Tuesday, June 28, 2011

Firefox release cycle hits warp factor 8

-Too fast for corporate use:

By releasing small, focused updates more often, we are able to deliver improved security and stability even as we introduce new features, which is better for our users, and for the Web.

We recognize that this shift may not be compatible with a large organization's IT policy and understand that it is challenging to organizations that have effort-intensive certification policies [But] tying Firefox product development to an organizational process we do not control would make it difficult for us to continue to innovate for our users and the betterment of the Web.

Kev Needham, Mozilla's channel manager, on computerworld.com.

Asa Dotzler, director of Firefox, puts it more bluntly:
I don't care about making Firefox enterprise-friendly.
computerworld.com again.

How will this affect corporate uptake of FOSS?
Mozilla has basically said that they aren't interested, at all, in corporate deployments. Oh good, a medium-sized business investigating a switch to FOSS now has a strong disincentive to make the switch. Mozilla's rejection of corporate deployments almost certainly hurts other FOSS projects, most notably Linux.
dasein, writing on the Debian forum.

What about Debian users? Squeeze came with Firefox 3.5- by the time Wheezy arrives, Mozilla could have issued Firefox 12. Well, Debian users can get the latest release from the Debian Mozilla team, as mentioned in a previous post.

Saturday, June 18, 2011

LibreOffice arrives in Squeeze backports

I'm using an old Lenny machine at the moment and not my usual Squeeze laptop, but this is something I'm going to try as soon as I get back to it.

Details on the Debian forum.

Update: Official announcement and installation instructions on debian.org.

Mouse pointer highlighter trail in GIMP

The default setting in the GIMP has a mouse pointer highlighter active. It makes working in GIMP difficult- to the point that it's been mistaken for a bug. I came across this issue before- and disabled the highlighter immediately. Using another computer today, I came across the same issue, but I'd forgotten how I'd fixed it- and it took me a while to find the solution. Eventually I found it on Pimp my GIMP.

Go to File>Preferences>Image Windows and untick Show brush outline.

Update: this looks like a Debian Lenny issue: my Debian Squeeze machine doesn't have this problem. Time to update the old laptop I was using when I wrote this post, probably.

Friday, June 10, 2011

Do I need an Anti-virus program on Linux?

This is a question often asked by new users of Linux. (See here.) The short answer often given is no, but that answer often stirs controversy. (See here.)
I haven't used an anti-virus program in Linux for years (although I've tried all the free ones). My answer to the question, as a home user of Linux-only computers who doesn't share files with Windows users, is also no. Obviously I've caveated that answer, and there are plenty more caveats, so here are some points to beware.
  • Saying that you don't need an anti-virus doesn't mean that Linux malware doesn't exist. It does.
  • Saying that you don't need an anti-virus doesn't mean that you don't need to be careful about security in Linux. You do.
  • For new users of Linux, that attention to security means getting software from the distribution's digitally signed software repository, or trusted sources. (For example, I have installed software from Opera and HP in addition to software from the Debian repository.) This guide is not intended for or likely to be useful to more advanced users of Linux.
  • Linux malware exists, but Linux users are very unlikely to encounter it. Don't go downloading packages from the internet and you won't. (Obviously, with so much free software available in distribution repositories, Linux users won't be on crack sites or peer-to-peer networks downloading dodgy executables that claim to unlock Windows programs.)
  • Most Linux anti-virus programs don't do the background scanning of files that Windows anti-virus programs do. If you want to scan a file, you have to do it manually.
  • Why use one installed scanner to scan a file when you could send it to Virustotal and have 30 or so scanners check it? (And please see the point above about not downloading packages from untrusted sources in the first place.)
  • Linux users are simply not affected by the web-borne exploits that install software willy-nilly on Windows systems.
  • Most Linux anti-viruses are primarily intended for file servers, not desktop environments. Yes, an anti-virus is recommended in that situation- beyond the scope of this simple guide. But if you have a dual partition with Windows, or share files with Windows users, yes, an anti-virus is useful- but you'll be looking for Windows viruses.
  • There is no certainty that anti-virus programs will detect a malicious file, as I demonstrated here and here.
  • Linux anti-virus programs are meant as file scanners, not system scanners- scanning the /root (system) directory is likely to result in a lot of frightening warnings (for the new user) which actually don't indicate any sort of infection. See here and here.
  • Institutional network users running Linux may well be asked to use an anti-virus program- I'm not here to contradict your system administrator. Mostly the concern is that Linux users will pass Windows malware around. But there is also the possibility that these users will have valuable information and may be targeted by criminals- and receive a Linux Trojan in their email inbox, for example.
  • Where untrusted and possibly malicious people have physical access to a computer, there is the possibility that they may try to run malicious software. This area is outside my experience. Untrusted people don't use my computer. In institutional situations like this, the answer may be yes, an anti-virus might be a good idea. Listen to your system administrator or consult a more advanced guide.
  • Most of the people advising that home users of Linux need an anti-virus program are Microsoft shills spreading FUD. The idea that you can run a computer connected to the internet without anti-virus protection or risk of infection tempts users away from Windows, and Microsoft has never been above a little black propaganda. More importantly, these people don't actually look at the evidence when they tell you it's not safe to run Linux without an anti-virus.

Thursday, May 26, 2011

Google country settings

I'm abroad for a while, using my old Lenny laptop, and doing some Googling this morning, I noticed I was getting results from google.com- not what I wanted as I was looking specifically for UK based advice pages on a certain topic and was seeing US pages. I remembered that I'd been able to set Firefox to use google.co.uk on my other laptop while abroad- fortunately I found the link again. The Mycroft Project has a page that allows you to set Google search in Firefox to get results from just about any country's own Google page.

Wednesday, May 11, 2011

Virtual browsing

My two previous posts remind me of this site somebody pointed me to recently. It purports to test recent malware against quite a few if not most of the best Windows security products. I think these tests are a better indication of the effectiveness of security products (anti-virus, anti-spyware etc.) than tests against a huge bank of malware samples. In such tests, security products often score 96-97% in detecting malware; in tests like this, they score far lower- 40-60%- because "0-day" malware is designed to evade detection- and largely does.
This is why the results obtained by DefenseWall (a product I'd never heard of) impressed me: 100% protection. How do they do it? Well I checked the product web site, and it seems DefenseWall is a virtual system: a computer within a computer. av-comparatives.org has a review. (The DefenseWall site seems to have disappeared, so I don't know if the product still exists.)
Running a virtual system is one way to beat malware- until the virtual system is breached, and you need to run the virtual system in a virtual system to remain secure- but it must carry a performance penalty.
While Windows users are running virtual machines and sandboxes to remain secure, I'm running Linux with no layers of virtualisation, no sandboxes, no HIPS or behaviour blocker- indeed, no security products at all to slow down my computer. Of course it's possible to argue that this security is down to Linux's low profile rather than inherent superior security, but for the moment at least Linux is ipso facto more secure.

Chrome's sandbox compromised?

A French security research firm boasted today that it has discovered a two-step process for defeating Google Chrome's sandbox, reports Brian Krebs.

A comment has a solution:
Chrome is in fact one of several browsers that I utilize, but each Internet facing application on my system also runs in an “untrusted” state in a DefenseWall sandbox. So when I’m running Chrome, it’s like having a sandbox encapsulated in another sandbox.
And so ad infinitum.