Firefox Mozilla Security Upgrades Technology

Like Google's Chrome, Mozilla To Silently Update Firefox 4

CWmike writes "Taking a page from rival Google's playbook, Mozilla plans to introduce silent, behind-the-scenes security updating to Firefox 4. The feature, which has gotten little attention from Mozilla, is currently 'on track' for Firefox 4, slated to ship before the end of the year. Firefox 4's silent update will only be offered on Windows, Mozilla has said. Most updates will be downloaded and installed automatically without asking the user or requiring a confirmation. 'We'll only be using the major update dialog box for changes like [version] 4 to 4.5 or 5,' said Alex Faaborg, a principal designer on Firefox, in the 'mozilla.dev.apps.firefox' forum. 'Unfortunately users will still see the updating progress bar on load, but this is an implementation issue as opposed to a [user interface] one; ideally the update could be applied in the background.' Unlike Google, Mozilla will let users change the default silent service to the more traditional mode, where the browser asks permission before downloading and installing any update."
This discussion has been archived. No new comments can be posted.

  • by gbjbaanb ( 229885 ) on Saturday August 07, 2010 @08:25AM (#33172950)

    To be honest, I'm not so worried about this - it's only a browser, and I install all those security updates anyway. What I'm not so keen on is the "silent, in the background, don't bother the user" implementation. I'd like to know that it is doing it, pop a little UI element on the status bar that says "updating latest version now" and then gets on with it, and then puts a little version marker somewhere so I know it's been done.

    Be polite to your users, be open in your communication, inform us. (and a link to the things that were fixed if you click the version number would be a nice to have)

    • by Kozz ( 7764 ) on Saturday August 07, 2010 @08:59AM (#33173164)

      In fact, I welcome this update! It was hard enough getting those less-than-savvy relations to use Firefox, but even getting my WIFE to update FF is a chore. Automatic updates for these folks will be especially welcome. It's depressing to be on the cutting edge of FF public releases only to visit your mother and find she's still running FF 2.0.17 and has been ignoring the update suggestions forever.

      • Re: (Score:2, Informative)

        >> has been ignoring the update suggestions forever

        If fewer updates broke things, people would be more inclined to update (not just Firefox, but software in general).

      • by Fumus ( 1258966 )

        At first I also thought that this is an annoying move, but then your post made me realize that my family is the same. Each time an update window appears they want me to come over and see what it is because they don't know and "Do you want to update?" is just as alien to them as "would you like to polarize the photon deflectors now?"

        I welcome this change now that I have realized what it truly means. As long as there is a fairly easy way to enable the nagging screen if you want it, then I won't mind it being

    • Re: (Score:3, Insightful)

      by RJFerret ( 1279530 )

      So far computers aren't intelligent, nor smarter than their users (despite opinions to the contrary), they generally pick the worst time to try to do updates.

      There currently isn't a way for a computer to predict when it's getting in your way (hint, right at boot-up is the worst time, as I turned on the computer to get something done). Until then, there should be a clear indication it WANTS to update, with user ability to postpone for a specified period without distraction/interference.

      Computers and other t

      • Re: (Score:3, Insightful)

        A better method would be for the OS to have an updating control, like on the Windows task bar, with progress meters for various software, with controls for aborting, pausing without anything hidden/secretive/subversive/untrusted.

        Sure, give the users the ability to have background updates for those who prefer it, even provide an OS control so that you don't have to tell each individual piece of software that's your preference, that would be great. Thankfully Firefox is not inhibiting user control--yet (or I'd

    • by bgfay ( 5362 )

      This is smart thinking. The process should be easy but not invisible. I like that Chrome does a lot of things easily, but don't like that I don't know about those things. It leads to the sudden "this thing doesn't work anymore" syndrome where things break with no seeming reason.

      That said, I hate that Firefox has to be restarted to install add-ons. Things like that aren't good enough. I should be able to install the add-on and use it immediately.

      Combine the two ideas: tell me that my program is being updated

    • No; exactly the opposite... “ideally the update could be applied in the background”? About freaking time someone figured that out.

