
MOSS supports four more open source projects in Q3 2016 with $300k - edmorley
https://blog.mozilla.org/blog/2016/10/03/moss-supports-four-more-open-source-projects-with-300k/
======
chubot
Are there open source projects who are not prepared to receive this kind of
contribution?

What are the funds used for? Hosting? Paying developers?

If it's for paying developers, then I imagine there could be political issues
where some contributors are working for free, and some are paid. How do you
apportion the funds?

~~~
lkjhgfdsa57
Freenet is facing this. They got a 25k donation from DuckDuckGo and for the
last couple of months have been debating how to spend it, whether the previous paid
developer gets to continue, etc. They're running a poll at the moment to
decide on projects and priorities. The developer mailing list has the details.

~~~
seibelj
Do not use Freenet without additional precautions like VPN. Merely using
Freenet is enough to have the cops raid your house, whether guilty or
innocent.[0]

[0] https://news.ycombinator.com/item?id=11590880

------
mastazi
The Mozilla Foundation need to clarify their long term commitment to the
Thunderbird project; in my opinion this is not enough:
https://blog.mozilla.org/thunderbird/2015/12/thunderbird-active-daily-inquiries-surpass-10-million/
because it is unclear what the long term plans
will be.

Let's be honest, the "temporary home" solution is not really what the users'
community wants to hear.

~~~
Illniyar
I think they've been very clear in their actions. Thunderbird is dead. RIP.

~~~
mintplant
Eh, I wouldn't say that. Most everyone I know inside Mozilla uses Thunderbird.

~~~
stonogo
That is not enough to keep the software maintained.

------
hannob
Just skimmed through the zlib report.

Summary:

* They tested on binary level with CRS from Trail of Bits and on source level with TIS Interpreter from Pascal Cuoq.

* CRS found no bugs, TIS Interpreter found 5, of which they classified 4 as low and one as medium severity. All are C undefined behavior issues.

This doesn't necessarily mean CRS is bad, it may just mean that there are no
bugs of the classes CRS finds in zlib.

Also notable that zlib hasn't released the fixes yet, they're just in the
GitHub repo. The last version is from 2013.

~~~
dguido
Close! tis-interpreter requires inputs to drive it, so we fed it inputs that
the CRS generated, that AFL generated, and some existing test cases.
tis-interpreter found 4 bugs and clang found 1.

> This doesn't necessarily mean CRS is bad, it may just mean that there are no
> bugs of the classes CRS finds in zlib.

Yes, exactly! This is why we included so much detail about coverage in the
report. Basically, "stop looking for these kinds of bugs in these places,
focus your efforts elsewhere in the code."

------
van_gaal
Considering how important Open Source is to modern tech companies, 300k is
just a drop in an ocean.

~~~
mynameislegion
Most modern tech companies are contributing to open source, via both
sponsorship and developer time. It would be great if they did more of course.

------
dfc
I was browsing through the Mozilla security blog and saw that they did some
work on OWASP's "alternative" to Burp Suite, ZAP. Which was a little
surprising. That project could certainly use a little influx of cash/developer
time.

~~~
grungleshnorts
The ZAP project lead, Simon Bennetts, works for Mozilla:
https://www.owasp.org/index.php/User:Simon_Bennetts

I believe Mozilla pays him to spend a substantial amount of his time (like 50%
or more) working on ZAP.

------
butwhy321
When will you support Wayland?

