

Introducing Mozilla Winter of Security 2014 - jvehent
https://blog.mozilla.org/security/2014/05/15/introducing-mozilla-winter-of-security-2014/

======
yalogin
This sounds like a great way for students to do some real work. Are there any
legal issues to this? Are students allowed to work on Mozilla projects while
at school when they are not paid (not an internship)? Or is it alright since
the whole thing is open source? The question becomes more relevant because a
good percentage of the students (especially masters students) are on student
visas and are not allowed to work outside the campus. Am I overthinking this?

~~~
Morgawr
Not sure how it works in the US, especially because every country has its own
rules, but I don't think there will be any problem. There seems to be no
mention of any pay so it can be treated as any other University project (I
guess).

In my Master's programme (studying in Amsterdam, so not an American) we can
choose to work on University-approved projects (it's up to the professor) and
can receive credits for them. A few friends of mine have worked at GSoC
projects and got credits from those, I'm currently doing some independent
research with a mentor/tutor and will get credits once I finish (and hopefully
publish). This doesn't sound any different.

~~~
jvehent
This is exactly what MWoS is about.

------
higherpurpose
Winter _is_ coming at Mozilla, but only because they've chosen to betray their
community and adopt DRM, too.

~~~
Ygg2
Riiight. Unlike other browser vendors with more than >5% marketshare, which
all voted NO on DRM.

Anyway the message is frivolous and OFF TOPIC.

~~~
pjc50
Not entirely: the DRM code modules are necessarily closed-source and cannot
easily be audited for security vulnerabilities. Given that _Adobe_ is
apparently supplying one, and given the number of remote exploits provided by
the PDF reader plugin, I think it's reasonable to assume that the DRM modules
can present a security risk.

~~~
pcwalton
The CDM is strictly sandboxed.

~~~
pjc50
So it's not native code? Interesting.

~~~
pcwalton
It's native code, but it's strictly contained within an open source sandbox
that implements all the interfaces it can use to communicate with the outside
world.

~~~
justinschuh
Could you provide a link to the source for the sandbox implementation?

~~~
pcwalton
I'm not on that team so I'll have to get back to you—it's quite possible that
the code hasn't been written yet. Currently, we use the Chromium sandbox [1]
for sandboxing where it's supported.

[1]: http://mxr.mozilla.org/mozilla-central/source/security/sandbox/

