Like Google's Chrome, Mozilla To Silently Update Firefox 4
CWmike writes "Taking a page from rival Google's playbook, Mozilla plans to introduce silent, behind-the-scenes security updating to Firefox 4. The feature, which has gotten little attention from Mozilla, is currently 'on track' for Firefox 4, slated to ship before the end of the year. Firefox 4's silent update will only be offered on Windows, Mozilla has said. Most updates will be downloaded and installed automatically without asking the user or requiring a confirmation. 'We'll only be using the major update dialog box for changes like [version] 4 to 4.5 or 5,' said Alex Faaborg, a principal designer on Firefox, in the 'mozilla.dev.apps.firefox' forum. 'Unfortunately users will still see the updating progress bar on load, but this is an implementation issue as opposed to a [user interface] one; ideally the update could be applied in the background.' Unlike Google, Mozilla will let users change the default silent service to the more traditional mode, where the browser asks permission before downloading and installing any update."
To be honest, I'm not so worried about this - it's only a browser, and I install all those security updates anyway. What I'm not so keen on is the "silent, in the background, don't bother the user" implementation. I'd like to know that it is doing it, pop a little UI element on the status bar that says "updating latest version now" and then gets on with it, and then puts a little version marker somewhere so I know it's been done.
Be polite to your users, be open in your communication, inform us. (and a link to the things that were fixed if you click the version number would be a nice to have)
... silent updates suck.
"I love my job, but I hate talking to people like you" (Freddie Mercury)
I love Mozilla. They can do no wrong! If Apple fanboys and MSFT apologists can do it, so can I!
why would this be considered a bad idea?
"It would be wrong to refuse to face the fact that everything is fundamentally sick and sad."
I like that a lot of what makes Firefox different from Chrome is due to the "we'll let users decide how they want it" approach instead of just telling them how it's going to be done.
Mozilla is stealing our freedoms with communist security updates!
How can I believe you when you tell me what I don't want to hear?
I get more complaints from family and friends about "slow computers" than anything else, and usually these are all about silent background updates in the end. It's damned near impossible to explain to someone that's not computer literate what an update is, how it's affecting their computer, why it's necessary that the update gets installed, etc. They don't even know what Firefox is ("You mean my Internet?") much less any of the other things. Even my wife struggles to comprehend why there's always an update running; she tends to think I'm lying or dismissing her concerns. Every single application running on her computer does silent background updates:
Windows
Office
AntiVirus/Firewall Software
Adobe Flash Player
Adobe Reader
Sun JRE
Nero
Skype
etc.
Even tiny little apps from the vendor do this... Volume control, display control, trackpad control, blah, blah...
Another background process running automatic updates for each and every icon in the tray and for each and every folder and application in the Start menu, as well as for browser plugins, third party configuration tools/extensions, drivers, etc.
At the very least they should try to display a notification somewhere on the screen saying "Updating XYZ, may slow your computer..." each time they do this, rather than silently saturating an internet connection (as 10 different updaters are in competition with one another), a CPU, and/or a hard drive's activity.
STOP . AMERICA . NOW
This is problematic on slow links where every byte is precious (dial-up)
This is problematic on expensive links where every byte costs money (satellite, cellular)
This is problematic in managed environments where the end user does not have write-permission to the filesystem containing the software
I hope it can be disabled.
If the software is installed with the privileges to install system-wide, I think it can install a service with privileges to update as well. So that shouldn't be a problem.
.sig: No such file or directory
While I usually install all updates for firefox, and Windows, for that matter... I keep both update mechanisms disabled. I update my PC when I choose to and more often than not, I read changelogs and release notes. This feature is probably best for the average Joe type of computer user who doesn't know or care about updates.
At the risk of being /. assassinated, I have to say that I agree with this. Particularly because it is possible to disable such a feature.
Non-techie people don't get a thing about browsers, updating, security, etc. The medium-techie usually want to be all updated, so will update to even RCs and Betas if they find them out. Techie guys, us, do whatever they want, but I believe that they want to be in control and know what's going on -- thus, they'll disable such feature.
But especially for the non-techies, this is a way of getting free security upgrades. The upgrades will probably be carefully chosen so that there are no compatibility issues -- and if there are, non-techie to medium-techie users won't care that much.
All in all, it is good for people who don't care, and enables us who care to keep things the way we want it.
Have you heard about SoylentNews?
I wonder how this will get around UAC, a substantially annoying feature of Windows Vista/7. Will they be installing firefox to the user's home directory? Will it be sand-boxed from the OS? I admit I haven't done much looking into the pre-release so I apologize for any ignorance I might be showing.
Until now, FF updates require a restart. The update may be silent, but the restart is still going to require user notification. So what's the advantage here?
Nah, Little Snitch will tell me. I really do hate that Google Chrome feature; just when I least expect it one of the Google background processes is for no apparent reason trying to connect to certain sites. Makes me wary, even if for the right reasons some software tries to sneak in any update without telling me. Even Apple gives me more freedom there.
There are two rules for success:
1. Never tell everything you know.
So much for rolling out Firefox for Enterprise.
I have installed by the Administrator account and then Unpriv users can't do updates, it requires manual intervention.
So instead we'll get "couldn't silently update" dialog boxes!
There are places where the networks are not touching, and there are places where they are-Boeing's Lori Gunter
Maybe a user doesn't like the new 4.0 look and wants to stay at 3.5? Give the user a box and ask. Do not change this behavior!
Congratulations for not even reading the summary: They will only do silent updates for minor versions, i.e. security and stability updates.
The question will be kept for major updates, like 3.x to 4.
The beauty of open source - you don't like it, fork it.
Seven puppies were harmed during the making of this post.
I'd love to be able to actually deploy and maintain Firefox in the large enterprise that I work in. Users want it. Unfortunately, users don't have admin rights, and Mozilla makes applying updates and configuring the browser from a central location difficult and has a history of not thinking about and actively shooting down any proposals which would potentially benefit system administrators trying to support Firefox.
I don't get why they don't get it.
Conformity is the jailer of freedom and enemy of growth. -JFK
That and these hidden updates could cause problems in the corporate world. Normally when browsers are updated I see vendors advising users to wait until the browser has been tested. That mostly applies to major updates, but any kind of update could patch a hole that a web application relied on - or introduce a new bug.
-- Using the preview button since 2005
Give the user a box and ask.
Good luck with that. I'm still using firefox 2.0.0.20 simply because the awesome-bar was a dealbreaker for me since day one. And no, the 'oldbar' addon just makes it look the same, when the old behaviour is what I want most. What makes it even more depressing is how every other browser on the face of the earth which supports ad-blockers and noscript add-ons has followed mozilla over that cliff.
Lynx is looking more and more attractive by the day.
It says right there you have the option to turn off silent updates.
it's under construction
Why not ask whether you want to be notified once it gets ready to update for the first time? This way, people who don't want to be notified in the future can elect not to (make this the default choice), and those that do can uncheck the box easily. Everyone's happy.
on Windows, Mozilla has said.
Nothing to see here, move along..
How stupid! Show the user the dialog box, and put a checkmark on it which says (approx) "Don't notify me of these updates anymore, just do them."
J'aime mieux les méchants que les imbéciles, parce qu'ils se reposent. -- Alexandre Dumas
The protocol could also require signed updates
Signed with a certificate issued by whom, purchased with what money? A company like Mozilla Corp could afford it, just as it can afford the Authenticode certificate to digitally sign Firefox Setup, but individual hobbyist developers of freeware and free software likely can't spare 200 U.S. dollars per year plus whatever their state charges to form a business entity.
Disable the update if you don't like it.
Can you recommend an easy-to-understand user interface to configure the updater to disable itself when on a pay-per-bit connection to the Internet yet reenable itself when on a less strictly metered connection (such as a home LAN or a restaurant hotspot)?
How stupid! Show the user the dialog box, and put a checkmark on it which says (approx) "Don't notify me of these updates anymore, just do them."
What's an update?
Son quick get in here, I got a virus!
How is an extra service, with admin and network access rights and intent on modifying /program files/, safer/better?
The updater service can be audited separately because it is a much smaller program than Firefox itself. After the main app has finished downloading the update package to the Local Settings folder in the user's home directory, it starts the updater service. The updater service itself does not connect to any network; all it does is verify the digital signature of the update package and then replace the executable with the updated copy. I don't know how Windows ACLs work in depth, but if the updater runs as a user that can't write outside /Program Files/Mozilla Firefox, that's another way to limit the damage it can do.
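The split described in the comment above, as an added example that is not part of the thread and is not Mozilla's updater code: a privileged step that makes no network connection, verifies a detached signature over the staged package against a pinned public key, and only then replaces the installed file. The Ed25519 scheme, the file names and the throwaway key are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

var errBadSignature = errors.New("update package signature does not verify")

// applyUpdate is the privileged, offline half of the split: it checks a
// detached Ed25519 signature (assumed scheme) against a pinned public key
// and only then replaces the installed file.
func applyUpdate(pinned ed25519.PublicKey, pkgPath, sigPath, target string) error {
	// Read the package once. The staging folder is user-writable, so
	// verifying the file and re-opening it later would let the bytes be
	// swapped between the check and the install.
	pkg, err := os.ReadFile(pkgPath)
	if err != nil {
		return err
	}
	sig, err := os.ReadFile(sigPath)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pinned, pkg, sig) {
		return errBadSignature
	}
	// Write the verified bytes beside the target (a directory only the
	// updater may write), then rename so no half-written binary is left.
	tmp := target + ".new"
	if err := os.WriteFile(tmp, pkg, 0o755); err != nil {
		return err
	}
	return os.Rename(tmp, target)
}

// demo runs a constructed scenario: a signed package, then a tampered one.
func demo() (applied, tamperedRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(nil) // throwaway key for the demo
	if err != nil {
		return false, false, err
	}
	dir, err := os.MkdirTemp("", "updater-demo")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(dir)
	staged, sigFile := filepath.Join(dir, "update.pkg"), filepath.Join(dir, "update.sig")
	target := filepath.Join(dir, "browser.bin")
	newBin := []byte("browser build 2")
	os.WriteFile(target, []byte("browser build 1"), 0o755)
	os.WriteFile(staged, newBin, 0o644)
	os.WriteFile(sigFile, ed25519.Sign(priv, newBin), 0o644)
	if err = applyUpdate(pub, staged, sigFile, target); err != nil {
		return false, false, err
	}
	got, _ := os.ReadFile(target)
	applied = bytes.Equal(got, newBin)

	// Modify the staged file after signing: the updater must refuse it.
	os.WriteFile(staged, []byte("browser build 2 + injected"), 0o644)
	rejectErr := applyUpdate(pub, staged, sigFile, target)
	got, _ = os.ReadFile(target)
	tamperedRejected = errors.Is(rejectErr, errBadSignature) && bytes.Equal(got, newBin)
	return applied, tamperedRejected, nil
}

func main() { fmt.Println(demo()) }
```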
Dude, you can turn off silent updates. I know nobody reads the article, but at least read the summary before frothing at the mouth about a non-problem.
I like how Chrome updates silently - if anything the additional thing I'd like is to see a changelog of what has been updated; not because I want to scan it for government spy code, but out of curiosity/new minor features. As for the updates in terms of less computer literate users, I'd rather it update silently for them. Having worked at an ISP, I know the frustrations of having to deal with someone using a horridly outdated browser. If not for the features and to make their browsers more usable, then for the security updates of which they wouldn't even really realize the implications of.
They have essentially reached the point of time when there was no competition (technologically, *) left, and interpreted the achieved stability as a stagnation. And that freaked them out and they set out to destroy themselves by screwing up what was working perfectly before.
Kidding. FireFox's focus was always a grandma type of user. The moment when they say goodbye to their tech savvy audience was ought to come and I believe it is upon us. It started in 2.x with some enhancements one couldn't turn off (and had to install couple of add-ons to disable stuff), further expanded in 3.x and I think might peak in 4.x.
I'm already searching for a FireFox' replacement on Windows... IE is too dumb and arrogant (+ poor extensions + idiotic security). Chrome's too primitive (+ constant quirks due to forced updates). Opera is way too feature overloaded and cluttered.
(*) Except for the further development of HTML itself.
All hope abandon ye who enter here.
Opera is cluttered? Any extra features you don't use are disabled (ie, if you don't use the built-in mail client, it's not running).
"And I hope it can be disabled"
Read the summary.
I don't normally run as administrator on my computers. I have installed Firefox as an admin., though, and I must use that account for updates. This is slightly annoying with Firefox because I get update nag notifications under my user account which can't be used to perform the updates. I don't always want to go through the hassle of shutting down my current session and switching accounts for the latest update. I hope this new feature can be turned off to avoid additional problems with the update process.
I am becoming gerund, destroyer of verbs.
This is problematic on computers used as digital audio workstations, where background processes can cause glitches in playback
It can be disabled. It says that right there in the summary. Geez dude, did you just read the title and call it a day? :p
"Those who would sacrifice essential liberties for a little temporary safety deserve neither liberty nor safety." - BenF
I assume that if it bothered you that much, you'd probably search for a way to turn it off. The summary did say that you will still know when the updates are being applied with a progress bar, it just doesn't ask you or go through a whole hullaballoo to install updates.
Wow, these companies are really shooting themselves in the foot when it comes to corporate adoption.
No right-minded SysAdmin would want this sort of thing in their environment. While I understand that you CAN turn it off, I'm willing to bet (without caring enough to actually look), that they have neglected to add any security features that would prevent an end user from turning the "auto update" back on.
Who exactly is running their web browser with the privileges required to install an update?
Virtually everyone.
Unlike Google, Mozilla will let users change the default silent service to the more traditional mode, where the browser asks permission before downloading and installing any update.
Why is this even modded Insightful?
People ignore update dialogs. Why do you think they wouldn't ignore that, too?
So with this new silent update process, half the time when I start Firefox it'll have to update before I can use it? And this is something that just happens? Mozilla, you should stop worrying about browser cold start time and start worrying about update time. I just want to be able to open a web browser and use the internet; I don't need any more progress bars before I can do so.
From the summary:
"Unlike Google, Mozilla will let users change the default silent service to the more traditional mode, where the browser asks permission before downloading and installing any update."
HTC EVO 4G LTE w/ CM 10.2 | NookColor w/ CM 10.2 | Samsung Epic 4G w/ CM 10.1
I'll not be updating either but mostly because I just don't like the new chrome like GUI, this is another minus point however I like to see what's happening on my own PC it helps me troubleshoot if nothing else.
I have to say no to this. It should not be on by default. As much as everyone loves foxfire they make mistakes updates brick computers and so on. If we have no clue there was an update before the computer acts up this is a bad thing. We all ask what was the last thing you did? Correct? It can be an option but that's it, an option.
Jack of all trades, master of none
As a windows user I'd like to see a big player like Mozilla release a standalone updater that all the other software can use so every app doesn't have to check for updates on its own and use its own halfassed update method.
"Unlike Google, Mozilla will let users change the default silent service to the more traditional mode, where the browser asks permission before downloading and installing any update."
Because it still tells you that it's updating...
A one-time problem, easily fixed. If you really want to be safe, unplug your internet connection. Maybe go outside, talk to some real women, something like that.
When I first used it, the distribution fit on half a 3.5" floppy drive. It's rather larger than that now...
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
The browser is the most important app for most people. It's the front door to most viruses ( ok, trojans technically ) and is their window to the world.
It should be taken more seriously.
---- Booth was a patriot ----
"Unfortunately users will still see the updating progress bar on load"
I don't understand this. Why is that unfortunate? Why would they want the browser update to happen completely out of the user's awareness?
My paranoia kicks in.
I hadn't known there were so many idiots in the world until I started using the Internet -Stanislaw Lem
Because illiteracy isn't just for ACs, it extends to people with mod points too.
Silent updates is the reason why I received a 30 euro phone bill for a few minutes.
I was on holiday, and let a friend use my laptop and telephone to send an important email (it was a party invitation, nothing more important than that). And of course... I forgot to displace all things that would silently try to update whatever they could when a network connection was found. Within a short time, a few megabytes were downloaded. And mobile data from a foreign country is more expensive than HP ink.
So please mozilla, provide a nice toggle through the preferences screen to change this, and not through an about:config option.
The moment when Firefox jumped the shark for me was when I went to about:config and got some snarky anti-grandma click-through.
I hope so too. Will I have to chmod -R -w /path/to/firefox-dir?
But not everything now has an option in about:config.
Tab tear off cannot be disabled at all. (Happens all the time - accidentally - when one opens lots of tabs, e.g. when searching through with bugzilla.) And there is no option for it at all - request on bugzilla was denied.
For faster start-up FireFox loads initial tabs from cache. And there is no option to tell it to fetch the pages from net instead.
The about:config might remain, but its usefulness sunk in the 2.x/3.x times - and I do not expect that to improve in 4.x.
All hope abandon ye who enter here.
No problem. Firefox is opensource so you're free to edit it to do whatever you want.
So no FF4 for me. At least on the netbook...
I can use my mobile connection responsibly and the 500MB limit will last me a month. But at some $0.25/500K above limit, if Firefox decides to download 15MB of updates, sorry, no deal.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
I realize this may seem like sacrilege on /. but IE8 plus an extension called IE7Pro (which despite its name works great on 8) gives Firefox a good run for its money. It's actually more secure in some important ways (sandboxing, ASLR), includes ad-blocking out of the box (set the registry key to enable InPrivate Filtering on every startup) and Flash filtering (under the Flash add-on options, delete the Use on sites: *.* then you can manually add sites when they request it) and while its JS engine is weak compared to Firefox, it works fine on 99.9 percent of the sites I've seen (Acid3 being pretty much the other 0.1%). Plus, call me weird but I actually find its Accelerators feature handy, and feel its tabbed browsing is a lot better than Firefox's.
IE7Pro ( http://ie7pro.com/ ) gives you more ad-block and flash-block options, spell checking, a download manager, user agent switching, customizable mouse gestures and keyboard shortcuts, fast proxy switching, pre-fetching options, GreaseMonkey-style user scripts, and a lot more.
Firefox still wins on JS and HTML5, but I find the advantages worth it.
There's no place I could be, since I've found Serenity...
> This is problematic on slow links where every byte is precious (dial-up)
How is it more problematic than the default setup today, where the updates are downloaded automatically, but not applied automatically?
> This is problematic in managed environments where the end user does not have write-permission to the filesystem containing the software
Not any more so than the current behavior.
> I hope it can be disabled.
Reading comprehension?
Showing the user something he probably doesn't need* to see undermines what could have been an automagical experience.
* for varying definitions of need. Slashdot users, in all their technical glory, sure love talking about edge cases that wouldn't apply to the vast majority of people out there...
I would switch 100% to Chrome... if it worked... Anytime I click a link that opens the default browser (set to chrome), chrome opens up and shows an error dialog. Chrome will then not load any pages. You have to close Chrome, and reopen it with the desktop shortcut in order for it to work properly. Win 7 64, 4gb, 8800gt oc, quad q6600 2.4 running at 3.0ghz, Asus P5K
Just because it works, Doesn't make it right. - JTM
The most ridiculous option to be absent from about:config is the option to ignore the no-password-saving flag set on login forms by "super secure" sites, used for everything from online banks to Exchange webmail logins.
IIRC the justification was (and is, as the bug is WONTFIX) that banks would blacklist firefox and that - and I closely paraphrase - "The success of the project takes precedence over the experience of the users." Meanwhile, seamonkey supports the option with no problem, and so does every sane browser.
You do realize that Firefox already has the feature in question? Look in Firefox's setting window, in the "updates" tab of the "advanced" pane. In there is the option to prompt or to automatically install updates.
If you do the latter, they will download in the background when you browse, and the next time you start the browser, it will show a progress bar for a bit, and then the browser will open. I have the option set, so on occasion I see this.
All Mozilla is doing is changing the default for this setting. You can change it back if you want.
Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
They will only do silent updates for minor versions, i.e. security and stability updates.
And no company has ever screwed over millions of users with a bad automatic/mandatory security or stability update.
[Fuck Beta]
o0t!
GnuPG, like many other FOSS programs, is simply signed by the developer's signature key. If you have once obtained said key over a secure channel
What channel is secure, other than a channel established with the aid of a face-to-face meeting known as a key signing party? I, for one, don't fly often enough to attend those.
or verified it by other means (like having downloaded it 15 years or/and having cross-verified it over various different channels)
A developer who is new to a particular web of trust won't have a 15-year track record like the GnuPG team. So to which "various different channels" are you referring?
a bogus SSL/TLS root certificate
Which is why Authenticode, for example, uses a different set of root certificates from TLS in part because TLS is such a juicy target.
Moreover, the PKIs you're referring to are partially based on DNS
To break HTTP, you'd have to bypass DNS. To break HTTPS, you'd have to both bypass DNS and either fool a CA or fool the user into installing a root certificate.
For faster start-up FireFox loads initial tabs from cache. And there is no option to tell it to fetch the pages from net instead.
This annoys me to no end.
Yes, an individual user can turn off silent updates but is there a setting that turns off silent updates for all users on a system? On Windows at least, Firefox update settings are stored per user, making it difficult to manage in a multiuser lab environment.
I quote from the summary: "Unfortunately users will still see the updating progress bar on load, but this is an implementation issue as opposed to a [user interface] one".
They want to make it totally invisible, but it does not sound like they have gotten there yet. It does not change the fact that it will still use the same setting underneath.
Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
Oh, also: if you're interested in a highly customizable browser, Konqueror can run on Windows these days. It's not a small install footprint (KDE base libraries are required) and it still has some quirks to iron out, but it works as a day-to-day browser.
There's no place I could be, since I've found Serenity...
It's only a matter of time before someone figures out how to send data which tricks Firefox into believing it's time to update and installing malware.