[Moziax] Feedback

Scott Gifford sgifford at suspectclass.com
Mon Jul 10 02:43:36 EDT 2006


Jean-Denis Girard <jd.girard at sysnux.pf> writes:

[...]

> Though I'm happy and encouraged to continue, the problem is that I get
> absolutely no feedback. People who took time to subscribe to the mailing
> list may be more involved, so I'd like to ask what you think about
> MozPhone. Does it work for you, is it useful, what needs to be done to
> improve it, what is really missing, what is useless...?

Hi Jean-Denis,

Since the Web site for sysnux.pf is in French, I'll be very frank in
my comments.  Some are positive and some are negative.  Please don't
take any of the negative ones personally, they're just the thoughts I
had as I learned more about Moziax and IAX in general.

First impression of MozPhone: A little flakey.  After installing it
and running it for the first time, the window wouldn't close, and I
had to kill Mozilla by hand.

Second impression: After that first glitch, it worked great!  In short
tests, I was able to make and receive calls, have URLs pop up
automatically with an incoming call.  I was very impressed.

Third impression: Hrm...In longer tests, I keep getting disconnected
with no explanation.  I later found this to be a faulty iaxclient
library, as I mentioned in an earlier email to the list.  Maybe it
would be worthwhile to try and get the necessary fixes into iaxclient.

Fourth impression: Well, let's see if I can debug this.  Hey, what's
this?

        char txt[256];
        sprintf( txt, "m,%s,%s\r\n", type, data );

Wow, looks like horribly insecure code, a buffer overflow to be
specific.  Maybe it's not, but it will be a lot of work to find out.
I'll see if I can find something written more carefully and securely.

Fifth impression: Hrm, I can't find anything that works as well as
Moziax.  I guess I'll try Moziax again, and take a closer look this
time.

That's where I am right now.  I'm working on adding the features I
need, and if everything else works I'll try to do at least a small
security audit of the code and fix any problems I can find.

My suggestions:

  * Take a close look at the security of this code.  If there's a
    reason all of these sprintf's aren't security problems, document
    that.  Better yet, code defensively and change them to snprintf.

  * Fix the weird problem where Moziax won't shut down the first time
    it's run.  This makes a bad first impression.

  * Ship a better iaxclient, and/or push for iaxclient to be fixed.
    Although it's not really Moziax's fault, it makes a bad third
    impression.  :)

  * An always-on-top feature, tray feature, or similar would be very
    useful for receiving calls.  Otherwise the phone tends to get lost
    behind other windows, and when you get a call it's hard to figure
    out what's going on.  I'm working on adding this, but I'm new to
    XUL so it's taking me a long time.  FoxyTunes does a nice job with
    some of this:

      http://www.foxytunes.com/

    see in particular FoxyTunes Mini:

      http://www.foxytunes.com/firefox/download/2.0-preview-1.html

  * I'm also working on adding a "Login" screen, for shared
    workstations, so that when you sit down you provide your IAX
    username and password to authenticate as soon as the phone starts.

  * I had a hard time getting MozIAX to install and build
    out-of-the-box on Windows.  The XPI script was missing some files,
    and I had to hunt around and poke at a lot of things to get it to
    work.

  * I also found it challenging to set up a Windows build environment
    (though Linux was easy).  Some good instructions (or a link to
    good instructions) would have been a huge help, and made me much
    more inclined to participate.

As I said, I'm working on some of these, and I'll send patches as I
get things working.

Overall, the software works well and I think this is a great project.
But it seems to me there are still some things that need fixed before
it's ready for a wider audience.

Thanks,

----ScottG.
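
Added example (not part of the original message and not Moziax code): a bounded form of the formatting call quoted above, using snprintf as the first suggestion recommends and rejecting input that would not fit.  The helper name format_event and the sample values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define TXT_SIZE 256  /* same size as the buffer quoted in the message */

/*
 * format_event() is a hypothetical helper, not a Moziax function.
 * It writes "m,<type>,<data>\r\n" into out, which holds out_size bytes.
 * Returns the message length on success, or -1 if the message would not
 * fit or formatting failed.  On failure out is left as an empty string,
 * so a truncated message without its CRLF terminator is never passed on.
 */
int format_event(char *out, size_t out_size, const char *type, const char *data)
{
    int n;

    if (out == NULL || out_size == 0 || type == NULL || data == NULL)
        return -1;

    /* snprintf never writes more than out_size bytes, and returns the
       length the full message would have had. */
    n = snprintf(out, out_size, "m,%s,%s\r\n", type, data);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char txt[TXT_SIZE];
    char long_data[512];  /* constructed oversized input */

    memset(long_data, 'A', sizeof long_data - 1);
    long_data[sizeof long_data - 1] = '\0';

    /* "ring" and "1234" are constructed sample values. */
    printf("short input: %d\n", format_event(txt, sizeof txt, "ring", "1234"));
    printf("long input:  %d\n", format_event(txt, sizeof txt, "ring", long_data));
    return 0;
}
```

Checking the return value matters as much as the switch to snprintf: silently truncating would avoid the overflow but still hand a malformed message to whatever reads it.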