      If they can find a way to do it without opening security holes, I’m all for it. Hell... there’s nothing dumber, IMHO, than restarting my browser just to install the update that it downloaded.

      Make it optional. You want to vet each update? Fine. You want to turn it on and forget about it? Also fine. We have auto bill-pay so we don’t even have to think

    • Maybe a Check Box that states, "I don't want to see this message again", would be useful? And the programming to do it is relatively straightforward.

      Openness of Communication has been the Fan and Light for the "Smoke and Mirror" types out there. This simple fact acts like a salt on an open wound to every "Secret by Silence" business model I have been exposed to. I proudly state to BSOD victims that one of the most successful aspects of Openness is that the bad guys are shut down in to two to three wee
    • by wwphx ( 225607 )
      I HATE Google doing this! In fact, I ripped out Picasa and Chrome on my Mac because of these silent updates. I don't have a problem if this was a configuration option set on during install that I could turn off, but it isn't. Since Firefox will allow it to update in the traditional manner, I'm fine with that, but I HATE it being done silently in the background!

      I have found that there is a way to block Google's silent update on a Mac, it basically requires creating an empty file in a certain directory
  • by Lazy Jones ( 8403 ) on Saturday August 07, 2010 @08:26AM (#33172956) Homepage Journal
    ... silent updates suck.
    • by fearlezz ( 594718 ) on Saturday August 07, 2010 @09:11AM (#33173238)

      Yes. Silent updates suck. Well at least, for people that want to control their own computer, it does. But for my sister, my dad, my great aunt and all these people that think I'm their personal helpdesk, this is perfect. I've seen so many family members who had 2 year old browsers and stuff...

      • by Trelane ( 16124 )

        Yes. Silent updates suck. Well at least, for people that want to control their own computer, it does.

        Fortunately, you (or someone or collection of persons you trust) have the source, can build it, use it, and redistribute it. Thus, you don't *have* to use the software with silent update functionality, even if you keep using the browser itself. (though you'll lose the branding; call it "iceweasel" perhaps ;)

        • Re: (Score:2, Informative)

          by kbrosnan ( 880121 )
          The devs already said that this is going to be a preference.
        • Yes. Silent updates suck. Well at least, for people that want to control their own computer, it does.

          Fortunately, you (or someone or collection of persons you trust) have the source, can build it, use it, and redistribute it. Thus, you don't *have* to use the software with silent update functionality, even if you keep using the browser itself. (though you'll lose the branding; call it "iceweasel" perhaps ;)

          And what percentage of Windows boxes even have a compiler installed, much less a user who knows how to use it? Are you really going to recompile by hand every time you get an update? Yeah, I thought so.

      • by NotBorg ( 829820 )

        Yes. Silent updates suck. Well at least, for people that want to control their own computer, it does. But for my sister, my dad, my great aunt and all these people that think I'm their personal helpdesk, this is perfect. I've seen so many family members who had 2 year old browsers and stuff...

        There's a lot of truth here.

        Often the only updates that happen are automatic or silent. If they aren't automatic they typically don't happen. The silent updates that I speak of are when geeks like me do it for their

    • My root partition is read-only.

      Good luck updating my software without me sitting at a root prompt, jerks.

  • I love Mozilla. They can do no wrong! If Apple fanboys and MSFT apologists can do it, so can I!
  • why would this be considered a bad idea?
    • by Anonymous Coward on Saturday August 07, 2010 @08:37AM (#33173022)

      I don't mind if the browser asks. It looks like they are going to default to silent updates unless you change the setting. The only way I can see this as a bad idea for the non-technical user is in the case where Mozilla screws up and a patch hoses up the browser or operating system itself (and don't act like that can't happen because it has for other software, even if it wasn't Mozilla that did it, it could still happen.)

      FTA (bolding mine):

      Firefox 4's silent update will only be offered on Windows, Mozilla has said.

      Most updates, including all security updates, will be downloaded and installed automatically without asking the user or requiring a confirmation, said Alex Faaborg, a principal designer on Firefox. ...

