Mozilla claimed that it fixed the flaw in its most recent Firefox 2.0.0.2 update. Chapin doesn't quite agree.
Chapin has issued an advisory noting some 22 risks associated with the Mozilla Password manager and that in his estimation, less than 25 percent of the risk represented by these problems has been resolved in the release of version 2.0.0.2.
A Mozilla spokesperson was not immediately available for comment.
According to Chapin, Mozilla has requested discussion of all remaining matters be separate from the original bug as posted by Chapin on the Mozilla Bugzilla system.
"I think to a large extent Mozilla wants to start dividing this bug into separate issues due to limitations of the Bugzilla system," Chapin told internetnews.com. "This particular bug received a healthy amount of attention and three hundred ninety message replies. To continue in the same thread would mean downloading all of the messages and scrolling to the bottom of the list on each visit."
Chapin went on to explain that some decisions about the bug were made outside of the open discussion on the bugzilla report. In his view, the lack of openness is contrary to the entire concept of open-source development.
"The decision-making process could be much smoother and involve the participants more," Chapin said. "I do think it is premature to describe this bug as "fixed", but Mozilla seems to define this bug in terms of what the patch fixes, rather than what problems have been identified."
The issues identified by Chapin and how Mozilla dealt with them or didn't could well be indicative of a larger problem within the Mozilla development process.
"When I look at each of the 22 risks we identified, the messages about them, and their status, it seems that Mozilla is treating them all as separate issues," Chapin explained. "We tried to show in our analysis that there is a bigger picture."
The way Chapin sees it there is a large number of minor flaws contributing to the underlying problem. By dismissing each minor flaw as being theoretical or not exploitable leads to having what Chapin called 'a toxic brew of code' that works in theory, but breaks down in practice.
"In several instances, we demonstrated that two or more of these flaws were interacting with each other to multiply the security risk," Chapin said. "These examples become increasingly complex and difficult to predict with the number of flaws at play."
