Slashdot Mirror
No Additional Firefox 4 Security Updates
CWmike writes "Unnoticed in the Tuesday release of Firefox 5 was Mozilla's decision to retire Firefox 4, shipped just three months ago. Mozilla spelled out vulnerabilities it had patched in that edition and in 2010's Firefox 3.6, but it made no mention of any bugs fixed in Firefox 4 on Tuesday, because Firefox 4 has reached what Mozilla calls EOL, for 'end of life,' for patches. Although the move may have caught users by surprise, the decision to stop supporting Firefox 4 has been discussed within Mozilla for weeks. In a mozilla.dev.planning mailing list thread, Christian Legnitto, the Firefox release manager, put it most succinctly on May 25: 'Firefox 5 will be the security update for Firefox 4.' Problem is, users are being prompted to upgrade now but are hesitant because the new rapid release of updates means many add-ons are not compatible. And without security updates in between, many could be left exposed with unpatched browsers."
For Firefox 6.0
Ubuntu upgraded to FF 5 this morning. I was surprised, given that Ubuntu has not been too swift with previous FF upgrades. I suppose the EOL is the reason.
...they would be fine.
However, it looks like Mozilla failed to communicate it well enough, thinking their own notice was enough. The result is that Mozilla seems to take Microsoft's path for once - refusing to patch security issues on a relatively new release, and washing their hands clean with an EOL.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
I would not be surprised if their new release cycle causes their marketshare to start shrinking in a significant fashion.
I have been a long-time Firefox user (ever since it was Phoenix) and their current release philosophy is really turning me off. They just seem so misguided and detached from reality.
Are they trying to kill their user base ?
Anybody serious deploying system WILL NOT ship a mozilla product. Obsoleting a software 3 month after its release is ridiculous. You can't try to get market share and killa release in 3 month. If you don't plan to give any support, call that a development version!
I am SO disappointed in them!
Slashdot story
No big news, except that the Mozilla Foundation has gone out of its mind. I think I'll stick with Firefox 3 until it reaches end of life, and then upgrade to Firefox 25.
I really don't want to have to push out a brand new version of FF every few months and risk breaking my users' plugins that they use.
"A plan fiendishly clever in its intricacies"- Homer Simpson
Version numbers don't matter any more. This is really not a major release. It is an incremental upgrade, just like Chrome and just like the Linux kernel. It is a new way of developing software that has been happening for a while now.
This is the exact behavior that will drive users away. It's more disruptive than the KDE 4.0 debacle.
I've been a committed Firefox user for many years, using daily many plugins that I find irreplaceable (zotero, noscript). I'm now seriously considering alternatives. I find it irresponsible that Mozilla would not stand behind the major release of one of their products for more than three months.
As I remember, the Mozilla Add-ons site does not allow plugins to be posted if they have a maxVersion that hasn't been released yet (that's the gist of it anyway).
You might be able to post an add-on with a maxVersion of 4.1alpha or something, but it would break on 4.1 final. Of course, there's no way to quickly re-enable the add-on, because Mozilla thinks you can't be trusted to run your own browser, an interesting concept coming from open source software.
The right to protest the State is more sacred than the State.
If it helps you sleep at night, the nightly builds are currently 7.0a1, and planning for FF8 is underway. And prior to FF4, Gecko was still in the 1.9 numbering series. (They bumped it up to match the FF version release.)
Ironically, SeaMonkey is still at version 2, when it comes from a branch of the Netscape tree that should make it six or seven.
And furthermore, all of these web browsers are identified as Mozilla/5.0 in their user agents.
Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
This whole version number thing is insane and pissing off anyone who needs a singe stable version that is supported for a reasonable length of time.
If they wanted to up the version number they should have just skipped 4, 5, 6, 7, 8, 9, 10 to 11 or 12. Or since everyone skips 13 anyway just go directly to 14 and be done with it. Then keep it there for at least a year.
Mozilla Corporation gets most of its funds from Google. Something to keep in mind in regards to the future of Firefox...
My gut says, barring some significant change in funding / lead developers, that Firefox's future is bleak - what's happening now feels to me so much like what happened back when Netscape jumped the shark with their bloated Communicator suite. People bailed in droves.
