Slashdot Mirror
Like Google's Chrome, Mozilla To Silently Update Firefox 4
CWmike writes "Taking a page from rival Google's playbook, Mozilla plans to introduce silent, behind-the-scenes security updating to Firefox 4. The feature, which has gotten little attention from Mozilla, is currently 'on track' for Firefox 4, slated to ship before the end of the year. Firefox 4's silent update will only be offered on Windows, Mozilla has said. Most updates will be downloaded and installed automatically without asking the user or requiring a confirmation. 'We'll only be using the major update dialog box for changes like [version] 4 to 4.5 or 5," said Alex Faaborg, a principal designer on Firefox, in the 'mozilla.dev.apps.firefox' forum. 'Unfortunately users will still see the updating progress bar on load, but this is an implementation issue as opposed to a [user interface] one; ideally the update could be applied in the background.' Unlike Google, Mozilla will let users change the default silent service to the more traditional mode, where the browser asks permission before downloading and installing any update."
They're doing it right, by making it a toggle. Silent mode is perfect for Grandma, since every single damn dialogue box turns into a phone call for me.
Man is she losing it. Last week she called me "Schtopi" (her nickname for my deceased grandfather) and tried to cup my balls.
Thanks,
Bruce
I don't know about you, but IMHO, Firefox is suffering from it's increasing popularity. At least since Version 3.
to be honest, I'm not so worried about this - its only a browser, and I install all those security updates anyway. What I'm not so keen on is the "silent, in the background, don't bother the user" implementation. I'd like to know that it is doing it, pop a little UI element on the status bar that says "updating latest version now" and then gets on with it, and then puts a little version marker somewhere so I know its been done.
Be polite to your users, be open in your communication, inform us. (and a link to the things that were fixed if you click the version number would be a nice to have)
... silent updates suck.
"I love my job, but I hate talking to people like you" (Freddie Mercury)
I love Mozilla. They can do no wrong! If Apple fanboys and MSFT apologists can do it, so can I!
Using a bigger number has got to make the app better, right?
I realise firefox can be installed per user as opposed to system wide but this isn't how the majority of people are running it. Who exactly is running their web browser with the priviledges required to install an update?
why would this be considered a bad idea?
"It would be wrong to refuse to face the fact that everything is fundamentally sick and sad."
I like that a lot of what makes Firefox different from Chrome is due to the "we'll let users decide how they want it" approach instead of just telling them how it's going to be done.
It's SOOOOO generous of Mozilla to set my options BACK to the way I want, after Mozilla changes them without my permission.
Puts them right up there with Mother Teresa.
unless it wants to install a updater service for administrator, WHICH WON'T HAPPEN
and even that won't work on windows 7
Mozilla is stealing our freedoms with communist security updates!
How can I believe you when you tell me what I don't want to hear?
I get more complaints from family and friends about "slow computers" than anything else, and usually these are all about silent background updates in the end. It's damned near impossible to explain to someone that's not computer literate what and update is, how it's affecting their computer, why it's necessary that the update gets installed, etc. They don't even know what Firefox is ("You mean my Internet?") much less any of the other things. Even my wife struggles to comprehend why there's always an update running; she tends to think I'm lying or dismissing her concerns. Every single application running on her computer does silent background updates:
Windows
Office
AntiVirus/Firewall Software
Adobe Flash Player
Adobe Reader
Sun JRE
Nero
Skype
etc.
Even tiny little apps from the vendor do this... Volume control, display control, trackpad control, blah, blah...
Another background process running automatic updates each and every icon in the tray and for each and every folder and application in the Start menu, as well as for browser plugins, third party configuration tools/extensions, drivers, etc.
At the very least they should try to display a notification somewhere on the screen saying "Updating XYZ, may slow your computer..." each time they do this, rather than silently saturating an internet connection (as 10 different updaters are in competition with one another), a CPU, and/or a hard drive's activity.
STOP . AMERICA . NOW
This is problematic on slow links where every byte is precious (dial-up)
This is problmeatic on expensive links where every byte costs money (satellite, cellular)
This is problematic in managed environments where the end user does not have write-permission to the filesystem containing the software
I hope it can be disabled.
My personal firewall checksums executables and warns me the next time I start them if they have changed. If I don't know why an internet-enabled application has changed, I'll have to suspect shenanigans. Don't change executable code behind my back!
...won't work on windows 7
What are you smoking? Background services work just fine on Windows 7, as they did on all NT-based versions of Windows, provided you know how to program and set them up.
