Proposal for keeping our 3.6 users secure

378 views
Skip to first unread message

Alex Keybl

unread,
Mar 29, 2012, 12:26:59 PM3/29/12
to mozilla.dev.planning group
We've been discussing ways to keep our 3.6 users safe, given that support for Firefox 3.6 ends in about a month on April 24th. Several steps have been taken so far: we've communicated that date repeatedly, we've blogged about the 3.6 support change, and we've offered 3.6 users upgrades to the latest version of Firefox on a regular basis since Firefox 4's release. Now it's time to discuss ways to reach the 3.6 users who still haven't upgraded, to ensure Firefox continues to keep them safe.

After Firefox 12's release, we plan to directly warn all of our 3.6 users that they are no longer secure and should update to the latest version of Firefox via an advertised update. We know this won't secure everyone though - those prompts are easy to dismiss when you're busy. Given that, I propose that a few weeks after this warning we offer an automatic update for all Firefox 3.6 users with updates enabled, bringing them up to Firefox 12. After Firefox 13's release, we'd again offer an automatic update to Firefox 12 [1], this time disabling the add-on compatibility check entirely [2].

I'd like to get feedback on this plan, but please stay on topic. I can foresee long digressions about why some users have stayed on 3.6, but after EOL staying on 3.6 is simply not a safe choice. My proposal here is intended to put our users' security first and foremost. To understand how quickly critical security vulnerabilities will pile up after the end of 3.6's life, take a quick look at the security team's 3.6 advisories.

Please provide feedback you may have by the beginning of next week (4/2), so that we can begin making the necessary preparations with Release Engineering. Thanks!

-Alex Keybl
Release Manager at Mozilla


[1] Please note that we must continue to update 3.6 users to Firefox 12 as it's the last release to support Win2K and early versions of XP. Once on FF12, they'll either receive an automatic update to FF13 or a message explaining that they need to upgrade their version of Windows
[2] A majority of add-ons should now be automatically compatible thanks to DTC

Hubert Figuière

unread,
Mar 29, 2012, 1:27:53 PM3/29/12
to dev-pl...@lists.mozilla.org
On 29/03/12 09:26 AM, Alex Keybl wrote:

> After Firefox 12's release, we plan to directly warn all of our 3.6
> users that they are no longer secure and should update to the latest
> version of Firefox via an advertised update. We know this won't
> secure everyone though - those prompts are easy to dismiss when
> you're busy. Given that, I propose that a few weeks after this
> warning we offer an automatic update for all Firefox 3.6 users with
> updates enabled, bringing them up to Firefox 12. After Firefox 13's
> release, we'd again offer an automatic update to Firefox 12 [1], this
> time disabling the add-on compatibility check entirely [2].

The problem is that if you warn 3.6 users on Mac PPC or MacOS < 10.5,
then it is not gonna be good as both PPC and MacOS < 10.5 have been
dropped starting Firefox 4.

If you look at the support question there have been a lot of case were
people downloaded an update that didn't work for their platform. And I'm
sure we want to avoid this.

Cheers,

Hub

Anthony Hughes

unread,
Mar 29, 2012, 1:40:28 PM3/29/12
to Alex Keybl, dev-pl...@lists.mozilla.org
On 03/29/2012 09:26 AM, Alex Keybl wrote:
> Once on FF12, they'll either receive an automatic update to FF13 or a message explaining that they need to upgrade their version of Windows
So what happens to the user running on Win2k who updates from 3.6
(supported) -> 12 (supported) -> 13 (unsupported)? Will Firefox 13 even
work on Win2k? Will it work but it could have untested problems? If not,
then I foresee a couple of different scenarios...

1) If we update them from 3.6 -> 12 -> 13, they'll remain "safe" via
security fixes but may notices "glitches" due to untested feature code
on Win2k.

2) If we update them from 3.6 -> 12 and given them no option to upgrade,
other than upgrading Windows, does that turn 12 into an LTS release we
need to support with security fixes?

Sidebar...
I know this has been discussed and decided against in meetings already,
but I thought I'd bring it up one last time. What's the rationale behind
for not pushing the final stragglers (those who opt out from Firefox 12
and 13) to ESR? This would at least keep the safe and secure for another
few months (until ESR17).

That said, it could be argued that if people haven't upgraded yet (we'll
have given them 10 major releases to update to since 4.0), they likely
won't. That said, it could be argued that we should "brick" their
Firefox installation to keep them and the web safe.

--
Anthony Hughes
Quality Engineer, Mozilla

David Rajchenbach-Teller

unread,
Mar 29, 2012, 1:42:53 PM3/29/12
to dev-pl...@lists.mozilla.org
On 3/29/12 7:40 PM, Anthony Hughes wrote:

> That said, it could be argued that if people haven't upgraded yet (we'll
> have given them 10 major releases to update to since 4.0), they likely
> won't. That said, it could be argued that we should "brick" their
> Firefox installation to keep them and the web safe.

You do realize that this would brick a number of people that cannot
upgrade due to their OS version?
These people would simply lose valuable information, hate us, and never
again use Firefox.

