll have a much larger project.
> Do you think so little of the vendors that you believe they won't want to fix an error in a widely-used security-critical OS component?
Considering he never said that... no?
> Do you think so little of the ability of the Mozilla team to communicate on the details on a matter of platform security?
Pointless, that'll still get them blamed.
> And if you're rolling your own code for common tasks, there will still be issues. You'll all of them, too. And you'll have a much larger project.
You have a larger project but you control all the variables, or as many as you can anyway. And you can handle everything on your schedule, you don't have to depend on a third party which may or may not play ball with you (and may have absolutely no interest in playing ball).
> How are they doing now with Flash? Any record of users complaining with Firefox for a Flash bug?
Uh yes? Users complain about the browser when Flash crashes it, why do you think Firefox finally moved Flash to an external process, following the lead of Chrome and Safari (and MSIE?). Sure Flash having no 64b support plays a role, but it's not like most users realize it when Flash is involved in making their browser burst in flames or crawl to a halt.
The first time there is an exploit in system-provided video decoder (any decoder, not just H.264), you can be sure, who will get blamed for that - the browser, of course.
Is this really the case? Aren't there security flaws in platform code all the time that affect browsers along with other apps on the platform? Are those blamed on a specific browser? If both Firefox and Safari use Mac OS X's built-in h.264 and there's a hole in it, is there going to be significant widespread outrage against Firefox?
Err, I fail to see any bug in the in the Windows 'shell:' protocol handler. But other parts of the article indicate that the bug was in Firefox and was fixed in there.
>Current versions of Mozilla and Firefox pass unknown protocol handlers to the operating system shell to handle. In this case, the location passed to the shell is a program name that the shell executes.
>Internet Explorer is reported as being less vulnerable. When the user clicks on the link, it opens an "open/save" dialog box in which the user is allowed either to run the program, save it to disk or cancel. Mozilla and Firefox simply run the program without any further user action.
OS X and Windows have accelerated H.264 decoders that are available to programmers. Firefox is an application on each of these platforms. Firefox can use the native decoders like every other developer. They are already using a third-party's H.264 license (Adobe with Flash) to play this sort of video on many sites. I have a hard time seeing why using Flash is any different than using the built in.
For platforms that haven't paid the license, leave a plug-in way to do it and let others fill it just like they are letting Adobe do now.
It would be possible for Firefox to do use the system video codecs. This is the approach Microsoft has chosen to go with for IE9. Mozilla has chosen not to do this partly to prevent h.264 in Firefox from catching on, but also because doing so would surely lead to to the same problem as before: Requiring end users to install things to play video. We're back in the codec nightmares we had that flash replaced when people stopped using <object> and <embed> for video on web pages.
They originally were going to only use H.264, and only provide IE9 on operating systems where they themselves had provided the H.264 codec (Vista & 7).
They've since committed to supporting a user install of WebM but I've seen no technical details of how this will pan out e.g. what if you install more than one WebM codec from different sources? They have been clear that no other codecs (e.g. DivX, WMV, Dirac, Theora) will be picked up regardless of built in support or user installation.
As you rightly note Mozilla, particularly on XP which makes up about 60% of their user base, would be relying on god knows what kinds of codec packs that users have acquired over time, a known malware vector and so bundle their own codecs.
The "vectors" aren't installed, vectors are the way that they get installed. Training people to install codec packs when prompted in order to see a video is considered risky, since the next time they see a similar message it's likely to be someone up to no good.
My impression is that everyone will have support for h.264 on the computer anyway (it's such a common codec). And even if they don't WebM could be used as a fallback. There is no reason why we could not have support for both, and Firefox will only support h.264 via the OS.
Realistically Firefox will play H.264 via Flash just the same as IE 6, 7, 8 and so will play any video on the net (including those in old Flash formats) till those 3 browsers collectively drop below 5% or so. By which time the conversation will be about H.26_5_ and a royalty-free successor to VP8.
The solution is that IE 6, 7, & 8 won't load Flash for the HTML5 video tag either, so the same Flash fallback (probably delivering the same H.264 file given to HTML5 browsers) works for all of these highly popular browsers which currently account for something like 80-90% of all browsers between them.
Firefox only has to worry about niche, tech-forward sites that feel they can disregard all pre HTML5 browsers and also actively choose to ignore Firefox (and Opera) as well by not providing a WebM fallback video. No ordinary business can afford to simply refuse to deliver a Flash video to 1/3rd of their audience when they've already built it and are serving it to another 1/3rd on older version of IE. (This obviously occurring at some future time when the HTML5 video delivery is preferred over Flash for any platform other than the Apple ones that don't have Flash, otherwise the Flash would be going out to 99% of browsers anyway).
There's not much downside for Firefox except pissing off people who really passionately hate Flash, but are quite happy with H.264's patent situation. I'm thinking the crossover is pretty small on those two populations and probably shrinking greatly now that Apple has let Adobe use their hardware acceleration API for H.264 decode, certainly not big enough to derail a browser used by tens of millions of ordinary people.
The GIF fiasco illustrated very visibly what cans of worms can be opened when propriatary, patented technologies undermine open standards.
I tend to agree with the author that it's more of a pr coup then anything else.