While I usually install all updates for firefox, and Windows, for that matter... I keep both update mechanisms disabled. I update my PC when I choose to and more often than not, i read changelogs and release notes. This feature is probably best for the average Joe type of computer user who doesn't know or care about updates.
At the risk of being /. assassinated, I have to say that I agree with this. Particularly because it is possible to disable such a feature.
Non-techie people don't get a thing about browsers, updating, security, etc. The medium-techie usually want to be all updated, so will update to even RCs and Betas if they find them out. Techie guys, us, do whatever they want, but I believe that they want to be in control and know what's going on -- thus, they'll disable such feature.
But especially for the non-techies, this is a way of getting free security upgrades. The upgrades will probably be carefully chosen so that there are no compatibility issues -- and if there are, non-techie to medium-techie users won't care that much.
All in all, it is good for people who don't care, and enables us who care to keep things the way we want it.
Have you heard about SoylentNews?
I wonder how this will get around UAC, a substantially annoying feature of Windows Vista/7. Will they be installing firefox to the user's home directory? Will it be sand-boxed from the OS? I admit I haven't done much looking into the pre-release so I apologize for any ignorance I might be showing.
Until now, FF updates require a restart. The update may be silent, but the restart is still going to require user notification. So what's the advantage here?
Nah, little Snitch will tell me. I really do hate that Google Chrome feature; just when I least expect it one of the Google background processes is for no apparent reason trying to connect to certain sites. Makes me wary, even if for the right reasons some software tries to sneak in any update without telling me. Even Apple gives me more freedom there.
There are two rules for success:
1. Never tell everything you know.
And what if some of your plugins aren't ready for 4? suddenly, websites look different (like maybe a craigslist image laoder stops working), or worse yet your tab extension is borked, and you can't do anything with tabs any more?
Maybe a user doesn't like the new 4.0 look and wants to stay at 3.5?
Give the user a box and ask.
Do not change this behavior!
Don't steal. The government hates competition.
It has been like this for 6 years - what's the problem ? Disable the update if you don't like it.
The biggest issue with auto-updates is that when I'm on 3G on my laptop, I have to make pretty sure everything has its update mechanisms disabled, and re-enable them when I get home, otherwise my bill runs up pretty quickly.
Case in point, Steam. It's not exactly an auto-updater, but it'll insist on immediately syncing the games I installed on my desktop. And that's a *load* of traffic. Sure, I can always shutdown Steam, but I can't shutdown Firefox or Chrome, which I need for my everyday browsing. And BAM, out of nowhere, I've already spent ~20 MB out of my quota, and it hurts.
... Simply set your application firewall to block all IP traffic originating from Firefox.
So much for rolling out Firefox for Enterprize.
I'd love to be able to actually deploy and maintain Firefox in the large enterprise that I work in. Users want it. Unfortunately, users don't have admin rights, and Mozilla makes applying updates and configuring the browser from a central location difficult and has a history of not thinking about and actively shooting down any proposals which would potentially benefit system administrators trying to support Firefox.
I don't get why they don't get it.
Conformity is the jailer of freedom and enemy of growth. -JFK
as simple as that. i wont upgrade to 4, as long as my software gets updated behind my back. i dont care about the reasons, i dont care about the rationalizations, i dont give a damn about anything else. it is MY computer, MY browser.
Read radical news here
Why not ask whether you want to be notified once it gets ready to update for the first time? This way, people who don't want to be notified in the future can elect not to (make this the default choice), and those that do can uncheck to box easily. Everyone's happy.
on Windows, Mozilla has said.
Nothing to see here, move along..
How stupid! Show the user the dialog box, and put a checkmark on it which says (approx) "Don't notify me of these updates anymore, just do them."
J'aime mieux les méchants que les imbéciles, parce qu'ils se reposent. -- Alexandre Dumas
The protocol could also require signed updates
Signed with a certificate issued by whom, purchased with what money? A company like Mozilla Corp could afford it, just as it can afford the Authenticode certificate to digitally sign Firefox Setup, but individual hobbyist developers of freeware and free software likely can't spare 200 U.S. dollars per year plus whatever their state charges to form a business entity.
Disable the update if you don't like it.
Can you recommend an easy-to-understand user interface to configure the updater to disable itself when on a pay-per-bit connection to the Internet yet reenable itself when on a less strictly metered connection (such as a home LAN or a restaurant hotspot)?
How stupid! Show the user the dialog box, and put a checkmark on it which says (approx) "Don't notify me of these updates anymore, just do them."
What's an update?
Son quick get in here, I got a virus!