Cheers,
David

--
David Rajchenbach-Teller, PhD
Performance Team, Mozilla

signature.asc

Anthony Hughes

unread,
Mar 29, 2012, 1:48:26 PM3/29/12
to dev-pl...@lists.mozilla.org
Yup, I realize that. However, the alternative is that we leave a lot of
users (in the millions) on extremely vulnerable software. Either way,
it's a harmful prospect.

Let me be clear that I'm not advocating this idea -- I'm merely throwing
it out there.

On 03/29/2012 10:42 AM, David Rajchenbach-Teller wrote:
> On 3/29/12 7:40 PM, Anthony Hughes wrote:
>
>> That said, it could be argued that if people haven't upgraded yet (we'll
>> have given them 10 major releases to update to since 4.0), they likely
>> won't. That said, it could be argued that we should "brick" their
>> Firefox installation to keep them and the web safe.
> You do realize that this would brick a number of people that cannot
> upgrade due to their OS version?
> These people would simply lose valuable information, hate us, and never
> again use Firefox.
>
> Cheers,
> David
>
>
>
> _______________________________________________
> dev-planning mailing list
> dev-pl...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-planning

Alex Keybl

unread,
Mar 29, 2012, 2:11:28 PM3/29/12
to Anthony Hughes, dev-pl...@lists.mozilla.org
> 1) If we update them from 3.6 -> 12 -> 13, they'll remain "safe" via security fixes but may notices "glitches" due to untested feature code on Win2k.

Once users are on FF12, we have the ability to prevent Win2k or XP SP1 users from updating any further and can also communicate options to them for staying secure. They will not be updated to FF13 and are blocked from running the installer.

> 2) If we update them from 3.6 -> 12 and given them no option to upgrade, other than upgrading Windows, does that turn 12 into an LTS release we need to support with security fixes?

3.6 users on Win2k or XP SP1 will be on an insecure version of Firefox if they don't upgrade to FF12. Upgrading 3.6 users to FF12 allows us to have targeted communications to Win2K/XP users about how they can receive future Firefox updates.

> I know this has been discussed and decided against in meetings already, but I thought I'd bring it up one last time. What's the rationale behind for not pushing the final stragglers (those who opt out from Firefox 12 and 13) to ESR? This would at least keep the safe and secure for another few months (until ESR17).

This has been discussed on a few lists already, for reference here's one example: https://groups.google.com/forum/#!topic/mozilla.dev.planning/ES9gyr0mMEc. And an excerpt from that discussion:

> Even still, I think there's more concern here than just messaging. We would be very quickly changing the scope of what ESR was envisioned as. I imagine this would have a larger effect on support, as these users would not have corporate IT around to help them work through any issues (thus pushing support onto SUMO).

Moving 3.6 users to the ESR would change the scope significantly for support and engineering. Supporting organizations separately is a much more manageable task than carrying on with two supported user branches.

-Alex

On Mar 29, 2012, at 10:40 AM, Anthony Hughes wrote:

> On 03/29/2012 09:26 AM, Alex Keybl wrote:
>> Once on FF12, they'll either receive an automatic update to FF13 or a message explaining that they need to upgrade their version of Windows
> So what happens to the user running on Win2k who updates from 3.6 (supported) -> 12 (supported) -> 13 (unsupported)? Will Firefox 13 even work on Win2k? Will it work but it could have untested problems? If not, then I foresee a couple of different scenarios...
>
> 1) If we update them from 3.6 -> 12 -> 13, they'll remain "safe" via security fixes but may notices "glitches" due to untested feature code on Win2k.
>
> 2) If we update them from 3.6 -> 12 and given them no option to upgrade, other than upgrading Windows, does that turn 12 into an LTS release we need to support with security fixes?
>
> Sidebar...
> I know this has been discussed and decided against in meetings already, but I thought I'd bring it up one last time. What's the rationale behind for not pushing the final stragglers (those who opt out from Firefox 12 and 13) to ESR? This would at least keep the safe and secure for another few months (until ESR17).
>
> That said, it could be argued that if people haven't upgraded yet (we'll have given them 10 major releases to update to since 4.0), they likely won't. That said, it could be argued that we should "brick" their Firefox installation to keep them and the web safe.
>

Anthony Hughes

unread,
Mar 29, 2012, 2:15:18 PM3/29/12
to Alex Keybl, dev-pl...@lists.mozilla.org
Thanks for the clear answers on all my questions, Alex. This all makes
sense to me.

Ron Hunter

unread,
Mar 29, 2012, 2:58:53 PM3/29/12
to
Make sure they understand the risk, and even suggest an alternative
program (if there IS one), if necessary. Bricking isn't a good option,
for anyone. Forcing updates on machines that aren't supported isn't
good either. It's 6 of one, 1/2 dozen of the other. No good options.