The ideal situation would be for a group of developers to fork Firefox 3.6.x, throw in some of the improvements from 4, and run with it. Many would be greatly appreciative, and likely support it in both time and donations; don't make the same mistake as Mozilla Foundation has in regards to relying too much on any one major donor.
Jump to where? Ad Block, noscript, firebug, flash block and the like have become pretty much required for my browsing needs. Who else has something like this?
"I use a Mac because I'm just better than you are."
I thought the windows one was made of broken glass, and the linux one had a point out to the side (front if standing up) like a little beak.
BSD has two points at the end and a pitch fork.
MacOSs can only be used on one part of the body, and only in one room of the house, only at the time Mr. Jobs lets you use it, and only with Apple approved partners...
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
Who, exactly, is the rapid release schedule helping? It's certainly not helping web developers and organizations who try to list their supported browser versions and actually try to code towards those versions. The quickest path to get the corporate PHBs to stop supporting your browser is to have the IT staff say "Guess what, the next version of Firefox is already out so we need to make updates." At some places, support for browsers other than IE is tenuous at best, so making it more difficult to support these browsers only hurts the browser manufacturers.
Want to gain more support? Release a stable product, with wide support for standards and add-ons, and do so on a sane, well-publicized schedule. People don't care about version numbers; updating software isn't something people want or like to do. Why are you making it more difficult and cumbersome for users to use your product?
Because that's not the way the addon versioning system works?
Look, it's really pretty simple. An addon needs to say what versions of Firefox it supports, as the API is known to change with each version.
The old rule was that you were pretty safe in assuming that the "patch level" number (the third/fourth number depending on release) could change without breaking any addons. Changing the minor number might break existing addons and could add new APIs. (For example, the change from Firefox 3.5 to 3.6.)
Changing the major number indicated a major change in functionality that could, potentially, require addons to be rewritten. (For example, Firefox 2 to Firefox 3.)
How the hell do you work that into the new versioning system?! The only way would be for the browser itself to "know" that Firefox 5 is basically Firefox 4 and not flag addons written for "4.0+".
Am I supposed to assume that an addon I write against Firefox 4 will work in Firefox 5 and Firefox 6, when the same was certainly not true for Firefox 1 to 2 - and 2 to 3, and 3 to 4? When will they be changing the API again? Am I supposed to be psychic when setting the maxVersion number?
Keep in mind that it's the browser itself that enforces these version checks. It's not something that addon developers really have any control over.
You are in a maze of twisty little relative jumps, all alike.
Dear Mozilla: Pull your head out of Chrome's ass.
Conservative, mod down for violating
Also I really hate how distros mark software deemed stable by upstream as totally experimental and dangerous (applies to pretty much everyone).
Stable doesn't just relate to the software, but how the software works on a specific platform (that is, whether it plays nice with other libraries and such, whether the dependancies have been specified properly in the ebuild (or whatever your distro of choice uses), etc..).
But that is merely a symptom, not the cause.
If nothing else, the new release philosophy causes the incredibly stupid approach to add-on compatibility to be highlighted.
People have complained about add-ons 'breaking' for years with other (point) releases, usually stating that after updating the maxVersion string manually, or using Nightly Tester Tools to override, the add-on continues to work perfectly fine.
Perhaps it's wishful thinking.. but part of me is hoping that the new release schedule forces Mozilla, and the community, to re-think add-on compatibility reporting; flagging add-ons as 'broken' not by default, but after testing.
I am still using Firefox 3.6 and will stay that way until either Mozilla lay down the crack pipe or I find another browser whose UI designers aren't similarly crack addled (sorry Chrome).
========
CINC, 4th Penguin Legion
I believe you can install the Mozilla Add-on Compatibility Reporter (made by Mozilla) to manually turn on any outdated/incompatible/whatever add-ons.
I can't blame them for making such functionality take a couple of extra steps because I imagine the support nightmare from your average user is hell otherwise.
I'm not a big fan of this new rapid release thing with major version numbers just to look better, though.
End Of Life after THREE FUCKING MONTHS?? Who the fuck thought this was a good decision?
CDE open sourced! https://sourceforge.net/projects/cdesktopenv/
Firefox doesn't really need to do that as it's open source and upgrading to a newer version is free.