      Unlike Google, Mozilla will let users change the default silent service to the more traditional mode, where the browser asks permission before downloading and installing any update.

    • why would this be considered a bad idea?

      Some take exception to their software installing stuff (even updates) without their express permission (or request), or to software refusing to run until it is updated (MS's IM client does this, or so I'm told). There are a number of reasons why you might want to hold back on an update - perhaps you are a dev who wants to keep old versions around for testing how their pages work in older versions that have certain issues, or perhaps you just prefer to hold back a day or so to make sure there are no massive b

      • Also (missed this from my previous post) I don't want my browser deciding it wants to download a several Mb update while I'm connected via a very slow cellular connection (i.e. GPRS in area with no 3G or wifi coverage) trying to get something done with what little bandwidth is available in such circumstances.
      • by Anonymous Coward on Saturday August 07, 2010 @08:48AM (#33173092)

        There is a potential security issue too: what if someone manages to hack Mozilla's DNS to point to a malicious site pretending that there is an update (which introduces malware)? I hope they are planning on properly signing and verifying updates to deal with this possibility.

        Unlike many others, Mozilla already does sign its updates.

    • I think on a fresh install or upgrade to FF4, make the silent updating an opt-in. If you want it, you got it. Otherwise you stay traditional.

      Myself, I would like to stay traditional on updates, but that's me.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Just take a hint from the silent updates that Windows does;

        Do you want Firefox to be updated automatically?
        (x) Yes, check for updates and install automatically (recommended).
        ( ) No, notify me but I will decide to install updates myself.
        ( ) Do not check for updates (not recommended).

        Note: with automatic updates, you will still be asked for permission to install major updates.

  • Choice vs. Sleek (Score:5, Insightful)

    by Amorpheus_MMS ( 653095 ) <amorpheus&gmail,com> on Saturday August 07, 2010 @08:28AM (#33172974)

    I like that a lot of what makes Firefox different from Chrome is due to the "we'll let users decide how they want it" approach instead of just telling them how it's going to be done.

    • It does sound like there will be a setting that can be changed, but the default is silent install.
  • OMG! (Score:5, Insightful)

    by pushing-robot ( 1037830 ) on Saturday August 07, 2010 @08:33AM (#33173004)

    Mozilla is stealing our freedoms with communist security updates!

    ...Seriously, folks, they're just automating the updates that everyone installs already. It saves us time, which last time I checked was a valuable commodity.

  • by aussersterne ( 212916 ) on Saturday August 07, 2010 @08:33AM (#33173006) Homepage

    I get more complaints from family and friends about "slow computers" than anything else, and usually these are all about silent background updates in the end. It's damned near impossible to explain to someone that's not computer literate what an update is, how it's affecting their computer, why it's necessary that the update gets installed, etc. They don't even know what Firefox is ("You mean my Internet?") much less any of the other things. Even my wife struggles to comprehend why there's always an update running; she tends to think I'm lying or dismissing her concerns. Every single application running on her computer does silent background updates:

    Windows
    Office
    AntiVirus/Firewall Software
    Adobe Flash Player
    Adobe Reader
    Sun JRE
    Nero
    Skype
    etc.

    Even tiny little apps from the vendor do this... Volume control, display control, trackpad control, blah, blah...

    Another background process running automatic updates for each and every icon in the tray and for each and every folder and application in the Start menu, as well as for browser plugins, third party configuration tools/extensions, drivers, etc.

    At the very least they should try to display a notification somewhere on the screen saying "Updating XYZ, may slow your computer..." each time they do this, rather than silently saturating an internet connection (as 10 different updaters are in competition with one another), a CPU, and/or a hard drive's activity.

    • by tcdk ( 173945 )
      I've an older (winXP) notebook that I use sparsely, if it's been off-line much more than a week, it needs about 15-20 minutes on first boot for updates, before I can use it.
    • I installed the nvidia driver on my Linux system from the rpmfusion repository. When I run "yum update", yum updates both normal Fedora updates and nvidia driver updates. I could even configure yum-updatesd to update all packages without me even noticing.