Jesse Ruderman

unread,
Mar 29, 2012, 3:30:45 PM3/29/12
to Alex Keybl, mozilla.dev.planning group
> After Firefox 12's release, we plan to directly warn all of our 3.6 users that they are no longer secure and should update to the latest version of Firefox via an advertised update. We know this won't secure everyone though - those prompts are easy to dismiss when you're busy. Given that, I propose that a few weeks after this warning we offer an automatic update for all Firefox 3.6 users with updates enabled, bringing them up to Firefox 12. After Firefox 13's release, we'd again offer an automatic update to Firefox 12 [1], this time disabling the add-on compatibility check entirely [2].

This entire timeline needs to move up by about 6 weeks. I and other
security researchers are not going to wait until some time after
Firefox *13* is released before releasing tools and exploits to break
the already-EOL'ed Firefox 3.6.

The advertised-update prompt should just say "For your safety, Firefox
will update itself in 2 weeks. Update today?" This is gentler and less
likely to surprise users who click Cancel.

Again, this has to happen *before* Firefox 3.6 is EOLed.

> [1] Please note that we must continue to update 3.6 users to Firefox 12 as it's the last release to support Win2K and early versions of XP. Once on FF12, they'll either receive an automatic update to FF13 or a message explaining that they need to upgrade their version of Windows

These users need to be warned about the need to update their OS
*before* they get EOLed.

I think users on these old versions of Windows should be updated to
Firefox 10 ESR, not Firefox 12, because most of them are not going to
update their OS in the next 2 months.

Alex Keybl

unread,
Mar 29, 2012, 4:19:02 PM3/29/12
to Jesse Ruderman, mozilla.dev.planning group
> This entire timeline needs to move up by about 6 weeks. I and other
> security researchers are not going to wait until some time after
> Firefox *13* is released before releasing tools and exploits to break
> the already-EOL'ed Firefox 3.6.

If we were to move the timeline up, only the advertised update would be a possibility ahead of 4/24. Offering an automatic update before EOL seems counter-intuitive, since we're still supporting 3.6 until that date.

> These users need to be warned about the need to update their OS
> *before* they get EOLed.

Prompts for Firefox 12 users on Win2K/XP warning of the support change in FF13 will occur shortly after FF12's release. 3.6 users will see this messaging almost immediately after updating to Firefox 12.

-Alex

Jesper Kristensen

unread,
Mar 29, 2012, 4:55:14 PM3/29/12
to
How much do you expect this to help get users upgraded, considering that
there seems to be slightly more users on on Firefox 4-9 combined
compared to Firefox 3.6, and those newer versions are supposed to update
automatically.

Alex Keybl

unread,
Mar 29, 2012, 6:18:23 PM3/29/12
to Jesper Kristensen, dev-pl...@lists.mozilla.org
Hi Jesper,

There's an ongoing investigation into why some Firefox 4+ users aren't receiving automatic updates - it's unclear if they've turned off updates or are running into other issues. Because we've never offered automatic updates from Firefox 3.6 to 4+, however, we expect to have a very good uptake.

-Alex

Henri Sivonen

unread,
Mar 30, 2012, 2:48:04 AM3/30/12
to mozilla.dev.planning group
On Thu, Mar 29, 2012 at 7:26 PM, Alex Keybl <ake...@mozilla.com> wrote:
> I propose that a few weeks after this warning we offer an automatic update for all Firefox 3.6 users with updates enabled, bringing them up to Firefox 12.

I think it makes sense to push the upgrade, but in order to minimize
user distress (and hate towards Mozilla) from this upgrade, I suggest
doing it in such a way that the toolbar configuration is preserved:
* the menubar is kept visible
* the tabs are kept below the location bar
* the bookmark toolbar is kept visible

Assuming that there is a first run page that explains what has
happened, the first run page could explain the there is now the option
to switch from the menu bar to a Firefox button and to move the tabs
to the top. Even if we believe that the new configuration is better,
letting the user adopt the new configuration explicitly makes the
experience less disruptive than changing the configuration in an
automatic update.

--
Henri Sivonen
hsiv...@iki.fi
http://hsivonen.iki.fi/

Nicholas Nethercote

unread,
Mar 30, 2012, 5:38:04 AM3/30/12
to Alex Keybl, mozilla.dev.planning group
On Fri, Mar 30, 2012 at 3:26 AM, Alex Keybl <ake...@mozilla.com> wrote:
>
> After Firefox 12's release, we plan to directly warn all of our 3.6 users that they are no longer secure and should update to the latest version of Firefox via an advertised update. We know this won't secure everyone though - those prompts are easy to dismiss when you're busy. Given that, I propose that a few weeks after this warning we offer an automatic update for all Firefox 3.6 users with updates enabled, bringing them up to Firefox 12. After Firefox 13's release, we'd again offer an automatic update to Firefox 12 [1], this time disabling the add-on compatibility check entirely [2].

In our warnings can we please please please emphasize that add-ons are
now compatible by default? I don't have data but I suspect a decent
chunk of those on 3.6 didn't upgrade because they were worried about
add-ons breaking during the rapid release cycle.