As long as you're not doing any incoming qualification, that's dandy. Of course, in an enterprise setting you just might want to make sure that the new version supports all of your mission-critical applications. If you're running a distribution, you might want to do some QA on it.
As it is, Gentoo (to name one) still has 4.0 in unstable, and Mozilla's rapid releases are practically guaranteed to keep any of the new releases from ever reaching stable. That's not a joke; running tarballs is a quick way to hose dependencies in most distributions, and pure death in the hardware platforms outside of PC clones.
Then there are all of those plugins that will never catch up to the supported browser version ...
Lacking <sarcasm> tags,
for all practical purposes, it IS the security update to 4.1 and should be treated as such.
Security updates do not break backwards compatibility.
Except when necessary to fix implementation and design bugs, there shouldn't be any trade-offs in installing a security update; the new version should be exactly the same except more bug free, or people aren't going to install it.
3 words: Rolling release distro.
Like Arch or Gentoo, or Debian unstable if you want.
Yeah right.
I love gentoo, I hate the idea of non-rolling-release systems.
However.
It takes ~1h to compile the new xulrunner and firefox on my 2.5ghz dual core laptop.
If the fast release cycle keeps accelerating, soon Firefox X+1 wil be out before I'm d-one compiling Firefox X
Segmentation Fault in "Life, Universe and Everything" at line 42. Don't Panic.
Does it really matter what the version is?
Obviously it does. Have you not read the comments? Marketing that drives people away from your product is bad marketing.
It'll break most of your add-ons, but it will just drop in.
No no, FF5 wasn't released in the US, at least not for SNES. FF4 was rebranded as FF2, and FF6 as FF3.
It sounds like browser version numbers are designed to be a poor proxy for plugin API version. Therefore, I have to wonder, why not version the API instead (i.e. Firefox Plugin API 2.1 in Firefox 5.0)? Plus, you even get backwards compatibility since it becomes trivial to have multiple APIs and use the highest one the plugin is compatible with.
I'd just set it to 99 or whatever and patch shit as it breaks.
I'd rather have an app that's buggy on a new version of FF than one that *would* have worked fine but had maxVersion set too low...
Last I checked, you're not allowed to do that and have your addon be hosted on addons.mozilla.org. Which is why none of the addons on there do.
Not to mention that doing that was strongly discouraged by Mozilla and, prior to Firefox 5, at least, a really bad idea.
You are in a maze of twisty little relative jumps, all alike.
They are trying to copy or catch up with Chrome on the version numbering thing, but they are missing something important here. With Chrome, it gets auto-updated all the time (at least mine is, on both OS X and Ubuntu), to where I've always got the latest and greatest, and all the inherent security fixes and such. If I had to manually download a new copy of Chrome regularly, even every three months, I would grow tired of it. But the auto-updater does it for me; I installed Chrome once and am now done with that part of it. I couldn't tell you what version of Chrome I am running, except for I know it updated itself earlier this week.
Firefox, on the other hand, won't auto-update to a "major version", like going from 4.x to 5.x. Mozilla should know they had a hard enough time getting people to download a new copy, even when it took 18 months between major versions. People are not going to re-download it on such a quick schedule.
And Mozilla needs to update Firefox's handling of extensions, with its "max version" attribute. Once again, it was bad enough when there was a new FF update every 18 months and it took forever for the extension developers to make the simple integer change. All I have read this week with FF5 is how this extension and that extension disabled itself, when it will probably work just fine.
I was a long-time Firefox supporter and didn't like Chrome at first. Now I am either going with Chrome or Safari all the time, and feeling sad for the days when Firefox was the shiznit.
:q!
Although the move may have caught users by surprise, the decision to stop supporting Firefox 4 has been discussed within Mozilla for weeks.
Who cares what the users think about EOL'ing a product that was only released a few week ago. We The Developers are going to do what we want, users be damned.
It often is. Even if we leave out the obvious bias people might have about software they wrote, there's the simple fact that there are more users than developers, so the former will almost certainly run into bugs the latter didn't. And of course, any project with proper testing will continue finding new bugs all the time, so the developers have to decide which ones will be fixed (and which ones won't) before the release is declared "stable". All of which means that newly released "stable" software is usually anything but.