I hope it can be disabled.
Duh. Given how much fine-grained control Firefox does give you on about:config, chances are you won't just be able to disable it, you'll also be able to fine-tune what kinds of updates you receive, how often the check will be performed, and what server the updates will be fetched from (which might be useful for companies).
Say whatever you want about Firefox and Mozilla - I don't always agree with their default choices, and this one seems like something I'd not be happy with, either, but they DO allow you to configure things to your liking.
How is an extra service, with admin and network access rights and intent on modifying /program files/, safer/better?
The updater service can be audited separately because it is a much smaller program than Firefox itself. After the main app has finished downloading the update package to the Local Settings folder in the user's home directory, it starts the updater service. The updater service itself does not connect to any network; all it does is verify the digital signature of the update package and then replace the executable with the updated copy. I don't know how Windows ACLs work in depth, but if the updater runs as a user that can't write outside /Program Files/Mozilla Firefox, that's another way to limit the damage it can do.
I like how Chrome updates silently - if anything the additional thing I'd like is to see a changelog of what has been updated; not because I want to scan it for government spy code, but out of curiosity/new minor features. As for the updates in terms of less computer literate users, I'd rather it update silently for them. Having worked at an ISP, I know the frustrations of having to deal with someone using a horridly outdated browser. If not for the features and to make their browsers more usable, then for the security updates of which they wouldn't even really realize the implications of.
Why is this only on the windows platform? and why can't it be the other way around, ASK me if I want a silent update or not instead of silent updates being the default.. This seems more to me like a way to hush hush how vulnerable FF really is..
"And I hope it can be disabled"
Read the summary.
I don't normally run as administrator on my computers. I have installed Firefox as an admin., though, and I must use that account for updates. This is slightly annoying with Firefox because I get update nag notifications under my user account which can't be used to perform the updates. I don't always want to go through the hassle of shutting down my current session and switching accounts for the latest update. I hope this new feature can be turned off to avoid additional problems with the update process.
I am becoming gerund, destroyer of verbs.
This is problematic on computers used as digital audio workstations, where background processes can cause glitches in playback
Yes it is: "Unlike Google, Mozilla will let users change the default silent service to the more traditional mode, where the browser asks permission before downloading and installing any update."
It can be disabled. It says that right there in the summary. Geez dude, did you just read the title and call it a day? :p
"Those who would sacrifice essential liberties for a little temporary safety deserve neither liberty nor safety." - BenF
Wow, these companies are really shooting themselves in the foot when it comes to corporate adoption.
No right-minded SysAdmin would want this sort of thing in their environment. While I understand that you CAN turn it off, Im willing to bet (without caring enough to actually look), that they have neglected to add any security features that would prevent an end user from turning the "auto update" back on.
Huh? You don't seem to get it.
Automatic updates does not slow down anything, unless they are update managers that runs constantly like Adobe's. But Firefox / Mozilla can check the new updates e.g. when starting browser or after ~2 minutes of running the browser, anyways they use resources (if no update is found, it should ideally use resources as much as one Ajax request) only very small amount of time per week, they don't need no stinking update manager running all the time.
Unlike Google, Mozilla will let users change the default silent service to the more traditional mode, where the browser asks permission before downloading and installing any update.
Why is this even modded Insightful?
People ignore update dialogs. Why do you think they wouldn't ignore that, too?
So with this new silent update process, half the time when I start Firefox it'll have to update before I can use it? And this is something that just happens? Mozilla, you should stop worrying about browser cold start time and start worrying about update time. I just want to be able to open a web browser and use the internet; I don't need any more progress bars before I can do so.
From the summary:
"Unlike Google, Mozilla will let users change the default silent service to the more traditional mode, where the browser asks permission before downloading and installing any update."
HTC EVO 4G LTE w/ CM 10.2 | NookColor w/ CM 10.2 | Samsung Epic 4G w/ CM 10.1
From TFS:
Unlike Google, Mozilla will let users change the default silent service to the more traditional mode, where the browser asks permission before downloading and installing any update.
Is GnuPG signed with a certificate issued by a CA? No, it isn't
Does this mean you can't trust it? No it doesn't.
GnuPG, like a many other FOSS programs, is simply signed by the developer's signature key. If you have once obtained said key over a secure channel, or verified it by other means (like having downloaded it 15 years or/and having cross-verified it over various different channels), you can verify the integrity of every release of GnuPG with this key.
Can this system be by-passed?
Yes, just like nearly any other system. If you never had a secure channel to obtain the key.