Similarly, I think promoting the ESR is a great idea. Sure, it may be
aimed at enterprise, but given the choice between a user who (a)
sticks with 3.6, (b) switches to another browser, or (c) switches to
ESR, I think it's a no-brainer that (c) is the best for Mozilla.

Nick

Henri Sivonen

unread,
Mar 30, 2012, 5:50:53 AM3/30/12
to dev-pl...@lists.mozilla.org
On Thu, Mar 29, 2012 at 8:27 PM, Hubert Figuière <h...@mozilla.com> wrote:
> The problem is that if you warn 3.6 users on Mac PPC or MacOS < 10.5,
> then it is not gonna be good as both PPC and MacOS < 10.5 have been
> dropped starting Firefox 4.

Could Mac PPC 3.6 users be shown a message that says
1) Mozilla is no longer supporting their platform
2) They can get a browser based on the Firefox codebase from
http://www.floodgap.com/software/tenfourfox/
?

Ron Hunter

unread,
Mar 30, 2012, 7:12:49 AM3/30/12
to
I would like to see a '3.6 conversion kit' that would include defaults
that would install preconfigured themes and extensions intended to make
FF12 look as much like FF 3.6 as possible, and information on how they
can revert to the new look if they want to try it out. Many of these
users are highly resistant to ANY kind of change, and rather comfortable
with things are the were. I don't think there is much chance of
changing their perceptions. THis would, at least, cushion the shock of
going from a default 3.6 to default 12 in one leap.

Robert Kaiser

unread,
Mar 30, 2012, 10:48:26 AM3/30/12
to
Hubert Figuière schrieb:
> The problem is that if you warn 3.6 users on Mac PPC or MacOS< 10.5,
> then it is not gonna be good as both PPC and MacOS< 10.5 have been
> dropped starting Firefox 4.

We surely won't send an update to those people, as we can easily detect
this in our update system.

I still think we should give those people on unsupported OSes a clear
message that *their OS vendor* abandoned them and that makes them
insecure, and we don't offer further updates to them as it would just
give them an impression of being secure while they are not. Their only
option is to switch to a newer OS, and we should tell them about that.

Robert Kaiser

Jorge Villalobos

unread,
Mar 30, 2012, 11:18:08 AM3/30/12
to Nicholas Nethercote, Alex Keybl, mozilla.dev.planning group
It is possible that these users have installed add-ons that don't
qualify for DTC, though. An add-on needs to support at least Firefox 4
to qualify, and there were many add-ons that were never adapted to work
on 4. It might look disingenuous if we tell people their add-ons will
automatically work and then they don't.

We're looking for alternatives to popular pre-Firefox 4 add-ons to try
to move as many users as possible to them before the EOL.

- Jorge

Jorge Villalobos

unread,
Mar 30, 2012, 11:18:08 AM3/30/12
to Nicholas Nethercote, mozilla.dev.planning group, Alex Keybl
On 3/30/12 3:38 AM, Nicholas Nethercote wrote:

Daniel Cater

unread,
Mar 30, 2012, 11:28:34 AM3/30/12
to mozilla.de...@googlegroups.com, mozilla.dev.planning group
I have 2 questions:

1. Do you know how many of the users that are on 3.6 can't update because they don't have admin privileges? If not, can this be added?

2. Presumably Fx 13 will have security fixes over Fx 12. If you advertise Fx 12 to people after Fx 13 is released, wouldn't that be the first time Mozilla has recommended a known-insecure browser as an update? I think it could be confusing to offer an already EOLd browser as an update. Obviously a newer EOLd browser is better than an older EOLd browser but it needs to be clear why there are no supported versions of Firefox available.

Daniel Cater

unread,
Mar 30, 2012, 11:28:34 AM3/30/12
to mozilla.dev.planning group

Cameron Kaiser

unread,
Mar 30, 2012, 12:10:40 PM3/30/12
to
For Mac PPC specifically, I don't see many users moving to another OS
(the only other option, really, is Linux PPC and besides spotty
support for hardware and updates, it won't run their old
applications). Now that Apple won't let PPC apps run on Lion at all,
there's really no choice except to keep a Snow Leopard Mac or a Power
Mac around if they have legacy software they need to run, and SL
itself isn't going to be supported for much longer than a year more
given the impending release of Mountain Lion. I think that should
figure into whatever advice is presented to those users because
particularly for PPC 10.4 and 10.5 there is no good substitute.

Cameron Kaiser

Alex Keybl

unread,
Mar 30, 2012, 12:32:10 PM3/30/12
to Henri Sivonen, mozilla.dev.planning group
Rather than spending resources on new 3.6->12 migration functionality, we'll likely note the most significant differences on a 3.6 specific What's New page. The ability to target specific "from versions" (3.6 in this case) with a WN page on update was implemented in https://bugzilla.mozilla.org/show_bug.cgi?id=739793.

