Slashdot Mirror
No Additional Firefox 4 Security Updates
CWmike writes "Unnoticed in the Tuesday release of Firefox 5 was Mozilla's decision to retire Firefox 4, shipped just three months ago. Mozilla spelled out vulnerabilities it had patched in that edition and in 2010's Firefox 3.6, but it made no mention of any bugs fixed in Firefox 4 on Tuesday, because Firefox 4 has reached what Mozilla calls EOL, for 'end of life,' for patches. Although the move may have caught users by surprise, the decision to stop supporting Firefox 4 has been discussed within Mozilla for weeks. In a mozilla.dev.planning mailing list thread, Christian Legnitto, the Firefox release manager, put it most succinctly on May 25: 'Firefox 5 will be the security update for Firefox 4.' Problem is, users are being prompted to upgrade now but are hesitant because the new rapid release of updates means many add-ons are not compatible. And without security updates in between, many could be left exposed with unpatched browsers."
For Firefox 6.0
...they would be fine.
However, it looks like Mozilla failed to communicate it well enough, thinking their own notice was enough. The result is that Mozilla seems to take Microsoft's path for once - refusing to patch security issues on a relatively new release, and washing their hands clean with an EOL.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
I would not be surprised if their new release cycle causes their marketshare to start shrinking in a significant fashion.
I have been a long-time Firefox user (ever since it was Phoenix) and their current release philosophy is really turning me off. They just seem so misguided and detached from reality.
Are they trying to kill their user base ?
Anybody serious deploying system WILL NOT ship a mozilla product. Obsoleting a software 3 month after its release is ridiculous. You can't try to get market share and killa release in 3 month. If you don't plan to give any support, call that a development version!
I am SO disappointed in them!
Slashdot story
No big news, except that the Mozilla Foundation has gone out of its mind. I think I'll stick with Firefox 3 until it reaches end of life, and then upgrade to Firefox 25.
I really don't want to have to push out a brand new version of FF every few months and risk breaking my users' plugins that they use.
"A plan fiendishly clever in its intricacies"- Homer Simpson
Version numbers don't matter any more. This is really not a major release. It is an incremental upgrade, just like Chrome and just like the Linux kernel. It is a new way of developing software that has been happening for a while now.
This is the exact behavior that will drive users away. It's more disruptive than the KDE 4.0 debacle.
I've been a committed Firefox user for many years, using daily many plugins that I find irreplaceable (zotero, noscript). I'm now seriously considering alternatives. I find it irresponsible that Mozilla would not stand behind the major release of one of their products for more than three months.
As I remember, the Mozilla Add-ons site does not allow plugins to be posted if they have a maxVersion that hasn't been released yet (that's the gist of it anyway).
You might be able to post an add-on with a maxVersion of 4.1alpha or something, but it would break on 4.1 final. Of course, there's no way to quickly re-enable the add-on, because Mozilla thinks you can't be trusted to run your own browser, an interesting concept coming from open source software.
The right to protest the State is more sacred than the State.
If it helps you sleep at night, the nightly builds are currently 7.0a1, and planning for FF8 is underway. And prior to FF4, Gecko was still in the 1.9 numbering series. (They bumped it up to match the FF version release.)
Ironically, SeaMonkey is still at version 2, when it comes from a branch of the Netscape tree that should make it six or seven.
And furthermore, all of these web browsers are identified as Mozilla/5.0 in their user agents.
Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
This whole version number thing is insane and pissing off anyone who needs a singe stable version that is supported for a reasonable length of time.
If they wanted to up the version number they should have just skipped 4, 5, 6, 7, 8, 9, 10 to 11 or 12. Or since everyone skips 13 anyway just go directly to 14 and be done with it. Then keep it there for at least a year.
Mozilla Corporation gets most of its funds from Google. Something to keep in mind in regards to the future of Firefox...
My gut says, barring some significant change in funding / lead developers, that Firefox's future is bleak - what's happening now feels to me so much like what happened back when Netscape jumped the shark with their bloated Communicator suite. People bailed in droves.
The ideal situation would be for a group of developers to fork Firefox 3.6.x, throw in some of the improvements from 4, and run with it. Many would be greatly appreciative, and likely support it in both time and donations; don't make the same mistake as Mozilla Foundation has in regards to relying too much on any one major donor.
Who, exactly, is the rapid release schedule helping? It's certainly not helping web developers and organizations who try to list their supported browser versions and actually try to code towards those versions. The quickest path to get the corporate PHBs to stop supporting your browser is to have the IT staff say "Guess what, the next version of Firefox is already out so we need to make updates." At some places, support for browsers other than IE is tenuous at best, so making it more difficult to support these browsers only hurts the browser manufacturers.
Want to gain more support? Release a stable product, with wide support for standards and add-ons, and do so on a sane, well-publicized schedule. People don't care about version numbers; updating software isn't something people want or like to do. Why are you making it more difficult and cumbersome for users to use your product?
Because that's not the way the addon versioning system works?
Look, it's really pretty simple. An addon needs to say what versions of Firefox it supports, as the API is known to change with each version.
The old rule was that you were pretty safe in assuming that the "patch level" number (the third/fourth number depending on release) could change without breaking any addons. Changing the minor number might break existing addons and could add new APIs. (For example, the change from Firefox 3.5 to 3.6.)
Changing the major number indicated a major change in functionality that could, potentially, require addons to be rewritten. (For example, Firefox 2 to Firefox 3.)
How the hell do you work that into the new versioning system?! The only way would be for the browser itself to "know" that Firefox 5 is basically Firefox 4 and not flag addons written for "4.0+".