It would be totally irresponsible for distro maintainers to simply take the developers word that something is stable.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
Yes, I agree, the arbitrary version compatibility strings are the problem, for extensions in a lot of cases. A move from 4.x to 5.0 should not actually break many (or any?) extensions, because they haven't changed those interfaces.
If there's no update for an extension that is essential and the versioning doesn't jibe, there's this extension:
https://addons.mozilla.org/en-US/firefox/addon/add-on-compatibility-reporter/
That allows you to ignore the compatibility version check, enable disabled extensions and submit "this extension works" or "this extension doesn't work" to developers.
I'm using Firefox 5.0 in Linux (self compiled), but in Windows I use Nightly, because it gives me a 64 bit firefox that gets updates. When Nightly reached a version number that was to disable my Status4Evar addon, I used the tool to enable it again and it's still working with the firefox version being 7.0a1
They make it sound as if it is the users fault. The users are not there so you can code. You should not code despite of the users.
I now need to run firefox with the -P option, because they do not allow me to run two instances at the same time (No, I do not mean a second window). Running it over ssh needs an extra parameter.
It does a lot of other things against logic, like updating itself instead of letting my distro do that.
With everything they do I get a feeling that the developers think they are holier then thou. They do things because they can and/or because it is fun to do for them.
At this moment the only thing that keeps me with Firefox is the add-ons, but I will making a list of the importance of all plugins and see if there is an alternative elsewhere.
They, of all browsers, should know how fast people can switch and loose everything again.
Don't fight for your country, if your country does not fight for you.
Why use the latest version? Newer versions are not better, they do not have fewer bugs, they do not have better features. I'm certainly never going to upgrade and disrupt my work merely to make some total stranger happy.
Christian Legnitto, the Firefox release manager, put it most succinctly on May 25: 'Firefox 5 will be the security update for Firefox 4.' Problem is, users are being prompted to upgrade now but are hesitant because the new rapid release of updates means many add-ons are not compatible. And without security updates in between, many could be left exposed with unpatched browsers."
Came to say that.
Don't the people in charge think these things through? It appears not.
The new versioning schema is the new security hole in Firefox.
And all done for no real gain or benefit.
Idiots.
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
If it's "stealing" to view a web site without "viewing" the ads, then it's "stealing" to mute the TV during a commercial, or change the channel, or go to the bathroom. Same for the radio.
I have made no agreement with any web site owners to look at or download any content they may place in their pages. Site owners who make content freely-viewable do so at their own risk, without any guarantees.
Don't let the **AAs co-opt the meaning of "theft". Don't let them brainwash you.
Next thing you know, people will be saying that it's "stealing" to go to a site without CLICKING ads. Good grief. Grow a spine! Stand up to the idiocy!
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
Firefox 5 is more like Firefox 4.1 in truth, the only thing this rapid release crap has done is confused everyone with thinking what is actually a minor update is a major break lots of extensions update.
the only real reason to stay with firefox is the add-on's, just like one few the few reasons to stay with windows is the huge software library. They need to fix breaking add-ons, and they need to do it now
How the hell do you work that into the new versioning system?! The only way would be for the browser itself to "know" that Firefox 5 is basically Firefox 4 and not flag addons written for "4.0+".
Am I supposed to assume that an addon I write against Firefox 4 will work in Firefox 5 and Firefox 6, when the same was certainly not true for Firefox 1 to 2 - and 2 to 3, and 3 to 4? When will they be changing the API again? Am I supposed to be psychic when setting the maxVersion number?
Two things they could do. The one they probably should do right away is to decouple the API versions from the program versions, since those have become meaningless. Heck, even Windows did this when their marketing department got the clout Mozilla's seems to have - developers could still query the real (meaningful) version number even though the box had a year or stupid name on it. They could leave things as they are now for addon developers or they could introduce a new maxAPIVersion check, one time.
If they were feeling energetic, they could teach the browser how to introspect its API changes and make smart decisions. Say, an addon uses foo() and bar() - those did not change since the maxVersion release, so run the addon. Another addon uses foo() and baz() and declares the same maxVersion. The browser knows that baz() changed semantically, so it prevents baz() from running.
I'd probably rather see that approach since it takes the weight off of thousands of developers and puts it onto one or two.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)