-Alex

On Mar 29, 2012, at 11:48 PM, Henri Sivonen wrote:

> On Thu, Mar 29, 2012 at 7:26 PM, Alex Keybl <ake...@mozilla.com> wrote:
>> I propose that a few weeks after this warning we offer an automatic update for all Firefox 3.6 users with updates enabled, bringing them up to Firefox 12.
>
> I think it makes sense to push the upgrade, but in order to minimize
> user distress (and hate towards Mozilla) from this upgrade, I suggest
> doing it in such a way that the toolbar configuration is preserved:
> * the menubar is kept visible
> * the tabs are kept below the location bar
> * the bookmark toolbar is kept visible
>
> Assuming that there is a first run page that explains what has
> happened, the first run page could explain the there is now the option
> to switch from the menu bar to a Firefox button and to move the tabs
> to the top. Even if we believe that the new configuration is better,
> letting the user adopt the new configuration explicitly makes the
> experience less disruptive than changing the configuration in an
> automatic update.
>
> --
> Henri Sivonen
> hsiv...@iki.fi
> http://hsivonen.iki.fi/

Alex Keybl

unread,
Mar 30, 2012, 12:36:36 PM3/30/12
to Henri Sivonen, Hub Figuière, dev-pl...@lists.mozilla.org
I looped back with RelEng about this yesterday. We need to think more about whether there's any way to communicate the EOL to desupported Mac users. Currently PPC and Darwin 6, 7, and 8 all have updates blocked to FF4+. I'm not aware of a mechanism besides the major update prompt that would allow us to target these users specifically, but in this case we don't have a version >3.6.28 that we can offer to these Mac users in order to prompt them specifically.

-Alex

On Mar 30, 2012, at 2:50 AM, Henri Sivonen wrote:

> On Thu, Mar 29, 2012 at 8:27 PM, Hubert Figuière <h...@mozilla.com> wrote:
>> The problem is that if you warn 3.6 users on Mac PPC or MacOS < 10.5,
>> then it is not gonna be good as both PPC and MacOS < 10.5 have been
>> dropped starting Firefox 4.
>
> Could Mac PPC 3.6 users be shown a message that says
> 1) Mozilla is no longer supporting their platform
> 2) They can get a browser based on the Firefox codebase from
> http://www.floodgap.com/software/tenfourfox/
> ?
>

Alex Keybl

unread,
Mar 30, 2012, 12:52:44 PM3/30/12
to Daniel Cater, mozilla.dev.planning group, mozilla.de...@googlegroups.com
> 1. Do you know how many of the users that are on 3.6 can't update because they don't have admin privileges? If not, can this be added?

We sadly do not. There has been discussion about implementing a feature that does report this information in the future, however.

> 2. Presumably Fx 13 will have security fixes over Fx 12. If you advertise Fx 12 to people after Fx 13 is released, wouldn't that be the first time Mozilla has recommended a known-insecure browser as an update? I think it could be confusing to offer an already EOLd browser as an update. Obviously a newer EOLd browser is better than an older EOLd browser but it needs to be clear why there are no supported versions of Firefox available.

As touched upon earlier in the thread, our need to move users to FF12 even after FF13's release is a technical detail specifically meant to prevent bricking Win2K and early WinXP users. It will also allow us to communicate how they can continue to receive future updates.

-Alex

PhillipJones

unread,
Mar 30, 2012, 3:46:38 PM3/30/12
to
In some cases doing that requires the purchase of an expensive new
Computer, in some cases a new printer, new Scanner and other peripheral
equipment in addition to the new system just use to use an update Browser.

In some cases updating to that free new browser, will end up costing
that user several thousand Dollars they may not have.

--
Phillip M. Jones, C.E.T. "If it's Fixed, Don't Break it"
http://www.phillipmjones.net mailto:pjo...@kimbanet.com

PhillipJones

unread,
Mar 30, 2012, 3:50:29 PM3/30/12
to
Not very hard though there are some That I use in SM that were available
in both and newer version are non existent.

Example if some on would come up with QuoteColors for new SM version and
an Equivalent for NoSquint I would move to a newer version of SM.

Jorge Villalobos

unread,
Mar 30, 2012, 4:49:24 PM3/30/12
to pjo...@kimbanet.com
Well, I'm focusing on Firefox at the moment, since that's what we're the
most concerned about.

>
> Example if some on would come up with QuoteColors for new SM version and
> an Equivalent for NoSquint I would move to a newer version of SM.
>

Judging by its usage numbers, you can just override Quote Colors'
compatibility using the Add-on Compatibility Reporter and it will work
correctly. It looks abandoned unfortunately. As for NoSquint, I looked
at its history and it has never supported SM or TB as far as I can see,
so I don't know why you brought that one up.

- Jorge

Robert Strong

unread,
Mar 30, 2012, 5:00:22 PM3/30/12
to dev-pl...@lists.mozilla.org
On 3/30/2012 9:52 AM, Alex Keybl wrote:
>> 1. Do you know how many of the users that are on 3.6 can't update because they don't have admin privileges? If not, can this be added?
> We sadly do not. There has been discussion about implementing a feature that does report this information in the future, however.
Also, these users are notified that there is a new version available
that they can download and install along with a link as long as they
haven't manually disabled updates.