But it's the risk is probably lower than the risk that someone added a bogus SSL/TLS root certificate to your favorite browsers certificate DB during it's initial download.
What I'm trying to say is that it's a common misinformation that there has to be a PKI one has to pay for in order to securely sign anything. Moreover, the PKIs you're referring to are partially based on DNS, which isn't exactly a secure protocol, at least not before DNSSEC is rolled out everywhere. For example, some CAs use your e-mail address to verify that you're the legitimate owner of the domain. It has happened multiple times already that someone could get a signed certificate from a CA without being the owner of the domain specified in the certificate.
See Dan Kaminsky's work if you're interested in some of the issues with (current) PKIs. Bruce Schneier has also some interesting points.
I have to say no to this, It should not be on by default. As much as everyone loves foxfire they make mistakes updates brick computers and so on. If we have no clue there was an update before the computer acts up this is a bad thing. We all ask what was the last thing you did? correct? It can be an option but thats it, an option.
Jack of all trades,master of none
As a windows user I'd like to see a big player like Mozilla release a standalone updater that all the other software can use so every app doesn't have to check for updates on its own and use its own halfassed update method.
This is problematic on slow links where every byte is precious (dial-up)
This is problmeatic on expensive links where every byte costs money (satellite, cellular)
This is problematic in managed environments where the end user does not have write-permission to the filesystem containing the software
I hope it can be disabled.
Well I know this is slashdot but you could at least read the entire fucking summary as it clearly states that you can disable this in the settings
I compile my Firefox (on Linux of course) from the source code. In this case, silent updates make no sense whatsoever.
"Unlike Google, Mozilla will let users change the default silent service to the more traditional mode, where the browser asks permission before downloading and installing any update."
When I first used it, the distribution fit on half a 3.5" floppy drive. It's rather larger than that now...
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Hah, and you'd let a browser run on such a system? Dear user, please do not browse the web with this browser or you may disturb audio playback. If you must browse the web, do not browse any computationally complex nor I/O-heavy websites. If you do not know what that means, good luck and God speed.
The browser is the most important app for most people. Its the front door to most viruses ( ok, trojans techincally ) and is their window to the world.
It should be taken more seriously.
---- Booth was a patriot ----
"Unfortunately users will still see the updating progress bar on load"
I don't understand this. Why is that unfortunate? Why would they want the browser update to happen completely out of the user's awareness?
My paranoia kicks in.
I hadn't known there were so many idiots in the world until I started using the Internet -Stanislaw Lem
Because illiteracy isn't just for ACs, it extends to people with mod points too.
Silent updates is the reason why I received a 30 euro phone bill for a few minutes.
I was on holiday, and let a friend use my laptop and telephone to send an important email (it was party invitation, nothing more important than that). And of course... I forgot to displace all things that would silently try to update whatever they could when a network connection was found. Withing a short time, a few megabyte was downloaded. And mobile data from a foreign country is more expensive than HP ink.
So please mozilla, provide a nice toggle though the preferences screen to change this, an not through a about:config option.
I hope so too. Will I have to chmod -R -w /path/to/firefox-dir?
it's not silently being updated by oracle..
No problem. Firefox is opensource so you're free to edit it to do whatever you want.
So no FF4 for me. At least on the netbook...
I can use my mobile connection responsibly and the 500MB limit will last me a month. But at some $0.25/500K above limit, if Firefox decides to download 15MB of updates, sorry, no deal.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
> This is problematic on slow links where every byte is precious (dial-up)
How is it more problematic than the default setup today, where the updates are downloaded automatically, but not applied automatically?
> This is problematic in managed environments where the end user does not have write-
> permission to the filesystem containing the software
Not any more so than the current behavior.
> I hope it can be disabled.
Reading comprehension?
Showing the user something he probably doesn't need* to see undermines what could have been an automagical experience.
* for varying definitions of need. Slashdot users, in all their technical glory, sure love talking about edge cases that wouldn't apply to the vast majority of people out there...
I would switch 100% to Chrome... if it worked... Anytime I click a link that opens the default browser (set to chrome), chrome opens up and shows an error dialog. Chrome will then not load any pages. You have to close Chrome, and reopen it with the desktop shortcut in order for it to work properly. Win 7 64, 4gb, 8800gt oc, quad q6600 2.4 running at 3.0ghz, Asus P5K
Just because it works, Doesn't make it right. - JTM
WHAT THE FUCK?!
It's only a matter of time before someone figures out how to send data which tricks Firefox into believing it's time to update and installing malware.