Am I supposed to assume that an addon I write against Firefox 4 will work in Firefox 5 and Firefox 6, when the same was certainly not true for Firefox 1 to 2 - and 2 to 3, and 3 to 4? When will they be changing the API again? Am I supposed to be psychic when setting the maxVersion number?
Keep in mind that it's the browser itself that enforces these version checks. It's not something that addon developers really have any control over.
You are in a maze of twisty little relative jumps, all alike.
Dear Mozilla: Pull your head out of Chrome's ass.
Conservative, mod down for violating
But that is merely a symptom, not the cause.
If nothing else, the new release philosophy causes the incredibly stupid approach to add-on compatibility to be highlighted.
People have complained about add-ons 'breaking' for years with other (point) releases, usually stating that after updating the maxVersion string manually, or using Nightly Tester Tools to override, the add-on continues to work perfectly fine.
Perhaps it's wishful thinking.. but part of me is hoping that the new release schedule forces Mozilla, and the community, to re-think add-on compatibility reporting; flagging add-ons as 'broken' not by default, but after testing.
End Of Life after THREE FUCKING MONTHS?? Who the fuck thought this was a good decision?
CDE open sourced! https://sourceforge.net/projects/cdesktopenv/
No no, FF5 wasn't released in the US, at least not for SNES. FF4 was rebranded as FF2, and FF6 as FF3.
It sounds like browser version numbers are designed to be a poor proxy for plugin API version. Therefore, I have to wonder, why not version the API instead (i.e. Firefox Plugin API 2.1 in Firefox 5.0)? Plus, you even get backwards compatibility since it becomes trivial to have multiple APIs and use the highest one the plugin is compatible with.
You are not kidding, half of my add-ons/plugins are not compatible to the new release. so I'll sit on the sidelines for a while.
Now I think that Firefox should find a point and say, clean up time, make a few versions updates, then poll the community for the next official features, this way you get some stability over time and new features, heck I don't mind if they did that every 9 months, at lease I would know that the older versions would be somewhat safe to utilize on the current platform of my firm.
if you see me, smile and say hello.
Although the move may have caught users by surprise, the decision to stop supporting Firefox 4 has been discussed within Mozilla for weeks.
Who cares what the users think about EOL'ing a product that was only released a few week ago. We The Developers are going to do what we want, users be damned.
Yes, I agree, the arbitrary version compatibility strings are the problem, for extensions in a lot of cases. A move from 4.x to 5.0 should not actually break many (or any?) extensions, because they haven't changed those interfaces.
If there's no update for an extension that is essential and the versioning doesn't jibe, there's this extension:
https://addons.mozilla.org/en-US/firefox/addon/add-on-compatibility-reporter/
That allows you to ignore the compatibility version check, enable disabled extensions and submit "this extension works" or "this extension doesn't work" to developers.
I'm using Firefox 5.0 in Linux (self compiled), but in Windows I use Nightly, because it gives me a 64 bit firefox that gets updates. When Nightly reached a version number that was to disable my Status4Evar addon, I used the tool to enable it again and it's still working with the firefox version being 7.0a1
They make it sound as if it is the users fault. The users are not there so you can code. You should not code despite of the users.
I now need to run firefox with the -P option, because they do not allow me to run two instances at the same time (No, I do not mean a second window). Running it over ssh needs an extra parameter.
It does a lot of other things against logic, like updating itself instead of letting my distro do that.
With everything they do I get a feeling that the developers think they are holier then thou. They do things because they can and/or because it is fun to do for them.
At this moment the only thing that keeps me with Firefox is the add-ons, but I will making a list of the importance of all plugins and see if there is an alternative elsewhere.
They, of all browsers, should know how fast people can switch and loose everything again.
Don't fight for your country, if your country does not fight for you.
Christian Legnitto, the Firefox release manager, put it most succinctly on May 25: 'Firefox 5 will be the security update for Firefox 4.' Problem is, users are being prompted to upgrade now but are hesitant because the new rapid release of updates means many add-ons are not compatible. And without security updates in between, many could be left exposed with unpatched browsers."
Came to say that.
Don't the people in charge think these things through? It appears not.
The new versioning schema is the new security hole in Firefox.
And all done for no real gain or benefit.
Idiots.
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
Firefox 5 is more like Firefox 4.1 in truth, the only thing this rapid release crap has done is confused everyone with thinking what is actually a minor update is a major break lots of extensions update.
the only real reason to stay with firefox is the add-on's, just like one few the few reasons to stay with windows is the huge software library. They need to fix breaking add-ons, and they need to do it now
How the hell do you work that into the new versioning system?! The only way would be for the browser itself to "know" that Firefox 5 is basically Firefox 4 and not flag addons written for "4.0+".
Am I supposed to assume that an addon I write against Firefox 4 will work in Firefox 5 and Firefox 6, when the same was certainly not true for Firefox 1 to 2 - and 2 to 3, and 3 to 4? When will they be changing the API again? Am I supposed to be psychic when setting the maxVersion number?
Two things they could do. The one they probably should do right away is to decouple the API versions from the program versions, since those have become meaningless. Heck, even Windows did this when their marketing department got the clout Mozilla's seems to have - developers could still query the real (meaningful) version number even though the box had a year or stupid name on it. They could leave things as they are now for addon developers or they could introduce a new maxAPIVersion check, one time.
If they were feeling energetic, they could teach the browser how to introspect its API changes and make smart decisions. Say, an addon uses foo() and bar() - those did not change since the maxVersion release, so run the addon. Another addon uses foo() and baz() and declares the same maxVersion. The browser knows that baz() changed semantically, so it prevents baz() from running.
I'd probably rather see that approach since it takes the weight off of thousands of developers and puts it onto one or two.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)