Robert

>
>> 2. Presumably Fx 13 will have security fixes over Fx 12. If you advertise Fx 12 to people after Fx 13 is released, wouldn't that be the first time Mozilla has recommended a known-insecure browser as an update? I think it could be confusing to offer an already EOLd browser as an update. Obviously a newer EOLd browser is better than an older EOLd browser but it needs to be clear why there are no supported versions of Firefox available.
> As touched upon earlier in the thread, our need to move users to FF12 even after FF13's release is a technical detail specifically meant to prevent bricking Win2K and early WinXP users. It will also allow us to communicate how they can continue to receive future updates.
>
> -Alex
>
> On Mar 30, 2012, at 8:28 AM, Daniel Cater wrote:
>

Justin Dolske

unread,
Mar 30, 2012, 9:06:34 PM3/30/12
to
On 3/30/12 9:32 AM, Alex Keybl wrote:
> Rather than spending resources on new 3.6->12 migration
> functionality, we'll likely note the most significant differences on
> a 3.6 specific What's New page. The ability to target specific "from
> versions" (3.6 in this case) with a WN page on update was implemented
> in https://bugzilla.mozilla.org/show_bug.cgi?id=739793.

Agreed. It's an interesting idea, but I don't think it's worth the time
and complexity. And if it was simply a matter of 3.6 users not updating
because of UI changes, we'd have to do a _lot_ more work to make Firefox
12 substantially feel like 3.6. Not going to happen.

Justin

Henri Sivonen

unread,
Mar 31, 2012, 10:07:49 AM3/31/12
to mozilla.dev.planning group
> On Mar 29, 2012, at 11:48 PM, Henri Sivonen wrote:
>> I think it makes sense to push the upgrade, but in order to minimize
>> user distress (and hate towards Mozilla) from this upgrade, I suggest
>> doing it in such a way that the toolbar configuration is preserved:
>> * the menubar is kept visible
>> * the tabs are kept below the location bar
>> * the bookmark toolbar is kept visible

Actually, the bookmark toolbar is already preserved when upgrading
from 3.6. So what I suggested above reduces to the making the menu
bar visible and putting that tabs on the bottom when upgrading from
3.6 to 12.

On Fri, Mar 30, 2012 at 7:32 PM, Alex Keybl <ake...@mozilla.com> wrote:
> Rather than spending resources on new 3.6->12 migration functionality, we'll likely note the most significant differences  on a 3.6 specific What's New page. The ability to target specific "from versions" (3.6 in this case) with a WN page on update was implemented in https://bugzilla.mozilla.org/show_bug.cgi?id=739793.

I think it's a bit sad that resources won't be allocated to flipping
two booleans in configuration upon upgrade from 3.6 to 12 (it is a
supported configuration combination after all) when resources have
been allocated to keeping 3.6 alive for a year. Making the results
after the upgrade more familiar and less disruptive would mean that
fewer people would try to go back to the old insecure version. The
people left for the unprompted push are the most conservative people
and the people least likely to read any text we put in front of them.
(If they were reading text and making decisions that are in their past
interest based on what they read, they'd have chosen to upgrade to 12
when prompted and wouldn't be on 3.6 for the unprompted push.) If
people try to go back to the old version as a reaction to the user
interface changing in unfamiliar ways (they won't be reading text on
the welcome page if they didn't read the earlier upgrade prompt), the
whole point of autoupgrading them to a new version is defeated.

Philip Chee

unread,
Mar 31, 2012, 1:44:30 PM3/31/12
to
On 30/03/2012 19:12, Ron Hunter wrote:

> I would like to see a '3.6 conversion kit' that would include defaults
> that would install preconfigured themes and extensions intended to make
> FF12 look as much like FF 3.6 as possible, and information on how they
> can revert to the new look if they want to try it out. Many of these
> users are highly resistant to ANY kind of change, and rather comfortable
> with things are the were. I don't think there is much chance of
> changing their perceptions. THis would, at least, cushion the shock of
> going from a default 3.6 to default 12 in one leap.

<http://mike.kaply.com/2012/02/13/making-firefox-10-more-like-firefox-3-6/>

The Firefox 3.6 Behaviors add-on can be customized to provide the
following four behaviors to Firefox 10:

* Display the bookmarks bar
* Display the status bar
* Display the menu bar (on Windows)
* Display tabs on bottom

Phil

--
Philip Chee <phi...@aleytys.pc.my>, <phili...@gmail.com>
http://flashblock.mozdev.org/ http://xsidebar.mozdev.org
Guard us from the she-wolf and the wolf, and guard us from the thief,
oh Night, and so be good for us to pass.

David Rajchenbach-Teller

unread,
Mar 31, 2012, 2:27:55 PM3/31/12
to Henri Sivonen, dev-pl...@lists.mozilla.org
On 3/30/12 11:50 AM, Henri Sivonen wrote:
> On Thu, Mar 29, 2012 at 8:27 PM, Hubert Figuière <h...@mozilla.com> wrote:
>> The problem is that if you warn 3.6 users on Mac PPC or MacOS < 10.5,
>> then it is not gonna be good as both PPC and MacOS < 10.5 have been
>> dropped starting Firefox 4.
>
> Could Mac PPC 3.6 users be shown a message that says
> 1) Mozilla is no longer supporting their platform
> 2) They can get a browser based on the Firefox codebase from
> http://www.floodgap.com/software/tenfourfox/
> ?
>

Is anyone aware of any similar solution for Intel + MacOS < 10.5?

--
David Rajchenbach-Teller, PhD
Performance Team, Mozilla

signature.asc

Asa Dotzler

unread,
Mar 31, 2012, 2:58:16 PM3/31/12
to
On 3/31/2012 11:27 AM, David Rajchenbach-Teller wrote:
> On 3/30/12 11:50 AM, Henri Sivonen wrote:
>> On Thu, Mar 29, 2012 at 8:27 PM, Hubert Figuičre <h...@mozilla.com> wrote:
>>> The problem is that if you warn 3.6 users on Mac PPC or MacOS < 10.5,
>>> then it is not gonna be good as both PPC and MacOS < 10.5 have been
>>> dropped starting Firefox 4.
>>
>> Could Mac PPC 3.6 users be shown a message that says
>> 1) Mozilla is no longer supporting their platform
>> 2) They can get a browser based on the Firefox codebase from
>> http://www.floodgap.com/software/tenfourfox/
>> ?
>>
>
> Is anyone aware of any similar solution for Intel + MacOS < 10.5?
>

This is off-topic for this thread. Please take it to .support.

- A

David Rajchenbach-Teller

unread,
Mar 31, 2012, 4:12:16 PM3/31/12
to Asa Dotzler, dev-pl...@lists.mozilla.org
Let me rephrase: if we suggest tenfourfox to PPC users, it would be nice
to suggest something to Intel users, too.

Cheers,
David

On 3/31/12 8:58 PM, Asa Dotzler wrote:
>> Is anyone aware of any similar solution for Intel + MacOS < 10.5?
>>
>
> This is off-topic for this thread. Please take it to .support.
>
> - A
>
> _______________________________________________
> dev-planning mailing list
> dev-pl...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-planning


signature.asc

John Wilcock

unread,
Apr 2, 2012, 2:28:26 AM4/2/12
to
Le 30/03/2012 18:36, Alex Keybl a écrit :
> I looped back with RelEng about this yesterday. We need to think more
> about whether there's any way to communicate the EOL to desupported
> Mac users. Currently PPC and Darwin 6, 7, and 8 all have updates
> blocked to FF4+. I'm not aware of a mechanism besides the major
> update prompt that would allow us to target these users specifically,
> but in this case we don't have a version>3.6.28 that we can offer to
> these Mac users in order to prompt them specifically.

Wouldn't it be possible to build (or perhaps just repackage if the build
resources are no longer available) a fictional 3.6.29 that changes
absolutely nothing from 3.6.28 other than the ability to communicate
with the users?

Gervase Markham

unread,
Apr 2, 2012, 7:33:48 AM4/2/12
to pjo...@kimbanet.com
On 30/03/12 20:46, PhillipJones wrote:
> In some cases doing that requires the purchase of an expensive new
> Computer, in some cases a new printer, new Scanner and other peripheral
> equipment in addition to the new system just use to use an update Browser.
>
> In some cases updating to that free new browser, will end up costing
> that user several thousand Dollars they may not have.

Unfortunately, the magic "make it all better for free" option has not
yet materialized. We can't make the OS vendor re-start supporting their
OS, and we can't change the fact that using their OS on the internet is
dangerous.

Gerv


Alex Keybl

unread,
Apr 2, 2012, 12:33:07 PM4/2/12
to John Wilcock, dev-pl...@lists.mozilla.org
> Wouldn't it be possible to build (or perhaps just repackage if the build resources are no longer available) a fictional 3.6.29 that changes absolutely nothing from 3.6.28 other than the ability to communicate with the users?

It's technically possible to add a method of communicating the EOL to PPC and 10.5 Firefox 3.6 users, but to do so in a low-risk fashion would be difficult prior to EOL in three weeks. New features typically go through ~18 weeks of testing prior to release. A communication solution involving an existing landing page (perhaps http://www.google.com/firefox) would be preferable.

-Alex

Robert Kaiser

unread,
Apr 3, 2012, 12:38:20 PM4/3/12
to
Cameron Kaiser schrieb:
> For Mac PPC specifically, I don't see many users moving to another OS

I know you are putting a moster effort into supporting those users, and
I respect that, but I still personally believe that it's bordering to
being irresponsible to access the Internet from machines where the OS
doesn't get security updates any more, which unfortunately is the case
for those.

Robert Kaiser

Robert

unread,
May 6, 2012, 1:13:43 PM5/6/12
to
On Mar 29, 5:26 pm, Alex Keybl <ake...@mozilla.com> wrote:
> We've been discussing ways to keep our 3.6 users safe, given that support forFirefox 3.6ends in about a month on April 24th. Several steps have been taken so far: we've communicated that date repeatedly, we've blogged about the 3.6 support change, and we've offered 3.6 users upgrades to the latest version of Firefox on a regular basis since Firefox 4's release. Now it's time to discuss ways to reach the 3.6 users who still haven't upgraded, to ensure Firefox continues to keep them safe.
>
> After Firefox 12's release, we plan to directly warn all of our 3.6 users that they are no longer secure and should update to the latest version of Firefox via an advertised update. We know this won't secure everyone though - those prompts are easy to dismiss when you're busy. Given that, I propose that a few weeks after this warning we offer an automatic update for allFirefox 3.6users with updates enabled, bringing them up to Firefox 12. After Firefox 13's release, we'd again offer an automatic update to Firefox 12 [1], this time disabling the add-on compatibility check entirely [2].
>
> I'd like to get feedback on this plan, but please stay on topic. I can foresee long digressions about why some users have stayed on 3.6, but after EOL staying on 3.6 is simply not a safe choice. My proposal here is intended to put our users' security first and foremost. To understand how quickly critical security vulnerabilities will pile up after the end of 3.6's life, take a quick look at the security team's 3.6 advisories.
>
> Please provide feedback you may have by the beginning of next week (4/2), so that we can begin making the necessary preparations with Release Engineering. Thanks!
>
> -Alex Keybl
> Release Manager at Mozilla
>
> [1] Please note that we must continue to update 3.6 users to Firefox 12 as it's the last release to support Win2K and early versions of XP. Once on FF12, they'll either receive an automatic update to FF13 or a message explaining that they need to upgrade their version of Windows
> [2] A majority of add-ons should now be automatically compatible thanks to DTC

I would like to move to newer versions of FF, but I don't like the new
versions. I prefer my tabs underneath the toolbar, and prefer a
separate URL and search box. If there is a skin that can do that, I
will move.

Tom Schuster

unread,
May 6, 2012, 1:24:22 PM5/6/12
to Robert, dev-pl...@lists.mozilla.org
I am not sure what kind of Firefox version you were using, but even in
the latest Nightly there is still a separate URL and search box. You
can put the tabs below the URL bar by unchecking the "Tabs on Top"
option, which you can open by right clicking the space next to the
tabs.

Robert

unread,
May 6, 2012, 2:31:47 PM5/6/12
to
On May 6, 6:24 pm, Tom Schuster <t...@schuster.me> wrote:
> > dev-plann...@lists.mozilla.org
> >https://lists.mozilla.org/listinfo/dev-planning

Many thanks for that Tom! Is there is away to get the status bar to
show permanently in FF12? It only hovers, which is quite annoying. I
know you can do Control+/ but that's not what I am talking about - I
want what the hover/floating bar showing permanently. Cheers.

David E. Ross

unread,
May 6, 2012, 3:55:08 PM5/6/12
to
Switch to SeaMonkey. There are no current plans to eliminate the status
bar.

--

David E. Ross
<http://www.rossde.com/>.

Anyone who thinks government owns a monopoly on inefficient, obstructive
bureaucracy has obviously never worked for a large corporation.
© 1997 by David E. Ross

Asa Dotzler

unread,
May 6, 2012, 4:59:40 PM5/6/12
to
Robert, Tom, David, this is off-topic for this forum. Please take this
conversation to .support or some other forum. Thanks.

- a

John Volikas

unread,
May 7, 2012, 7:17:58 PM5/7/12
to
There's the extension Status-4-Evar [1] that replicates the old statusbar and also does some other neat tricks too.

[1] https://addons.mozilla.org/en-US/firefox/addon/status-4-evar

Steve Carlson

unread,
May 25, 2012, 7:28:54 PM5/25/12
to mozilla.dev.planning group
What's the latest on this? Has force-upgrade of 3.6 been tabled?

Alex Keybl

unread,
May 25, 2012, 7:39:40 PM5/25/12
to Steve Carlson, dev-pl...@lists.mozilla.org
Automatic updates from Firefox 3.6 to Firefox 12 proceeded on May 9th, and we expect automatic updates with add-on checks disabled to occur in early June. Note that this is not a force-upgrade. If users disable updates, they will receive an update.

-Alex

On May 25, 2012, at 4:28 PM, Steve Carlson wrote:

> What's the latest on this? Has force-upgrade of 3.6 been tabled?

Alex Keybl

unread,
May 25, 2012, 7:42:18 PM5/25/12
to Steve Carlson, mozilla.dev.planning group
> If users disable updates, they will receive an update.

That should read "they will _not_ receive an update".

On May 25, 2012, at 4:39 PM, Alex Keybl wrote:

> Automatic updates from Firefox 3.6 to Firefox 12 proceeded on May 9th, and we expect automatic updates with add-on checks disabled to occur in early June. Note that this is not a force-upgrade. If users disable updates, they will receive an update.
>
> -Alex
>
> On May 25, 2012, at 4:28 PM, Steve Carlson wrote:
>
>> What's the latest on this? Has force-upgrade of 3.6 been tabled?
Reply all
Reply to author
Forward
0 new messages