Slashdot Mirror


Firefox 3.5.1 Released

alek writes "A day after Slashdot reports about a self-inflicted vulnerability in Firefox 3.5, Mozilla releases 3.5.1. It addresses that security issue, but also fixes the annoying slow-startup on Windows. Bummer the UNIX wars have subsided, because apparently they also had to fix a problem where Firefox on a Sparc platform would crash when visiting www.hp.com!"

45 of 147 comments

  1. I'd fix bugs and contribute quality code by Anonymous Coward · · Score: 2, Informative

    But I need build instructions and test instructions and possibly a youtube video, written/made for a student, not for a programmer that already knows a number of things about firefox. That is the way I feel about most open-source projects. I don't want to contribute in huge quantities, but only bugfixes, in any area and not limited to any particular technology. Sadly, I see such build-instructions missing or the build-instructions are too complicated in major open-source projects that could use bug-fixers early in the cycle.

    1. Re:I'd fix bugs and contribute quality code by koreaman · · Score: 4, Interesting

      You should try fixing some bugs in Sunbird, if Mozilla interests you but the hugeness of Firefox is intimidating. I was able to contribute code (granted, only two lines) to Sunbird that fixed a real live bug, and I was in high school at the time.

    2. Re:I'd fix bugs and contribute quality code by EsbenMoseHansen · · Score: 4, Informative

      Here, let me click on the top link for "firefox build instructions" in google: simple firefox build. Looks pretty standard to me. Tests, if there are any, are usually automated or findable by a similar exercise.

      --
      Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
    3. Re:I'd fix bugs and contribute quality code by Anonymous Brave Guy · · Score: 2, Interesting

      That's cute, but missing the point.

      The majority of us use Windows, and will therefore probably want to develop on that platform.

      If you read the Windows section of the page you linked to, the very first line is "Building on 64-bit Windows does not seem to be supported."

      If you read the rest, you get told about using Visual Studio Express Editions and Windows SDKs, but as anyone who's tried it will know, just finding and installing the right SDKs there can be tricky. (Microsoft's own web site had links to an out-of-date version for a while, which didn't help.)

      Then you get to the MozillaBuild bit. What, yet another proprietary build system? At that point, I really start to shudder, because even if an experienced Windows developer might already have Visual Studio, .Net and the Windows SDKs installed, they won't have this. Using Mercurial isn't so bad (at least it's not Git) but it's still going to be different to what most Windows developers are familiar with.

      Then there are the fiddly bits of actually building it, to do with the Windows user home directory stuff that approximately no-one actually uses.

      Seriously, if you think this is a "simple" build procedure that's going to get casual volunteers contributing small fixes, you're not part of the solution, you're part of the problem. A simple build consists of "get_source_code <directory>" followed by changing to that directory and "make". If yours is more complicated, it's a roadblock to casual contribution, by which I mean contribution by those who don't make a full-time hobby of working on the project but would be happy to help fix the odd bug or implementing a minor feature they really want.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    4. Re:I'd fix bugs and contribute quality code by RiotingPacifist · · Score: 2, Interesting

      If there is a browser/extension (they run at browser level)/plugin (yes even a flash or adobe exploit) or other program vulnerability they can permanently modify your firefox binary to execute whatever code they want. In addition to having your user account, where all your data is, completely owned, no OS has a particularly good record on preventing malicious binaries from getting root (ubuntu with sudo is particularly bad as it can just request permissions just after you grant another process root using sudo) (and unless you've gone out of your way all your protection (apparmor in particular) is next to useless against a 3rd party binary). And I wouldn't dream of putting plugins in ~ either, even if it means it takes a few minutes they belong in /usr/share/mozilla/plugins/ (or /usr/lib64/m... for some reason on this fedora)

      So in summary, as I have no clue about security, I make sure my 3rd party binaries are safely locked away in /opt and can only be updated by root.

      --
      IranAir Flight 655 never forget!
    5. Re:I'd fix bugs and contribute quality code by turgid · · Score: 2, Insightful

      The majority of us use Windows, and will therefore probably want to develop on that platform.

      Right...

      Seriously, if you think this is a "simple" build procedure that's going to get casual volunteers contributing small fixes, you're not part of the solution, you're part of the problem.

      All that proprietary closed-source software required to build Open Source software (any software, really). Difficult to obtain, difficult to install and difficult to configure.

      It sounds like Windows is the problem. All of those development tools are standard on Linux (your distro comes with them) and they're all configured ready to use "out of the box" when you install them (if they're not installed by default).

      You will find that unix-like OSes are far more user-friendly as development environments. It's no accident that GNU chose unix to embrace and extend. That's why all of this open source stuff is for Linux first and foremost.

      As more of you come to find this out first-hand, more of you will switch away from Windows to a Linux, Mac OS X or *BSD.

  2. Re:FROSTY PISS by theheadlessrabbit · · Score: 2, Insightful

    I have yet to see a single blue screen on Linux.

    FOSS isn't perfect, it's just a whole lot better than one of the competitors.

    and I enjoy my FOSS haven very much, thank you.

    --
    -I only code in BASIC.-
  3. slow start for _some_ by asa · · Score: 4, Informative

    Your post says "but also fixes the annoying slow-startup on Windows." which suggests that all Windows users were experiencing slow starts. That's not the case at all. It was only a small fraction of users affected by the now fixed issue. And for the record, the security flaw was already fixed, even before it was lifted from our bug database and turned into a public exploit. It just takes a few days to get everything in order for a release to users.

    1. Re:slow start for _some_ by BadAnalogyGuy · · Score: 4, Funny

      slow start for _some_. Miniature Type-R stickers for others.

    2. Re:slow start for _some_ by Toonol · · Score: 2, Interesting

      From the link, it appears that files (probably having an excessive amount of files) in the IE cache was slowing down Firefox cache? Isn't the Firefox cache entirely separate? Does it look in the IE cache to try to be friendly and helpful, and if so, can that behavior be turned off?

    3. Re:slow start for _some_ by cratermoon · · Score: 2, Informative

      No less a personage than Brendan Eich says the whole issue with slow startup in the NSS module is snake oil that does nothing but "waste users' time at startup pretending to scrape entropy off the filesystem."

    4. Re:slow start for _some_ by ahecht · · Score: 4, Interesting

      NSS (Network Security Services) 3.12.3 is using IE temporary internet files to generate seeds. Sounds thoroughly stupid to me, as it means that if you never use Internet Explorer, your cryptographic seeds won't change. How about using the process list or something not Hard Drive dependent to generate the seeds instead?

    5. Re:slow start for _some_ by TheSeer2 · · Score: 2, Informative

      It was user situation dependent. Firefox was reading all of a user's temp files to seed its RNG or something along those lines so if you had a lot of large temp files your startup time would be quite large.

      Regardless, it still takes 5x Chrome's startup time with the fix so... peh.

    6. Re:slow start for _some_ by ahecht · · Score: 5, Informative

      On further study, NSS DOES use process IDs and many, many other factors to generate the seeds. Searching the additional file locations ("C:\Documents and Settings\*user*\Local Settings\History", "C:\Documents and Settings\*user*\Local Settings\Temporary Internet Files", "C:\Documents and Settings\*user*\My Recent Documents", "C:\Documents and Settings\*user*\Temp\", "Recycle Bin", and "Network Neighborhood") were added because some older OSs (Win2k and WinCE) didn't have strong enough built-in pseudo-random number generators.

      This patch changed NSS to use the built-in PRNG in Windows XP and up which uses "process ID and thread ID, the system clock, the system time, the system counter, memory status, free disk clusters, and the hashed user environment block".

    7. Re:slow start for _some_ by klui · · Score: 4, Informative

      OS dependent. They coded for the case where Windows CE/2000 did not have a certain call and they wanted to get good entropy for their RNG in NSS. https://bugzilla.mozilla.org/show_bug.cgi?id=501605

    8. Re:slow start for _some_ by bunratty · · Score: 2, Insightful

      I have never understood why people make such a big deal over Firefox startup times. It's a few seconds. On my two-year-old laptop, Firefox 3.5.1 starts in two seconds. Granted, Chrome starts in less than one second, but in absolute difference it's about a second.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
  4. Re:FROSTY PISS by basementman · · Score: 5, Funny

    So what you're saying is Microsoft could fix all of their problems by changing the color of the screen?

  5. Good. by xlotlu · · Score: 4, Insightful

    Now I can re-enable TraceMonkey and slashdot will be fast again... sorta.

  6. Re:Blue screen by EsbenMoseHansen · · Score: 4, Informative

    Actually, the linux blue screen of death is blinking of 2 (or is it three?) of the keyboard leds. Though support for blue screen of death is coming, by the name of kernel mode-setting. It is pretty rare, though.

    Lockups I have seen, too, in both linux and windows. Lots of cases is hardware problems, but your problem sounds like a driver issue. Using proprietary drivers, perhaps?

    --
    Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
  7. Re:Someone tell Canonical. by xaxa · · Score: 4, Informative

    I installed it ages ago:

    aptitude install firefox-3.5

    http://packages.ubuntu.com/search?searchon=names&keywords=firefox-3.5

  8. Re:Someone tell it to Canonical. by Eighty7 · · Score: 3, Informative

    https://launchpad.net/~fta/+archive/ppa

    Just add the fta repository & install "firefox-3.5". They even link to a mozilla daily build repository if that's your thing.

  9. Re:Blue screen by Zancarius · · Score: 4, Interesting

    Lockups I have seen, too, in both linux and windows. Lots of cases is hardware problems, but your problem sounds like a driver issue. Using proprietary drivers, perhaps?

    This is true. I've had my share of complete freezes under Linux. Ironically though, SSH access to the box still typically works and I can kill X if ctrl+alt+backspace doesn't work. It's rare to have a freeze that completely evicts all sense of response from the system (though I've had this happen before).

    Interestingly, the last unusual behavior I had under Linux was when a video card blew 4 out of 7 or 8 capacitors. That was a real treat.

    --
    He who has no .plan has small finger. ~ Confucius on UNIX
  10. Re:FROSTY PISS by Opportunist · · Score: 5, Funny

    Make it black and hope people just think they accidentally turned their computer off.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. Google Gears disabled again?! by sakis · · Score: 5, Insightful

    Kind of offtopic, but by upgrading to FF 3.5.1, Google Gears is again disabled. Why did Google allow it to be compatible with only 3.5.0?!

    1. Re:Google Gears disabled again?! by Threni · · Score: 2, Insightful

      Perhaps their time machine isn't working and they couldn't check that future releases worked, and decided it was safer to only support versions of Firefox they're sure about. You can always wait, if it's important for you, or upgrade then downgrade again if you didn't want to check first and have to have it working for you. It's better than the alternative - Google allowing what is essentially an untested upgrade.

    2. Re:Google Gears disabled again?! by BZ · · Score: 2, Informative

      Because Gears uses low-level binary hooks (e.g. completely replacing the Firefox HTTP cache with its own) and presumably doesn't want to worry about your browser crashing due to a code change on the Firefox end?

  12. Re:Someone tell it to Canonical. by Haiyadragon · · Score: 2, Informative

    Scroll down to firefox-3.5. Stupidly, this package doesn't overwrite the firefox package, meaning that applications will still use 3.0 to open links. Even if you remove the firefox package, firefox-3.5 is still not used. Changing the webbrowser in preferred applications seems to work on some applications...

    Anyway, in the end I just symlinked like so: ln -s /usr/bin/firefox-3.5 /usr/bin/firefox, and everything worked great.

  13. Holy negatives Batman! by XanC · · Score: 2, Funny

    "Now correct me if I'm incorrect, but was I told it's untrue that people in Springfield have no faith? Was I not misinformed?"

  14. Re:Blue screen by Anonymous Coward · · Score: 2, Insightful

    You can hardly call it a complete freeze if "only" X is frozen. Still pretty annoying but as you say you can usually recover by killing and restarting X.

  15. Re:Someone tell it to Canonical. by Runaway1956 · · Score: 2

    So - who got brave, and installed FF 3.6? Am I that brave, or am I not? Hmmmm........

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  16. Re:Blue screen by msuarezalvarez · · Score: 4, Insightful

    Ironically though, SSH access to the box still typically works...

    That is not ironic: it is good design...

  17. And from Unix wars... by Fotograf · · Score: 2, Funny

    will obviously rise the new Desktop OS, the Unix peace will mark year of BSD on desktop!!

    --
    God's gift to chicks
  18. Re:Blue screen by Anonymous Coward · · Score: 2, Interesting

    If you can't bring it back and you're not doing something stupid then it's probably hardware

    As I said in the "Blue screen" post, I can't even use the "Magic SysRq key". I've invested several days in solving this. I'm definitely not doing something stupid. It definitely isn't the hardware. It's a problem between ATI's drivers and the rest of the OS.

  19. problem? by shacky003 · · Score: 3, Funny

    "...fix a problem where Firefox on a Sparc platform would crash when visiting www.hp.com!" Much like the memory leak to nowhere, it wasn't a problem - it was a feature!

  20. Re:Someone tell it to Canonical. by Anonymous Coward · · Score: 3, Informative

    Ubuntu uses update-alternatives to select between different packages providing the same functionality

    to see which browsers are installed:

    update-alternatives --list x-www-browser

    to select firefox-3.5:

    update-alternatives --set x-www-browser /usr/bin/firefox-3.5

  21. Re:Blue screen by TheLink · · Score: 4, Insightful

    > Still pretty annoying but as you say you can usually recover by killing and restarting X.

    a) If you are a "Desktop Linux" user running actual Desktop applications, that means you lose most of your unsaved work (if there is a way to not lose the unsaved work, please let me know).
    b) If you use X as just a way to run screen/vi/emacs and browsers, then you are less affected.

    Basically if I let my mom/uncle/aunt use "Desktop Linux" and X locks up, it's effectively as bad as a BSOD for them.

    Saying X freezing is not a problem since you can usually recover by killing and restarting it is like saying that Windows 95 is stable as long as you regularly shutdown/exit to dos and type win to restart it[1].

    [1] you could actually do that in the old days of Win 95 :).

  22. Re:version numbers by Rhapsody Scarlet · · Score: 4, Informative

    Going by previous versions of firefox, shouldn't it be 3.5.0.1 rather than 3.5.1?

    Mozilla decided to simplify that with Firefox 3 (note that the upcoming security release for Firefox 3 is 3.0.12, not 3.0.0.12). Exactly why they used four numbers in the first place is something I don't know, it seems it started with Firefox 1.5. I know that one advantage touted of XPCOM was the ability to easily make incremental updates, so maybe there was a plan for a Firefox 1.5.1 and 1.5.2 (with the final number for each being used for security updates). Of course that would've been complicated and silly, so it seems the plan was abandoned and the version number compacted.

  23. Re:FROSTY PISS by Anonymous Coward · · Score: 5, Funny

    Make it black and hope

    Obama-mode

  24. Firefox 3.5.1 released by Anonymous Coward · · Score: 3, Insightful

    so can anyone tell me why Firefox felt like it had to scan my hard drive in the first place? i had it set to delete history on exit. why then did it feel like it had to go looking in *other* programs' folders for history files?

  25. gpg: Note: This key has expired! by Anonymous Coward · · Score: 3, Interesting

    gpg --verify "Firefox Setup 3.5.1.exe.asc"
    gpg: Signature made 07/15/09 19:56:19 using DSA key ID 17785FE8
    gpg: Good signature from "Mozilla Software Releases <releases@mozilla.org>"
    gpg: Note: This key has expired!
    Primary key fingerprint: 8D6F 1BA4 A340 4DDB 3F2F  D080 7447 4499 8123 47DD
         Subkey fingerprint: 3338 E6BA FF10 3B3D A6A9  E424 B57B 5484 1778 5FE8
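
Added example, not part of the comment above and not Mozilla's release tooling: the transcript shows a signature that verifies cryptographically while the signing key is flagged as expired, a case an automated download check should separate from both a clean pass and a bad signature. The sketch classifies the machine-readable lines that `gpg --status-fd 1 --verify` emits; the sample status lines are constructed from the key ID and fingerprints in the transcript (timestamp and algorithm fields are invented), and the accept/hold/reject policy is an assumption.

```python
from typing import NamedTuple, Optional

# Per-signature status keywords documented in GnuPG's doc/DETAILS.
SIG_STATES = {
    "GOODSIG": "good",
    "EXPSIG": "signature-expired",
    "EXPKEYSIG": "key-expired",
    "REVKEYSIG": "key-revoked",
    "BADSIG": "bad",
    "ERRSIG": "unverifiable",
}

# Constructed sample: status lines matching the transcript above (key ID and
# fingerprints from the comment; timestamp and algorithm fields are invented).
SAMPLE_STATUS = """\
[GNUPG:] EXPKEYSIG B57B548417785FE8 Mozilla Software Releases <releases@mozilla.org>
[GNUPG:] VALIDSIG 3338E6BAFF103B3DA6A9E424B57B548417785FE8 2009-07-15 1247687779 0 3 0 17 2 00 8D6F1BA4A3404DDB3F2FD08074474499812347DD
"""
PINNED_PRIMARY = "8D6F 1BA4 A340 4DDB 3F2F  D080 7447 4499 8123 47DD"


class Verdict(NamedTuple):
    decision: str               # "accept", "hold" or "reject" (assumed policy)
    state: str
    signing_fpr: Optional[str]
    reason: str


def _norm(fpr: str) -> str:
    """Strip spacing so a printed fingerprint compares equal to the raw hex."""
    return "".join(fpr.split()).upper()


def classify(status_text: str, pinned_primary_fpr: str) -> Verdict:
    state = signing = primary = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in SIG_STATES:
            if state is not None:
                return Verdict("reject", "multiple", None, "more than one signature result")
            state = SIG_STATES[keyword]
        elif keyword == "VALIDSIG" and len(fields) >= 3:
            signing = fields[2]
            # The tenth VALIDSIG argument is the primary key fingerprint.
            primary = fields[11] if len(fields) >= 12 else fields[2]
    if state is None:
        return Verdict("reject", "none", None, "no signature status reported")
    if state not in ("good", "key-expired"):
        return Verdict("reject", state, signing, "signature did not verify against a usable key")
    if primary is None or _norm(primary) != _norm(pinned_primary_fpr):
        return Verdict("reject", state, signing, "valid signature, but not from the pinned primary key")
    if state == "key-expired":
        # Valid math, stale key: fetch the publisher's current key, then re-verify.
        return Verdict("hold", state, signing, "refresh the publisher's key and verify again")
    return Verdict("accept", state, signing, "good signature from the pinned key")


if __name__ == "__main__":
    print(classify(SAMPLE_STATUS, PINNED_PRIMARY))
```
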

  26. In case you can't find it... by wembley fraggle · · Score: 2, Informative

    On the macintosh version at least, the 'check for updates' menu item is in the Help menu. Because that's clearly where it belongs. I only found it because I was just about to search the help for advice on where to find it.

  27. Re:Yet more links to IE by thejynxed · · Score: 2, Interesting

    If you think that is bad enough, just use Process Explorer and click on Firefox.exe in the process list. You'll be extremely saddened by all the IE-specific nonsense that Firefox apparently is now reliant on.

    Firefox even decides to load driver files (.dll files and others) for Windows services I specifically have disabled.

    Firefox, do you honestly need to start winspool.drv, dnsapi.dll, rasadhlp.dll, rasapi32.dll, ieframe.dll, ieframe.dll.mui, etc? Really? Even with the associated services disabled? When the associated hardware is not installed (printer, 56k modem)?

    Note: I've checked the process threads of Opera and other browsers, and they don't load half of the shit that Firefox.exe does.

    We won't even go into why Firefox would load sound drivers. A second time. After the OS already has them loaded.

    And people wonder why Firefox has memory leaks from hell.

    Still, this is my browser of choice, because Opera is just horribly hideous to look at and doesn't work on half of the websites I visit. IE8 at least is a serious improvement over any previous version of IE. Chrome is just...let us just say I don't need Google recording every single link I click on and selling the information or providing me with targeted advertising 24/7. It's bad enough I use GMail (at least for unimportant things).

    --
    @Mindless Drivel: 100% of Twitter posts ever Tweeted.
  28. Green and red indicators of death by tepples · · Score: 3, Funny

    So what you're saying is Microsoft could fix all of their problems by changing the color of the screen?

    Microsoft tried that twice on the Xbox 360, and people continued to complain about the red ring of death (general hardware failure) and the green screen of death (E74 error).

  29. Does it finally have paste and go? by Snaller · · Score: 3, Interesting

    I mean, I've given up on scaling fonts larger on the fly (as opposed to zoom), but how about 'paste and go' for urls - like opera has had for years (and now chrome)

    --
    If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
  30. Re:Blue screen by geekboy642 · · Score: 3, Insightful

    tee? Really? What the hell sort of DESKTOP APPLICATIONS produce all of their output on the terminal? OpenOffice? GIMP? KMail? GVim?

    No, the only solution is the Jesus rule. Save your files. Save them early, save them often. Not just because the system is going to crash, but because you never know when the power will fail, lightning will strike, or a cow-orker will trip over your power cord.

    --
    Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio