Prompted update from 3.0 to 4.0?


Henri Sivonen

Apr 20, 2011, 5:28:34 AM
to dev-pl...@lists.mozilla.org
Yesterday, I observed a case where a person was stating his preference
for Chrome while showing a screenshot that had the old Firefox icon. The
new icon debuted all the way back in Firefox 3.5, so he had to have
Firefox 3.0.x (or earlier).

This together with the observation that Firefox 3.0.x still has millions
of active daily users inspires me to ask:

Will Firefox 4.0.1 be offered as a prompted update to Firefox 3.0.x
users who are using a compatible OS (even if they have previously
declined 3.5 and 3.6)?

It would be sad if the remaining 3.0.x users either continued using an
unpatched browser or switched to competing browsers instead of keeping
Firefox up-to-date.

--
Henri Sivonen
hsiv...@iki.fi
http://hsivonen.iki.fi/


Robert Kaiser

Apr 20, 2011, 11:45:28 AM
Henri Sivonen schrieb:

> Will Firefox 4.0.1 be offered as a prompted update to Firefox 3.0.x
> users who are using a compatible OS (even if they have previously
> declined 3.5 and 3.6)?

I think the current plan is 3.5 and 3.6 only, but you might be right
that it might make sense to try 3.0 one last time again - though I'm not
sure how much work that would be, both for releng as well as QA.

Robert Kaiser

--
Note that any statements of mine - no matter how passionate - are never
meant to be offensive but very often as food for thought or possible
arguments that we as a community needs answers to. And most of the time,
I even appreciate irony and fun! :)

Christian Legnitto

Apr 20, 2011, 1:33:10 PM
to Robert Kaiser, dev-pl...@lists.mozilla.org
The plan is to only do 3.6 and 3.5. Users on 3.0 have ignored the 3.6 prompt many times and QA's testing for 3.0 MUs are 100% manual. We might go back and do the 3.0 prompt if we have the resources but we aren't planning to do so currently.

Christian

> _______________________________________________
> dev-planning mailing list
> dev-pl...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-planning

David E. Ross

Apr 20, 2011, 3:04:11 PM

Earlier this month, I did a two-week survey of user agents accessing a
sample of my Web pages. Of identified Gecko-based browsers, 4.5% of
"hits" were from Gecko rv:1.8.x (Firefox 1.x or 2.x, SeaMonkey 1.x); and
2.7% were from Gecko rv:1.9.0.x (Firefox 3.0.x). Thus, 7.2% of the
Gecko-based browsers were from Firefox version 3.0.x or earlier and from
SeaMonkey version 1.x.

I found it interesting that almost twice as many hits were from Firefox
1.x or 2.x and SeaMonkey 1.x than from Firefox 3.0.x.

--

David E. Ross
<http://www.rossde.com/>

On occasion, I might filter and ignore all newsgroup messages
posted through GoogleGroups via Google's G2/1.0 user agent
because of spam from that source.

Asa Dotzler

Apr 20, 2011, 3:47:00 PM
On 4/20/2011 10:33 AM, Christian Legnitto wrote:
> The plan is to only do 3.6 and 3.5. Users on 3.0 have ignored the 3.6 prompt many times and QA's testing for 3.0 MUs are 100% manual. We might go back and do the 3.0 prompt if we have the resources but we aren't planning to do so currently.
>
> Christian

I think we should package up a 4.0.1 release as a mandatory security
update for Firefox 2.0.x and Firefox 3.0.x users. Nobody should be using
2.0.x or 3.0.x. They are horribly insecure, completely unsupported, are
almost assuredly going to be turned into spambots and are a threat to
the health of the Web and every other user of the Web.

- A

John O'Duinn

Apr 20, 2011, 3:50:41 PM
to Christian Legnitto, dev-pl...@lists.mozilla.org, Robert Kaiser
hi Henri;

Firefox 3.0 users can still always do "help->CheckForUpdates" to get
updates. That was our 4th prompted major update to the FF3.0 users, and
remains in place since July 2010.

Your friend is so far back, that depending on exactly what version of
Firefox, they may have to do "help->CheckForUpdates" a few times to
reach Firefox 4.0. The important point here is that RelEng always makes
sure that users can update to the latest and greatest Firefox.

We do MUs for orphaned groups of users frequently - and as Christian
said, we can (read: will!) revisit who to re-prompt later. Even as far
back as FF2.0.0.x, we would scan back for large groups of users who are
still back on old, less-secure versions of FF1.5.0.x, and re-prompt them
to upgrade. For now, however, it makes more sense to focus scarce
resources on getting the many more FF3.5, FF3.6 users upgraded to FF4.0.

Feel free to raise this again, if you are curious for status, but yes,
it's on our recurring ToDo list.


tc
John.
=====


On 4/20/11 10:33 AM, Christian Legnitto wrote:
> The plan is to only do 3.6 and 3.5. Users on 3.0 have ignored the 3.6 prompt many times and QA's testing for 3.0 MUs are 100% manual. We might go back and do the 3.0 prompt if we have the resources but we aren't planning to do so currently.
>
> Christian
>

> On Apr 20, 2011, at 8:45 AM, Robert Kaiser wrote:
>

Kyle Huey

Apr 20, 2011, 3:53:39 PM
to dev-pl...@lists.mozilla.org
On Wed, Apr 20, 2011 at 3:04 PM, David E. Ross <nob...@nowhere.invalid> wrote:

> On 4/20/11 2:28 AM, Henri Sivonen wrote:
> > Yesterday, I observed a case where a person was stating his preference
> > for Chrome while showing a screenshot that had the old Firefox icon. The
> > new icon debuted all the way back in Firefox 3.5, so he had to have
> > Firefox 3.0.x (or earlier).
> >
> > This together with the observation that Firefox 3.0.x still has millions
> > of active daily users inspires me to ask:
> >
> > Will Firefox 4.0.1 be offered as a prompted update to Firefox 3.0.x
> > users who are using a compatible OS (even if they have previously
> > declined 3.5 and 3.6)?
> >
> > It would be sad if the remaining 3.0.x users either continued using an
> > unpatched browser or switched to competing browsers instead of keeping
> > Firefox up-to-date.
> >
>
> Earlier this month, I did a two-week survey of user agents accessing a
> sample of my Web pages. Of identified Gecko-based browsers, 4.5% of
> "hits" were from Gecko rv:1.8.x (Firefox 1.x or 2.x, SeaMonkey 1.x); and
> 2.7% were from Gecko rv:1.9.0.x (Firefox 3.0.x). Thus, 7.2% of the
> Gecko-based browsers were from Firefox version 3.0.x or earlier and from
> SeaMonkey version 1.x.
>
> I found it interesting that almost twice as many hits were from Firefox
> 1.x or 2.x and SeaMonkey 1.x than from Firefox 3.0.x.
>

Do you have data on the operating systems those users are running? IIRC
Gecko 1.8.x was the last version to support Windows 9x, so I would expect
the vast majority of users on Gecko 1.8.x to be running Windows 98 or
something.


> --
>
> David E. Ross
> <http://www.rossde.com/>
>
> On occasion, I might filter and ignore all newsgroup messages
> posted through GoogleGroups via Google's G2/1.0 user agent
> because of spam from that source.


- Kyle

timeless

Apr 20, 2011, 4:22:30 PM
to Asa Dotzler, dev-pl...@lists.mozilla.org
On Wed, Apr 20, 2011 at 3:47 PM, Asa Dotzler <a...@mozilla.com> wrote:
> I think we should package up a 4.0.1 release as a mandatory security update
> for Firefox 2.0.x and Firefox 3.0.x users. Nobody should be using 2.0.x or
> 3.0.x. They are horribly insecure, completely unsupported, are almost
> assuredly going to be turned into spambots and are a threat to the health of
> the Web and every other user of the Web.

Sounds great. My sister has a G4 and is waiting for an update to her Firefox 2.

Robert Kaiser

Apr 20, 2011, 5:03:50 PM
John O'Duinn schrieb:

> We do MUs for orphaned groups of users frequently - and as Christian
> said, we can (read: will!) revisit who to re-prompt later. Even as far
> back as FF2.0.0.x, we would scan back for large groups of users who are
> still back on old, less-secure versions of FF1.5.0.x, and re-prompt them
> to upgrade. For now, however, it makes more sense to focus scarce
> resources on getting the many more FF3.5, FF3.6 users upgraded to FF4.0.

I actually wonder, in concert with Asa, if we actually should go and
give those on unsupported versions a non-prompted "minor" update (as
long as their hardware/OS is supported with FF4) instead of a prompted
"major" update offer. We should try to do everything we can to "force"
all those users to a supported version that can run it.
People running 3.0 or even older versions are not only risking their
security and privacy every time they use such a build, but threaten
other people due to the significant risk to become part of a botnet that
is used for all kinds of attacks. We should try to actively avoid that,
even if it means changing their Internet experience without asking.

Robert Kaiser

Apr 20, 2011, 5:08:49 PM
Kyle Huey schrieb:

> On Wed, Apr 20, 2011 at 3:04 PM, David E. Ross <nob...@nowhere.invalid> wrote:
>> I found it interesting that almost twice as many hits were from Firefox
>> 1.x or 2.x and SeaMonkey 1.x than from Firefox 3.0.x.
>>
> Do you have data on the operating systems those users are running? IIRC
> Gecko 1.8.x was the last version to support Windows 9x, so I would expect
> the vast majority of users on Gecko 1.8.x to be running Windows 98 or
> something.

In addition to that, SeaMonkey 1.x didn't ship an update mechanism, so
no way to "help" those users at all - better just forget about them (and
yes, they should get a weekly notification that something newer is
available - we turned that on as soon as SeaMonkey 2.0 was available,
i.e. in late 2009).

We should concentrate on those people we can bring over to something
supported in some way, people on Win9x, PPC Macs or SeaMonkey 1.x
unfortunately are nobody we can help actively.

Christian Legnitto

Apr 20, 2011, 5:29:12 PM
to Robert Kaiser, dev-pl...@lists.mozilla.org

On Apr 20, 2011, at 2:03 PM, Robert Kaiser wrote:

> John O'Duinn schrieb:
>> We do MUs for orphaned groups of users frequently - and as Christian
>> said, we can (read: will!) revisit who to re-prompt later. Even as far
>> back as FF2.0.0.x, we would scan back for large groups of users who are
>> still back on old, less-secure versions of FF1.5.0.x, and re-prompt them
>> to upgrade. For now, however, it makes more sense to focus scarce
>> resources on getting the many more FF3.5, FF3.6 users upgraded to FF4.0.
>
> I actually wonder, in concert with Asa, if we actually should go and give those on unsupported versions a non-prompted "minor" update (as long as their hardware/OS is supported with FF4) instead of a prompted "major" update offer. We should try to do everything we can to "force" all those users to a supported version that can run it.
> People running 3.0 or even older versions are not only risking their security and privacy every time they use such a build, but threaten other people due to the significant risk to become part of a botnet that is used for all kinds of attacks. We should try to actively avoid that, even if it means changing their Internet experience without asking.

This is the plan for when we kill 3.5 (polishing up the doc now). We currently have no plan to do it for older releases but we can debate it once the dust has settled around FF4 and FF5.

Christian

Robert Strong

Apr 20, 2011, 5:43:09 PM
to dev-pl...@lists.mozilla.org
On 4/20/2011 2:29 PM, Christian Legnitto wrote:
> On Apr 20, 2011, at 2:03 PM, Robert Kaiser wrote:
>
>> John O'Duinn schrieb:
>>> We do MUs for orphaned groups of users frequently - and as Christian
>>> said, we can (read: will!) revisit who to re-prompt later. Even as far
>>> back as FF2.0.0.x, we would scan back for large groups of users who are
>>> still back on old, less-secure versions of FF1.5.0.x, and re-prompt them
>>> to upgrade. For now, however, it makes more sense to focus scarce
>>> resources on getting the many more FF3.5, FF3.6 users upgraded to FF4.0.
>> I actually wonder, in concert with Asa, if we actually should go and give those on unsupported versions a non-prompted "minor" update (as long as their hardware/OS is supported with FF4) instead of a prompted "major" update offer. We should try to do everything we can to "force" all those users to a supported version that can run it.
>> People running 3.0 or even older versions are not only risking their security and privacy every time they use such a build, but threaten other people due to the significant risk to become part of a botnet that is used for all kinds of attacks. We should try to actively avoid that, even if it means changing their Internet experience without asking.
> This is the plan for when we kill 3.5 (polishing up the doc now). We currently have no plan to do it for older releases but we can debate it once the dust has settled around FF4 and FF5.
btw: the extension compatibility check performed by app update is very
broken prior to 3.5 which is something I fixed after taking over app
update (https://bugzilla.mozilla.org/show_bug.cgi?id=324121 for the gory
details). The update behavior when not prompting / ignoring extension
compatibility (e.g. the update snippet is a minor update and the
extension compatibility check is disabled by setting the update's
extension app compatibility version to the user's current app version)
should be heavily tested when you do this. iirc there were cases where
it checked extension compatibility anyway and would show the prompt.

Robert

Asa Dotzler

Apr 20, 2011, 6:25:16 PM

Your sister's PC vendor has abandoned her and so have the vendors of her
most security-sensitive software. She really shouldn't be connecting to
the internet at all. She's a danger to herself and to others.

On a more topical note, I should have said "a mandatory security update
for all supported platforms"

For unsupported platforms, I think we should have a "We cannot secure
this version of Firefox and recommend you uninstall" followed by
instructions or a button to launch the uninstaller.

For the overwhelming majority of users (those on Windows) the default
system browser is more secure and better for the user and the Web. IE 6
is still getting critical security updates (see
http://www.microsoft.com/technet/security/Bulletin/MS11-018.mspx for
example, which was just released for IE 6 a week ago).

If we cannot secure a user, that user and the Web are better off if we
either a) force them forward to a current, supported version or b)
uninstall Firefox and push them back to the system browser which is
being secured by its vendor.

- A

David E. Ross

Apr 20, 2011, 8:21:43 PM

Reviewing my raw data, I see that it appears only six distinct users
accessed my Web pages during those two weeks. The UA strings were:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7)
Gecko/20060909 Firefox/1.5.0.7

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9)
Gecko/20071025 Firefox/2.0.0.9

Mozilla/5.0 (Windows; U; Win98; en-GB; rv:1.8.1.22) Gecko/20090605
SeaMonkey/1.1.17

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.23) Gecko/20090823
SeaMonkey/1.1.18

Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1) Gecko/20061010
Firefox/2.0

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Gecko/20070725 Firefox/2.0.0.6

Only one of these is clearly Windows 98. Four could be Windows XP. I'm
not sure about the Linux user since I don't use Linux and thus don't
know what is the current version. Of course, all this could be confused
by spoofing.
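
An added example, not from the thread or from David's own logs: a small classifier that does the inventory step this discussion turns on, reading Gecko UA strings from a web log and bucketing hits by Gecko rv: line (1.8.x, 1.9.0.x, and so on) and OS, so an operator can count which visitors run browser lines that no longer receive security updates. The six UA strings above are the constructed sample input (plus two constructed newer strings for contrast); the per-line support status is an assumption taken from this thread's April 2011 state, as are the OS token table and the function names.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample input: the six Gecko 1.8.x UA strings quoted above (each
# re-joined onto one line) plus two constructed newer-Gecko strings for contrast.
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9",
    "Mozilla/5.0 (Windows; U; Win98; en-GB; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.23) Gecko/20090823 SeaMonkey/1.1.18",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1) Gecko/20061010 Firefox/2.0",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6",
    # constructed, not from the thread:
    "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0) Gecko/20100101 Firefox/4.0",
]

# Gecko browsers of this era carry "rv:<gecko version>" inside the platform
# parentheses, followed by "Gecko/<build date> <App>/<version>".
GECKO_UA = re.compile(r"^Mozilla/5\.0 \((?P<platform>[^)]*)\) Gecko/\d+ "
                      r"(?P<app>[A-Za-z]+)/(?P<ver>\d[\w.]*)")
RV = re.compile(r"\brv:(?P<rv>\d+(?:\.\d+)*)")

# Platform token -> OS name. Win95/Win98/"Win 9x 4.90" (ME) are the Windows 9x
# family that, as the thread notes, only Gecko 1.8.x still supported.
OS_TOKENS = {
    "Win95": "Windows 95", "Win98": "Windows 98", "Win 9x 4.90": "Windows ME",
    "Windows NT 5.0": "Windows 2000", "Windows NT 5.1": "Windows XP",
    "Windows NT 6.0": "Windows Vista", "Windows NT 6.1": "Windows 7",
}

# Gecko release lines (ascending lower bounds) and whether they still received
# security updates in April 2011 per the thread: 3.5, 3.6 and 4.0 did, 3.0 and
# older did not. This support table is an assumption encoded from the thread.
FAMILIES = [
    ((1, 8), "Gecko 1.8.x (Firefox 1.x/2.x, SeaMonkey 1.x)", False),
    ((1, 9), "Gecko 1.9.0.x (Firefox 3.0.x)", False),
    ((1, 9, 1), "Gecko 1.9.1 (Firefox 3.5.x)", True),
    ((1, 9, 2), "Gecko 1.9.2 (Firefox 3.6.x)", True),
    ((2,), "Gecko 2.0+ (Firefox 4.x)", True),
]


@dataclass
class GeckoHit:
    app: str
    version: str
    rv: Tuple[int, ...]
    family: str
    supported: bool
    os_name: str


def classify_rv(rv: Tuple[int, ...]) -> Tuple[str, bool]:
    """Map an rv tuple to its release line; the last lower bound <= rv wins."""
    label, supported = "Gecko older than 1.8", False
    for lower, name, sup in FAMILIES:
        if rv >= lower:
            label, supported = name, sup
    return label, supported


def os_from_platform(platform: str) -> str:
    for token in (t.strip() for t in platform.split(";")):
        if token in OS_TOKENS:
            return OS_TOKENS[token]
        if "Mac OS X" in token:
            return "Mac OS X"
        if token.startswith("Linux"):
            return "Linux"
    return "unknown"


def parse_gecko_ua(ua: str) -> Optional[GeckoHit]:
    """Parse a Gecko UA string; None for other browsers. UAs are self-reported
    and can be spoofed, so treat counts as an estimate, not an inventory."""
    m = GECKO_UA.match(ua)
    rvm = RV.search(m.group("platform")) if m else None
    if not rvm:
        return None
    rv = tuple(int(p) for p in rvm.group("rv").split("."))
    family, supported = classify_rv(rv)
    return GeckoHit(m.group("app"), m.group("ver"), rv, family, supported,
                    os_from_platform(m.group("platform")))


def summarize(uas) -> dict:
    """Count Gecko hits per release line and unsupported hits per OS."""
    by_family, unsupported_by_os = Counter(), Counter()
    for hit in filter(None, map(parse_gecko_ua, uas)):
        by_family[hit.family] += 1
        if not hit.supported:
            unsupported_by_os[hit.os_name] += 1
    return {"total": len(uas), "gecko": sum(by_family.values()),
            "unsupported": sum(unsupported_by_os.values()),
            "by_family": dict(by_family), "unsupported_by_os": dict(unsupported_by_os)}
```

On the sample, `summarize(SAMPLE_UAS)` reports six unsupported Gecko 1.8.x hits, four of them on Windows XP, one on Windows 98 and one on Linux, which is the OS breakdown Kyle asked for.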

Henri Sivonen

Apr 21, 2011, 4:22:26 AM
to dev-pl...@lists.mozilla.org
On Wed, 2011-04-20 at 12:50 -0700, John O'Duinn wrote:
> We do MUs for orphaned groups of users frequently - and as Christian
> said, we can (read: will!) revisit who to re-prompt later.
...

> but yes, it's on our recurring ToDo list.

Cool. Thanks!

On Wed, 2011-04-20 at 15:25 -0700, Asa Dotzler wrote:
> On 4/20/2011 1:22 PM, timeless wrote:
> > On Wed, Apr 20, 2011 at 3:47 PM, Asa Dotzler<a...@mozilla.com> wrote:
> >> I think we should package up a 4.0.1 release as a mandatory security update
> >> for Firefox 2.0.x and Firefox 3.0.x users. Nobody should be using 2.0.x or
> >> 3.0.x. They are horribly insecure, completely unsupported, are almost
> >> assuredly going to be turned into spambots and are a threat to the health of
> >> the Web and every other user of the Web.
> >
> > Sounds great. My sister has a G4 and is waiting for an update to her Firefox 2.
>
> Your sister's PC vendor has abandoned her

Has Apple really abandoned Leopard users as far as security patches go?
It's annoying that Apple is never clear on product EOL. Note that
Mozilla supports Firefox 4 for Intel Leopard. (Mozilla also ships
Firefox to non-latest Android releases and those are also
Internet-connected *nix systems without the latest patches.)

> and so have the vendors of her most security-sensitive software.

Adobe stopping Flash updates is indeed scary.

> She really shouldn't be connecting to
> the internet at all. She's a danger to herself and to others.

I think you haven't really substantiated the danger here. If a person is
running PPC Leopard with the latest point release of Firefox 3.6 or
TenFourFox with FlashBlock enabled (and random old plug-ins disabled),
is there any evidence of her being a danger to herself or to others?

Also, http://www.mozilla.org/projects/ lists Camino, which is still
running the engine that was in Firefox 3.0.

After Firefox 4 was released, I migrated my parents off Camino (to
Firefox 4 on their Intel Macs and to TenFourFox on their PPC Macs). I
think the right and nice thing to do would be making PPC Firefox users
aware of the existence of TenFourFox even if Mozilla Corporation doesn't
have an autoupdate target for PPC users.

Boris Zbarsky

Apr 21, 2011, 8:32:32 AM
On 4/21/11 4:22 AM, Henri Sivonen wrote:
> On Wed, 2011-04-20 at 15:25 -0700, Asa Dotzler wrote:
>> On 4/20/2011 1:22 PM, timeless wrote:
>>> Sounds great. My sister has a G4 and is waiting for an update to her Firefox 2.
>>
>> Your sister's PC vendor has abandoned her
>
> Has Apple really abandoned Leopard users as far as security patches go?

Leopard, no.

Note that Leopard doesn't run on all G4s, though....

-Boris

Robert Kaiser

Apr 21, 2011, 9:53:03 AM
David E. Ross schrieb:

> Reviewing my raw data, I see that it appears only six distinct users
> accessed my Web pages during those two weeks.

So - sorry to say that - not a really interesting or representative
sample. And all of those have at least some updates available to them
and ignored that. Those are users we should force to upgrade or make
hard to even use those versions of our software any more, IMHO, given
the security risk.

We need to allow running any old version for testing purposes (hopefully
in reasonably sandboxed environments) but we should make it really hard
if not impossible to use them for production.

David E. Ross

Apr 21, 2011, 11:56:35 AM
On 4/21/11 6:53 AM, Robert Kaiser wrote:
> David E. Ross schrieb:
>> Reviewing my raw data, I see that it appears only six distinct users
>> accessed my Web pages during those two weeks.
>
> So - sorry to say that - not a really interesting or representative
> sample. And all of those have at least some updates available to them
> and ignored that. Those are users we should force to upgrade or make
> hard to even use those versions of our software any more, IMHO, given
> the security risk.
>
> We need to allow running any old version for testing purposes (hopefully
> in reasonably sandboxed environments) but we should make it really hard
> if not impossible to use them for production.
>
> Robert Kaiser
>

What I meant to write was that only six distinct USERS OF GECKO 1.8.x
accessed my Web pages during those two weeks. I had over 1,600 "hits"
from Gecko, IE (5, 6, 7, 8, and 9), Safari, Chrome, Opera, various
mobiles, Wget, and 19 different bots. I also had 2-3 "hits" that
presented blank UA strings.

Wes Garland

Apr 21, 2011, 12:57:32 PM
to timeless, dev-pl...@lists.mozilla.org, Asa Dotzler
On 20 April 2011 16:22, timeless <time...@gmail.com> wrote:

>
> Sounds great. My sister has a G4 and is waiting for an update to her
> Firefox 2.
>

:P

Has your sister seen TenFourFox? One of my developers runs it on his
ancient PPC MacBook and is happy with it.

http://www.floodgap.com/software/tenfourfox/

Wes

--
Wesley W. Garland
Director, Product Development
PageMail, Inc.
+1 613 542 2787 x 102

Mike Hommey

Apr 21, 2011, 1:04:18 PM
to Wes Garland, timeless, dev-pl...@lists.mozilla.org, Asa Dotzler
On Thu, Apr 21, 2011 at 12:57:32PM -0400, Wes Garland wrote:
> On 20 April 2011 16:22, timeless <time...@gmail.com> wrote:
>
> >
> > Sounds great. My sister has a G4 and is waiting for an update to her
> > Firefox 2.
> >
>
> :P
>
> Has your sister seen TenFourFox? One of my developers runs it on his
> ancient PPC MacBook and is happy with it.
>
> http://www.floodgap.com/software/tenfourfox/

While speaking of TenFourFox, is there any particular reason why we
couldn't have them contribute like the OS/2 and solaris people,
including providing binaries in the contrib directories on our ftp
archive?

Mike

Christian Legnitto

Apr 21, 2011, 1:09:26 PM
to Mike Hommey, Wes Garland, dev-pl...@lists.mozilla.org, Asa Dotzler, timeless

Not sure. I know the PPC nanojit stuff is bug 624164 though (and I believe Cameron is the main force behind TenFourFox).

Thanks,
Christian

Steve Wendt

Apr 21, 2011, 1:44:00 PM
On 4/21/2011 10:04 AM, Mike Hommey wrote:

> While speaking of TenFourFox, is there any particular reason why we
> couldn't have them contribute like the OS/2 and solaris people,
> including providing binaries in the contrib directories on our ftp
> archive?

I know in the past, there were concerns about OS/2 builds that had
out-of-tree patches; that's why there were the official builds, and then
there were separate enhanced builds:
http://pmw-warpzilla.sourceforge.net/
http://pmw-warpzilla.sourceforge.net/no_PmW-Fx3.html

I know that branding was at least one of the concerns (hence Peter had
PmW-Fx and PmW-Tb). If that's the only real concern, could TenFourFox
builds be in the contrib directory, even if they aren't called "Firefox"?

Wes Garland

Apr 21, 2011, 1:43:40 PM
to Mike Hommey, timeless, dev-pl...@lists.mozilla.org, Asa Dotzler
On 21 April 2011 13:04, Mike Hommey <mh+mo...@glandium.org> wrote:

> While speaking of TenFourFox, is there any particular reason why we
> couldn't have them contribute like the OS/2 and solaris people,
> including providing binaries in the contrib directories on our ftp
> archive?
>

While speaking of contrib builds, is there any way to make them more
accessible to the general public?

When I want to download firefox 4 for a sun box, I want to go to
"getfirefox.com", then click on "Other systems and languages", and see an
option like "contrib builds".

Instead, I have to google "Firefox release notes" (and I only know this
because I was told about it in bug 503318
<https://bugzilla.mozilla.org/show_bug.cgi?id=503318>),
then click on the google link, go to the releases page, click on "Firefox
3.6", edit the URL so it says "4.0" and then click on the link "Contrib
Builds".

If you think I'm whining about nothing -- go to "getfirefox.com" and try to
download Firefox 4 for Solaris using nothing but a mouse and what you see
on the screen. It's a downright hostile user experience. In fact, it might
not even be possible.

Steve Wendt

Apr 21, 2011, 2:03:54 PM
On 4/21/2011 10:43 AM, Wes Garland wrote:

> When I want to download firefox 4 for a sun box, I want to go to
> "getfirefox.com", then click on "Other systems and languages", and see an
> option like "contrib builds".

SeaMonkey does better in this respect, but even there, the contributed
builds section frequently does not get updated. That is why I long ago
stopped using the "friendly" web interfaces, and just go to:
http://releases.mozilla.org/pub/mozilla.org/.../contrib/

But that is obviously not ideal...

Asa Dotzler

Apr 21, 2011, 4:03:55 PM
On 4/21/2011 1:22 AM, Henri Sivonen wrote:

>> She really shouldn't be connecting to
>> the internet at all. She's a danger to herself and to others.
>
> I think you haven't really substantiated the danger here. If a person is
> running PPC Leopard with the latest point release of Firefox 3.6

First, I don't care much about the maybe hundreds of people on PPC
Leopard Firefox. I just used that post as a jumping off point to talk
about more substantial volumes of users.

I do care about the 8 million or so Windows users who are on Firefox
2.0.x, 3.0.x, and the hundreds of millions of people on Firefox 3.5.x,
and 3.6.x.

Today I care most about the 2.0.x and 3.0.x users who do not and have
not for some time been getting security updates from Mozilla. There are
almost ten million of them and they are in danger and they are a danger
to the Web and I believe they absolutely would be better off on IE 6 if
we cannot find a way to get them to a supported Firefox release.

I think before we try to move them back to IE, we should actually give
them the security update for Firefox 2.0.x and 3.0.x that is available
today with a Firefox 4 update (or maybe wait a bit and give them 5). It
should be an unprompted security update that happens to come with some
new non-security features. If they've disabled unprompted security
updates, then they are kind of lost to us and I think we should use
whatever other channels we have (start page, the press, our army of awesome)
to push them to go back to IE where they can still get security updates
from Microsoft.

I'm further asserting that beyond the already unsupported versions of
Firefox (2.0.x and 3.0.x) that we cannot support the latest point
release of Firefox 3.5 plus the latest point release of Firefox 3.6 plus
the latest point release of Firefox 4.0 plus the latest point release of
Firefox 5 plus the latest point release of Firefox 6 etc., etc.

If it is the case that we're going to keep with the new plan and ship
every 3 months, we simply cannot make the same promises we did in the
past about 6 months of support for the previous version after a new
version is released.

I propose, therefore, that we take this opportunity to stop supporting
all older versions and mandate upgrades to newer versions. I further
propose that for those users on versions that become unsupported, and
who will not, for whatever reason, move forward to a supported Firefox
version, that we do help users get back to IE 6/7/8/9/whatever by
whatever means we have available, including (we'd have to add the feature)
disabling Firefox completely.

- A

Steve Wendt

Apr 21, 2011, 4:26:29 PM
On 4/21/2011 1:03 PM, Asa Dotzler wrote:

> that we do help users get back to IE 6/7/8/9/whatever by
> whatever means we have available, including (we'd have to add the feature)
> disabling Firefox completely.

If you fully remove choice from the user, why should that user ever
trust you again for a newer version? Lots of warnings and prompts are
one thing, but full removal of choice is patronizing.

Here's one scenario: somebody has a pet bug that first showed up in
Firefox 3.6.x, which makes it unusable in their situation. They even
reported the bug, but fixing it has been prioritized down to "someday we
will look into that again." You go and kill their Firefox 3.5.x, which
is working nicely for them, and they become disenfranchised. The bug
finally gets resolved in Firefox 7, but that user hates Firefox now,
because you screwed him over.

Asa Dotzler

Apr 21, 2011, 5:35:08 PM

My argument is that during the time between when that user became
unsupported (stopped receiving Firefox security updates) and when that
user decides to upgrade to a new version of Firefox, that user shouldn't
be using Firefox.

An unsupported (no longer receiving security updates) version of Firefox
is less secure for that user and for the Web at large than even IE 6.
Not only is it less secure, but the bad guys know exactly how to target
it (because we've told them the flaws we've fixed in newer versions
which are often still present in your older unfixed version) and the
chances of your computer being infected via that insecure browser
version skyrocket.

I don't believe that users have the ultimate right to become bots that
spam or attack others on the Web. I think of it a lot like I think of
public health. You do not have the right to get on an airplane with
tuberculosis because of the potential to cause harm to your fellow
passengers. Hospitals are available to treat you and you should avail
yourself of their services before going out in public and potentially
infect others. Not doing so is simply wrong and a civil society should
not tolerate that.

The Web is a public space and you and your computer are in that public
space. Having an infected computer on the Web, deliberately or not, is
not OK.

Mozilla provides you with a free secure version of a great browser but
when that version is no longer secure and you refuse to upgrade to a
newer (and still free) secure version, you are now using a dangerous
piece of software that can not only harm you, but harm millions of other
people on the Web. I think Mozilla should be able to pull the plug on
that bad software so that it does not cause harm to the rest of the Web.

I'm sure not many others see it this way, and I don't expect this
argument to persuade everyone, but I'm absolutely serious and sincere
in making it. I firmly believe that this is a public health issue and
sometimes public health issues trump individual liberty.

- A

David Ascher

Apr 21, 2011, 5:50:13 PM
to Asa Dotzler, dev-pl...@lists.mozilla.org

> My argument is that during the time between when that user became
> unsupported (stopped receiving Firefox security updates) and when that
> user decides to upgrade to a new version of Firefox, that user shouldn't
> be using Firefox.

Yeah, but you're using your value system (which values security very
highly) to decide what the user should do, regardless of any other
value system, including the user's, the user's network administrator,
the user's ISP, government, parents, etc.

I don't think any absolutist point of view is appropriate here.
Safety, user choice, open source, various notions of freedom, UX,
localization, various jurisdictional concerns (from parents through
network administrators and ISPs all the way to governments) all
conflict in various exciting ways.

--da

Ron Hunter

Apr 21, 2011, 6:07:19 PM

I understand your points, but I disagree with one statement. NO ONE is
better off with IE6 than ANY Firefox version. Even Microsoft agrees
with that.
As for supporting old versions...
Going to an update-or-else setup would cause a lot of negative
response from users. Further, updating to a newer version under the
guise of a 'security update' would probably be considered less than
honest by most users.
Just some things to think on.

Asa Dotzler

Apr 21, 2011, 6:16:32 PM
On 4/21/2011 3:07 PM, Ron Hunter wrote:

> I understand your points, but I disagree with one statement. NO ONE is
> better off with IE6 than ANY Firefox version. Even Microsoft agrees with
> that.

Microsoft just released a major security patchset for IE 6 last Tuesday.
Microsoft still supports IE 6. Mozilla does not support Firefox 1.0,
Firefox 1.5, Firefox 2, and Firefox 3. IMO, those users are absolutely
better off on IE 6.

> Further, updating to a newer version under the guise of a
> 'security update' would probably be considered less than honest by most
> users.

But it is a security update. There's absolutely no dishonesty there at
all. The minute we fix a critical security bug in a newer version that
we don't fix in an affected older version, then the newer version is a
security update. We currently don't deploy it as an "unprompted update"
like we do other security updates, but you simply cannot argue that it
is not a security update.

- A

Asa Dotzler

Apr 21, 2011, 6:20:41 PM4/21/11
to
On 4/21/2011 2:50 PM, David Ascher wrote:
>
>> My argument is that during the time between when that user became
>> unsupported (stopped receiving Firefox security updates) and when that
>> user decides to upgrade to a new version of Firefox, that user
>> shouldn't be using Firefox.
>
> Yeah, but you're using your value system (which values security very
> highly) to decide what the user should do, regardless of any other value
> system, including the user's, the user's network administrator, the
> user's ISP, government, parents, etc.

It's not just my value system that places a high importance on security.
A minimal level of security is a fundamental requirement for the Web to
function. Anyone who doesn't put a high importance on security isn't
thinking about it very seriously. I'm OK with that, though. Most people
don't have to think about that because they've got experts (their
software vendors like us) who have the responsibility to think about it
on their behalf.

- A


Patrick Finch

Apr 21, 2011, 6:27:28 PM4/21/11
to Asa Dotzler, dev-pl...@lists.mozilla.org


The point about user perception probably stands anyway: whether or not
it's honest, there's a good chance it won't be perceived as such.
Possibly a different issue, but still an issue.

Patrick


> _______________________________________________
> dev-planning mailing list
> dev-pl...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-planning

--
Patrick Finch
Mozilla
pat...@mozilla.com
Mobile: +46 768 444 833
Office: +1 650 903 0800 ext. 340
Twitter: @patrickf
IM: patric...@gmail.com

Daniel Cater

Apr 21, 2011, 7:04:34 PM4/21/11
to a...@mozilla.com
The people that lead the product have to realise that decisions they make about features and user interface can lead to users being vulnerable to security threats, not because of code issues, but because their workflow got so messed up that they turn down the upgrade (because they've used it on another computer, or because they've been warned about it by someone they trust on computer issues). Some might even downgrade by uninstalling and reinstalling the old version.

I think Mozilla is falling out of touch with a large part of its audience, and doing things like killing the uninstaller survey doesn't help. An optional feedback mechanism for people who click the "Never" button in the upgrade dialog would help.

Once 4.0.1 gets pushed as a major update, this problem will get worse. People will downgrade and people will tell their parents to click "Never" when it pops up.

Philip Chee

Apr 21, 2011, 8:39:24 PM4/21/11
to
On Wed, 20 Apr 2011 15:22:35 -0500, timeless wrote:
> On Wed, Apr 20, 2011 at 3:47 PM, Asa Dotzler <a...@mozilla.com> wrote:
>> I think we should package up a 4.0.1 release as a mandatory security update
>> for Firefox 2.0.x and Firefox 3.0.x users. Nobody should be using 2.0.x or
>> 3.0.x. They are horribly insecure, completely unsupported, are almost
>> assuredly going to be turned into spambots and are a threat to the health of
>> the Web and every other user of the Web.
>
> Sounds great. My sister has a G4 and is waiting for an update to her Firefox 2.

Why wait?

<http://www.floodgap.com/software/tenfourfox/>

Versions available for G3, G4, and G5 processors.

Phil

--
-==-
Philip Chee <phi...@aleytys.pc.my>, <phili...@gmail.com>
http://flashblock.mozdev.org/ http://xsidebar.mozdev.org
Guard us from the she-wolf and the wolf, and guard us from the thief,
oh Night, and so be good for us to pass.
[ ]T'greatest griefs are those we cause ourselves. Sophocles
* TagZilla 0.066.6

Philip Chee

Apr 21, 2011, 8:45:53 PM4/21/11
to
On Wed, 20 Apr 2011 23:03:50 +0200, Robert Kaiser wrote:
> John O'Duinn schrieb:
>> We do MUs for orphaned groups of users frequently - and as Christian
>> said, we can (read: will!) revisit who to re-prompt later. Even as far
>> back as FF2.0.0.x, we would scan back for large groups of users who are
>> still back on old, less-secure versions of FF1.5.0.x, and re-prompt them
>> to upgrade. For now, however, it makes more sense to focus scarce
>> resources on getting the many more FF3.5, FF3.6 users upgraded to FF4.0.
>
> I actually wonder, in concert with Asa, if we actually should go and
> give those on unsupported versions a non-prompted "minor" update (as
> long as their hardware/OS is supported with FF4) instead of a prompted
> "major" update offer. We should try to do everything we can to "force"
> all those users to a supported version that can run it.
> People running 3.0 or even older versions are not only risking their
> security and privacy every time they use such a build, but threaten
> other people due to the significant risk to become part of a botnet that
> is used for all kinds of attacks. We should try to actively avoid that,
> even if it means changing their Internet experience without asking.
>
> Robert Kaiser

As far as I know, those on Firefox 3.0 (or Thunderbird 2.0) who can but
who refuse to upgrade are refusing for philosophical or ideological
reasons. If a mandatory upgrade occurs, they would simply restore from
backup or reinstall from a saved copy of the 3.0 installer.

There are even people who refuse to upgrade SeaMonkey beyond 2.1b1
because of objections to changes made by you and me in subsequent betas.

And I know someone in the support firefox forums who is remaining on one
of the Firefox 4.0betas permanently because of some change or other in
later betas.

Phil

--

Philip Chee

Apr 21, 2011, 8:50:40 PM4/21/11
to

They aren't stock Firefox 4.0 due to adaptations needed for the older
PPC processors and hence can't use the Firefox branding.

Ron Hunter

Apr 21, 2011, 9:24:53 PM4/21/11
to
No, but then I still think users might find this a bit less than 'open',
you know, like 'open source'? The mentality of someone who hasn't
updated his software in that long is not likely to be the kind who will
welcome this kind of 'help'.

Ron Hunter

Apr 21, 2011, 9:26:17 PM4/21/11
to
Think about it, write it, offer it, but don't force it. There will be a
backlash.
An attempt at education might be in order, but I don't know how to
implement that.

Robert Kaiser

Apr 21, 2011, 9:59:48 PM4/21/11
to
Philip Chee schrieb:

> There are even people who refuse to upgrade SeaMonkey beyond 2.1b1
> because of objections to changes made by you and me in subsequent betas.

In that case (and the same for Firefox), they should abandon our
products and at least move to something that is supported with security
updates. I don't care if that's SeaMonkey 2.0, 2.1, a new enough
Firefox, IE, Safari, Chrome, Opera or whatever. I absolutely agree with
Asa that we should not have people out there who are endangering their
surroundings by becoming members of a botnet - and anyone who refuses to
use browsers with security updates but uses the web does endanger his/her
surroundings in that way.

As I said in a different message already, it needs to be possible to
test our old software to find out problems, regressions, etc. but we
should make regular use of old unsupported versions as hard as possible,
ideally upgrade people as silently as possible to supported versions.

If people don't agree with our decisions in our supported versions, they
need to switch to some other product that is supported for security,
abandon the Internet completely, or develop their own variant (or
add-on) that does what they want on the base of a supported product.

Asa Dotzler

Apr 21, 2011, 10:31:44 PM4/21/11
to
On 4/21/2011 6:24 PM, Ron Hunter wrote:

> No, but then I still think users might find this a bit less than 'open',
> you know, like 'open source'? The mentality of someone who hasn't
> updated his software in that long is not likely to be the kind who will
> welcome this kind of 'help'.

I have no idea what you think open source has to do with this. Firefox
has always been and will be for the foreseeable future available under
an open source license.

Also, your assertion that these people haven't updated software is just
plain wrong. Most of these people *were* updating their Mozilla software
every six weeks or so -- every time we pushed out a security and
stability update. We stopped doing that, leaving them on old and
insecure versions of Firefox and I'm proposing that we pick that back up
and push out another round of security and stability updates for these
users.

- A

Boris Zbarsky

Apr 21, 2011, 11:27:58 PM4/21/11
to
On 4/21/11 10:31 PM, Asa Dotzler wrote:
> I'm proposing that we pick that back up
> and push out another round of security and stability updates for these
> users.

This would be a lot easier to do if it weren't for the "omg, it's all
different" factor involved....

-Boris, who just spent part of last weekend doing things like turning
the menu back on and looking for a way to turn off glass for a Firefox
user who had updated to Fx4 on Windows 7 and was freaked out as a result.

Asa Dotzler

Apr 22, 2011, 12:06:51 AM4/22/11
to

It's not as bad for most of our users on old versions because they're on
XP. Firefox 4 (and 5) on XP does not default to the new menu arrangement
so it's mostly just "tabs on top".

But yes, it is going to be hard for a lot of those users. OMG Change! is
a legitimate problem. It will result in user frustration. It will result
in user dissatisfaction. It will result in users abandoning Firefox. But
I don't think that should stop us from doing the right thing for those
users to ensure that as many of them as possible are on secure browsers.

- A

Robert Strong

Apr 22, 2011, 12:45:01 AM4/22/11
to dev-pl...@lists.mozilla.org
On 4/21/2011 9:06 PM, Asa Dotzler wrote:
> On 4/21/2011 8:27 PM, Boris Zbarsky wrote:
>> On 4/21/11 10:31 PM, Asa Dotzler wrote:
>>> I'm proposing that we pick that back up
>>> and push out another round of security and stability updates for these
>>> users.
>>
>> This would be a lot easier to do if it weren't for the "omg, it's all
>> different" factor involved....
>>
>> -Boris, who just spent part of last weekend doing things like turning
>> the menu back on and looking for a way to turn off glass for a Firefox
>> user who had updated to Fx4 on Windows 7 and was freaked out as a
>> result.
>
> It's not as bad for most of our users on old versions because they're
> on XP. Firefox 4 (and 5) on XP does not default to the new menu
> arrangement so it's mostly just "tabs on top".

Looking at raw Firefox 2 and Firefox 3 blocklist pings over the 30 days
we have had 738498 pings for Windows 7 and 6234778 pings for Windows XP

Robert

Asa Dotzler

Apr 22, 2011, 1:10:37 AM4/22/11
to


I think that ratio definitely supports the case for packaging up a
contemporary Firefox release as an unprompted update for Firefox 2 and 3
users. The OMG Change factor will be much less extreme than we suppose
(given our bias to thinking only about Windows 7) for the overwhelming
majority of those users and they are the ones on the most at-risk
Firefox versions.

- A

Robert Strong

Apr 22, 2011, 1:14:19 AM4/22/11
to dev-pl...@lists.mozilla.org
On 4/21/2011 9:45 PM, Robert Strong wrote:
> On 4/21/2011 9:06 PM, Asa Dotzler wrote:
>> On 4/21/2011 8:27 PM, Boris Zbarsky wrote:
>>> On 4/21/11 10:31 PM, Asa Dotzler wrote:
>>>> I'm proposing that we pick that back up
>>>> and push out another round of security and stability updates for these
>>>> users.
>>>
>>> This would be a lot easier to do if it weren't for the "omg, it's all
>>> different" factor involved....
>>>
>>> -Boris, who just spent part of last weekend doing things like turning
>>> the menu back on and looking for a way to turn off glass for a Firefox
>>> user who had updated to Fx4 on Windows 7 and was freaked out as a
>>> result.
>>
>> It's not as bad for most of our users on old versions because they're
>> on XP. Firefox 4 (and 5) on XP does not default to the new menu
>> arrangement so it's mostly just "tabs on top".
>
> Looking at raw Firefox 2 and Firefox 3 blocklist pings over the 30
> days we have had 738498 pings for Windows 7 and 6234778 pings for
> Windows XP
I should have included Win2K and WinVista numbers along with separating
the blocklist pings for the last 30 days by Firefox version so it is
easier to see the distribution, etc.

            Win2K    WinXP  WinVista    Win7
Firefox 2      26     1527        42      92
Firefox 3   61029  6233251    379960  738406

Cheers,
Robert

Ron Hunter

Apr 22, 2011, 4:08:35 AM4/22/11
to
I hope you are right, but suspect the opposite. I think the idea is
good, but it will cause some users to be really unhappy about having
their comfortable old shoes replaced with new ones. Some people just
abhor change, and those are the ones we are talking about. That it is
for their own good, and the good of the community as a whole, really
won't occur to them.

David Illsley

Apr 22, 2011, 6:14:25 AM4/22/11
to
<snip>

> My argument is that during the time between when that user became
> unsupported (stopped receiving Firefox security updates) and when that
> user decides to upgrade to a new version of Firefox, that user shouldn't
> be using Firefox.
>
> An unsupported (no longer receiving security updates) version of Firefox
> is less secure for that user and for the Web at large than even IE 6.
> Not only is it less secure, but the bad guys know exactly how to target
> it (because we've told them the flaws we've fixed in newer versions
> which are often still present in your older unfixed version) and the
> chances of your computer being infected via that insecure browser
> version skyrocket.
>
> I don't believe that users have the ultimate right to become bots that
> spam or attack others on the Web. I think of it a lot like I think of
> public health. You do not have the right to get on an airplane with
> tuberculosis because of the potential to cause harm to your fellow
> passengers. Hospitals are available to treat you and you should avail
> yourself of their services before going out in public and potentially
> infect others. Not doing so is simply wrong and a civil society should
> not tolerate that.

IMO this analogy is a poor one... you don't have the right to get on
the plane, but equally, the attendant checking your boarding pass when
you get on doesn't have the right to give you an involuntary
inoculation because you look sick.

> The Web is a public space and you and your computer are in that public
> space. Having an infected computer on the Web, deliberately or not, is
> not OK.

In the physical world, there would be a refusal of access, not an
enforced treatment.

> Mozilla provides you with a free secure version of a great browser but
> when that version is no longer secure and you refuse to upgrade to a
> newer (and still free) secure version, you are now using a dangerous
> piece of software that can not only harm you, but harm millions of other
> people on the Web. I think Mozilla should be able to pull the plug on
> that bad software so that it does not cause harm to the rest of the Web.

Simply shipping a silent 3.0.x update which kills the browser at a
specified date in the future unless you voluntarily update to >= 3.5
is a more direct parallel of 'pulling the plug' than forcing an
upgrade (and giving the user at least a couple of weeks warning is a
lot more friendly).

Elsewhere in the thread, there's been discussion that there are other
browsers which would also be an improvement for people on 3.0... It's
worth considering if future messaging to people on back-level versions
mentions that. A MU pop-up which said that we're so concerned about
your security that we'd encourage you to look elsewhere if necessary
might be a real jolt to a lot of people. (As might re-advertising very
frequently).

There's been little discussion of the possibility that the 10-15?
million users on 3.0.x might be there for good reasons, and that
forcibly bumping them to 4.x might cause them serious problems - If
I'm stuck on Fx3.0.x because of having to use exampleCorp CRM 3.5.4
which has a hard Fx3.0.x dependency, then suddenly losing access to my
system one morning might cause me actual financial loss. In that kind
of scenario, I might even be using Fx3.0.x exclusively for that one
site, so my security exposure is really low. (I've been in a similar
situation to that in the past where I've used IE6 for access to a
single system).

I'm also intrigued if there's a way to know how many of these back-
level users may have auto-updates turned off by corporate
administrators - I seem to remember my employer-provided Firefox in
the 3.0.x timescale had auto-updates from mozilla.org turned off. Is
there a way to compare blocklist pings and update check logs to work
this out?

If a low proportion of the back-level users would actually see the
forced update, I'd be very skeptical that it would be worth the
inevitable backlash.

>
> I'm sure not many others see it this way, and I don't expect this
> argument to persuade everyone, but I'm absolutely serious and sincere
> in making it. I firmly believe that this is a public health issue and
> sometimes public health issues trump individual liberty.

Sure. To me this is a tension between Principles 4 and 5 in the
Manifesto [1].

4. Individuals' security on the Internet is fundamental and cannot be
treated as optional.
5. Individuals must have the ability to shape their own experiences on
the Internet.

I do think both are important, but don't think one obviously trumps
another, so I think it's important to find a way to satisfy 4 without
trampling all over 5.
David

[1] http://www.mozilla.org/about/manifesto.en.html

Daniel Cater

Apr 22, 2011, 8:29:50 AM4/22/11
to a...@mozilla.com
Note that I didn't mean to imply that no-one is taking these things into consideration, nor to single out the product leads.

I just think that it should be given more weight when coming up with new designs and features and that *everyone* should be thinking about this kind of impact, not just the people who lead the product.

Apologies to anyone who felt unfairly insulted.

Boris Zbarsky

Apr 22, 2011, 12:29:01 PM4/22/11
to
On 4/22/11 6:14 AM, David Illsley wrote:
> Elsewhere in the thread, there's been discussion that there are other
> browsers which would also be an improvement for people on 3.0... It's
> worth considering if future messaging to people on back-level versions
> mentions that. A MU pop-up which said that we're so concerned about
> your security that we'd encourage you to look elsewhere if necessary
> might be a real jolt to a lot of people.

For what it's worth, I think this is a _very_ good idea.

-Boris

David E. Ross

Apr 22, 2011, 2:27:03 PM4/22/11
to
On 4/20/11 12:47 PM, Asa Dotzler wrote:
> On 4/20/2011 10:33 AM, Christian Legnitto wrote:
>> The plan is to only do 3.6 and 3.5. Users on 3.0 have ignored the 3.6 prompt many times and QA's testing for 3.0 MUs are 100% manual. We might go back and do the 3.0 prompt if we have the resources but we aren't planning to do so currently.
>>
>> Christian

>
> I think we should package up a 4.0.1 release as a mandatory security
> update for Firefox 2.0.x and Firefox 3.0.x users. Nobody should be using
> 2.0.x or 3.0.x. They are horribly insecure, completely unsupported, are
> almost assuredly going to be turned into spambots and are a threat to
> the health of the Web and every other user of the Web.
>
> - A

Any update forced upon me when I have set my preferences to prohibit
such updates will result in a criminal complaint under U.S. law. There
are federal laws against unwelcome tampering with someone else's computer.

You can let me know about updates and offer them to me. But the law
requires that you allow me the option to decide whether or not to accept
such updates.

--

David E. Ross
<http://www.rossde.com/>

On occasion, I might filter and ignore all newsgroup messages
posted through GoogleGroups via Google's G2/1.0 user agent
because of spam from that source.

Christian Legnitto

Apr 22, 2011, 2:51:02 PM4/22/11
to Boris Zbarsky, dev-pl...@lists.mozilla.org

We did something similar for 3.0 already:

https://bugzilla.mozilla.org/show_bug.cgi?id=624620 - "Scary" google homepage snippets
https://bugzilla.mozilla.org/show_bug.cgi?id=609085 - "Scary" update offer

We start with the carrot ("upgrade to this new release, it's awesome!"), end with the stick ("you are insecure, update now!").

If we're going to do it again, why would we tell them to look elsewhere? We have to do all that work to do the prompt, we'd just offer them a newer version of Firefox.

Again, there is cost to doing this for any release < 3.5 as QA's update testing isn't automated for those versions. We WILL loop back around on this for < 3.5 but we're more focused on how to handle 3.5's impending EOL currently.

Christian

Robert Strong

Apr 22, 2011, 2:50:53 PM4/22/11
to dev-pl...@lists.mozilla.org
On 4/22/2011 11:27 AM, David E. Ross wrote:
> On 4/20/11 12:47 PM, Asa Dotzler wrote:
>> On 4/20/2011 10:33 AM, Christian Legnitto wrote:
>>> The plan is to only do 3.6 and 3.5. Users on 3.0 have ignored the 3.6 prompt many times and QA's testing for 3.0 MUs are 100% manual. We might go back and do the 3.0 prompt if we have the resources but we aren't planning to do so currently.
>>>
>>> Christian
>> I think we should package up a 4.0.1 release as a mandatory security
>> update for Firefox 2.0.x and Firefox 3.0.x users. Nobody should be using
>> 2.0.x or 3.0.x. They are horribly insecure, completely unsupported, are
>> almost assuredly going to be turned into spambots and are a threat to
>> the health of the Web and every other user of the Web.
>>
>> - A
> Any update forced upon me when I have set my preferences to prohibit
> such updates will result in a criminal complaint under U.S. law. There
> are federal laws against unwelcome tampering with someone else's computer.
>
> You can let me know about updates and offer them to me. But the law
> requires that you allow me the option to decide whether or not to accept
> such updates.
There is no such ability to force a user that has explicitly set updates
to always prompt. As a matter of fact, we always prompt for major
updates even if the user has selected to just download and apply the
update prior to Firefox 4. As of Firefox 4 the Firefox drivers can
choose to actually respect this preference for both major and minor
updates. This way if the product drivers believe the user needs to
consent prior to downloading and applying an update they can. To be
abundantly clear... what you are concerned about is not possible.

btw: keep in mind that the terms major and minor are just metadata and
are used by the client prior to Firefox 4 to force prompting for major
updates.

Robert

Christian Legnitto

Apr 22, 2011, 2:56:50 PM4/22/11
to David E. Ross, dev-pl...@lists.mozilla.org

On Apr 22, 2011, at 11:27 AM, David E. Ross wrote:

> On 4/20/11 12:47 PM, Asa Dotzler wrote:
>> On 4/20/2011 10:33 AM, Christian Legnitto wrote:
>>> The plan is to only do 3.6 and 3.5. Users on 3.0 have ignored the 3.6 prompt many times and QA's testing for 3.0 MUs are 100% manual. We might go back and do the 3.0 prompt if we have the resources but we aren't planning to do so currently.
>>>
>>> Christian
>>
>> I think we should package up a 4.0.1 release as a mandatory security
>> update for Firefox 2.0.x and Firefox 3.0.x users. Nobody should be using
>> 2.0.x or 3.0.x. They are horribly insecure, completely unsupported, are
>> almost assuredly going to be turned into spambots and are a threat to
>> the health of the Web and every other user of the Web.
>>
>> - A
>
> Any update forced upon me when I have set my preferences to prohibit
> such updates will result in a criminal complaint under U.S. law. There
> are federal laws against unwelcome tampering with someone else's computer.

Chill out. We're not talking about sending an update when a user has opted out of updates entirely or asked to be notified first. We are talking about users that already have automatic updates turned on. Nowhere in the UI does it say what the content of those updates is or that the updates can't jump across versions.

> You can let me know about updates and offer them to me.

There's an explicit preference in the options to notify or install automatically. If it is checked to do so automatically we can send an update. Again, we are not talking about overriding that preference.

> But the law
> requires that you allow me the option to decide whether or not to accept
> such updates.

Please cite this law as I am unfamiliar with it and would like to read up.

Thanks,
Christian

Asa Dotzler

Apr 22, 2011, 2:58:15 PM4/22/11
to
On 4/22/2011 11:27 AM, David E. Ross wrote:
> On 4/20/11 12:47 PM, Asa Dotzler wrote:
>> I think we should package up a 4.0.1 release as a mandatory security
>> update for Firefox 2.0.x and Firefox 3.0.x users. Nobody should be using
>> 2.0.x or 3.0.x. They are horribly insecure, completely unsupported, are
>> almost assuredly going to be turned into spambots and are a threat to
>> the health of the Web and every other user of the Web.
>>
>> - A
>
> Any update forced upon me when I have set my preferences to prohibit
> such updates will result in a criminal complaint under U.S. law. There
> are federal laws against unwelcome tampering with someone else's computer.
>
> You can let me know about updates and offer them to me. But the law
> requires that you allow me the option to decide whether or not to accept
> such updates.
>

Now you're just being silly (that or you're mounting a serious effort to
ensure that no one takes you seriously here.)

If you have automatic updates turned on, and Mozilla delivers an
automatic update through that channel, Mozilla is doing nothing wrong
and certainly nothing criminal.

If you're going to get hysterical and spew credibility-destroying
nonsense like that, please take it somewhere else besides our planning
group.

-A

Boris Zbarsky

Apr 22, 2011, 3:13:08 PM4/22/11
to Christian Legnitto, dev-pl...@lists.mozilla.org
On 4/22/11 2:51 PM, Christian Legnitto wrote:
> We did something similar for 3.0 already:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=624620 - "Scary" google homepage snippets
> https://bugzilla.mozilla.org/show_bug.cgi?id=609085 - "Scary" update offer
>
> We start with the carrot ("upgrade to this new release, it's awesome!"), end with the stick ("you are insecure, update now!").

I think that the "please just install another browser if you don't want
to update this one" wording is an escalation on our existing stick that
may be worth pursuing.

It may also be worth pursuing _much_ scarier versions of the language
here (e.g. "This version of Firefox is no longer safe to use for online
banking" or "Using this version of Firefox allows websites to see
everything you type on this computer if they want to" or whatnot; yes I
think these are accurate descriptions of Firefox 3 at this point). The
text in bug 609085 is pretty tame and euphemistic; I can definitely see
users not thinking the problem is such a big deal.

> If we're going to do it again, why would we tell them to look elsewhere? We have to do all that work to do the prompt, we'd just offer them a newer version of Firefox.

We should do the latter too, sure. But I think we should make it clear
that staying on their current browser version is a _really_ bad idea.

> Again, there is cost to doing this for any release < 3.5 as QA's update testing isn't automated for those versions. We WILL loop back around on this for < 3.5 but we're more focused on how to handle 3.5's impending EOL currently.

That's fine; I'm just saying we should do something here, not that doing
it is more important than the other things we also need to do. ;)

-Boris

David E. Ross

Apr 22, 2011, 3:53:13 PM4/22/11
to

You indicated forcing updates on users. You mentioned "mandatory
security update". What am I to think about your use of the word
"mandatory"?

David E. Ross

Apr 22, 2011, 3:58:32 PM4/22/11
to

The law against unauthorized third-party tampering with a computer is
cited (without indicating a title or section number) in various news
articles about federal prosecution of hackers. The next time I see such
a news article, I will attempt to get the specifics.

Boris Zbarsky

Apr 22, 2011, 4:12:55 PM4/22/11
to
On 4/22/11 3:53 PM, David E. Ross wrote:
> You indicated forcing updates on users. You mentioned "mandatory
> security update". What am I to think about your use of the word
> "mandatory"?

It contrasts with the "we ask you if you want to update" prompted update.

Note that historically an update from 3.0 to 4.0 or the like is prompted
even if your preferences say "Automatically download and install the
update" (the default setting), because we only did the automatic thing
for minor updates.

Asa is suggesting we treat the update from 3.0 to 4.0 the same way we
would treat an update from 3.0.95 to 3.0.96. That's still controlled by
your preferences, of course.

-Boris

Cameron Kaiser

Apr 22, 2011, 7:00:34 PM4/22/11
to
> > While speaking of TenFourFox, is there any particular reason why we
> > couldn't have them contribute like the OS/2 and solaris people,
> > including providing binaries in the contrib directories on our ftp
> > archive?
>
> I know in the past, there were concerns about OS/2 builds that had
> out-of-tree patches; that's why there were the official builds, and then
> there were separate enhanced builds: http://pmw-warpzilla.sourceforge.net/
> and http://pmw-warpzilla.sourceforge.net/no_PmW-Fx3.html
>
> I know that branding was at least one of the concerns (hence Peter had
> PmW-Fx and PmW-Tb).  If that's the only real concern, could TenFourFox
> builds be in the contrib directory, even if they aren't called "Firefox"?

I noticed this thread just today, so sorry about the late reply.
TenFourFox as the name implies also supports Tiger, primarily for G3
users and people who still use Classic. There was talk earlier (I
think it was Philip Chee) about putting these patches into the tree,
but with 10.4 support gone, it was voted down at the time and I don't
think that has changed. So it will always remain a modified build. El
Furbe, Xabaris and a couple others still build "true" PowerPC 10.5
Firefoxes and these would be more appropriate for contrib as they are
otherwise unmodified. That said, I certainly wouldn't mind being the
"legacy support arm" for Power Macs.

The POWER-general features I'm piecemealing out as separate bugs,
including 624164, and these I hope to get into the tree for the
benefit of other POWER ISA builders. TenFourFox also has various VMX
accelerations which are coming out as part of 4.0.1. Feel free to talk
to me about this off group if you are interested.

Cameron Kaiser

Robert O'Callahan

Apr 22, 2011, 7:09:17 PM4/22/11
to Cameron Kaiser, dev-pl...@lists.mozilla.org
Hmm, why don't we take the TenFourFox patches into mozilla-central, given
it's actively maintained? Seems to make at least as much sense as having
OS/2 support in mozilla-central!

Rob
--
"Now the Bereans were of more noble character than the Thessalonians, for
they received the message with great eagerness and examined the Scriptures
every day to see if what Paul said was true." [Acts 17:11]

Ron Hunter

Apr 22, 2011, 7:58:39 PM4/22/11