      Why can't it be this simple on windows? Windows update on Vista/Win7 is okay for updating microsoft software. Now if only third parties could add their own 'repositories' to windows update, this would make updating a lot easier, and computing a lot safer.

      • by tepples ( 727027 )

        Now if only third parties could add their own 'repositories' to windows update

        How much would Microsoft and Microsoft's certificate authority partner (that is, VeriSign) charge third-party application publishers for such a service? And how would developers of Free applications for Windows be able to afford it?

    • by evanspw ( 872471 )

      Most of those can be set to manual update, or at least a notification that an update is ready to download. I know that's got its downside too.

    • by Jorl17 ( 1716772 )
      You forget that browser updates matter. And, in theory, OS security updates should as well. So let's not say that silent updates are not ideal for all cases. They're not ideal for stupid and silly apps that you shouldn't be supporting any way (woops, broke the rule of not bashing useful but bloated apps -- kill me!; woops, did it again!)
    • Hopefully Windows (Microsoft) will implement a repository system like in Linux distros. There's no reason to have EACH program run an updater for itself. Or, if you don't like the Linux example think of Apple app store....

      • by hedwards ( 940851 ) on Saturday August 07, 2010 @09:28AM (#33173334)
        Linux can do that because virtually all the software is free either pricewise or GPLed. In which case most of those people are thrilled to have somebody else picking up the tab on the distribution and advertising. In the Windows world, that's not really the case. Much of it is commercial software and the freeware and opensource stuff is so numerous that I doubt MS is interested in taking on the responsibility and cost of hosting those files.
        • Two words: App Store. Apple can do it. They even make money out of it. GPL and free software is a red herring.

          • What the hell are you talking about? OSX does NOT have a central repository for updating programs. I get spammed only a bit less than windows for updates to the various programs I have installed on OSX. If you're talking iPhone specifically, then you're talking about programs which Apple distributes being updated by Apple. This is not what is being talked about here - these are programs that are distributed by a large number of companies, being updated by those companies specifically. And that's the problem
            • Is your solution to have Microsoft distribute all the windows programs in the world?

              No, but it could distribute or _facilitate_ the distribution for the most common programs. I don't expect my Linux distro to distribute all the programs available on Linux but I'm happy with the 20k+ that it does distribute, among them Firefox and Chrome, neither has to use computer resources to check separately if there's an upgrade available. I get Chrome as soon as it is released, Firefox usually takes a while until it is packaged for my distro.

              But I hope you realize that having each program check independentl

        • by dbcad7 ( 771464 )
          Poor, poor, pitiful Microsoft.. can't be bothered with the cost of maintaining a repository of trusted and tested programs, like the fat cat big spenders on the Linux distro world.. but it's ok, their other approaches to security are working so well.. Don't kid yourself, that it's a "cost" issue, or an issue of "too many" applications.. The REAL REASON they don't follow suit with a repository system, is that there are whole industries built around the system they have.. Thousands of little Dutch boys would
      • by siride ( 974284 )
        It doesn't need to have a repo system. It just needs to have a standard protocol for installation and update. Programs, once installed, can register with the update service, point Windows to the update URL source and then when there's an update, Windows can do it all in one batch.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      This is why i hate that OSes... well, Windows, hasn't got a decent package manager.

      Auto updates could easily be handled through a single program for the entire OS.
      All you do is just add to a file or registry item where the URL is, current version number, date / frequency of check and an optional "where to extract this to" for non-install archives.
      Then you can make whatever damned EXE you need to make for doing updates then, whether it is Chromes silent updater or a Windows updates.
      Windows Task Manager != an

    • There is a solution to that, but the Windows implementation that I've seen was downright dreadful. (Well, the one that works for third-party software...)

      Have all applications register with an updater program that checks for updates when the machine is idle.

      The problem is, there's two choices I've seen: Windows Update, which is really just for Microsoft software (but works fairly well for that,) and InstallShield Update Manager, which is great in theory... but in practice, it doesn't respect settings to not

  • by Anonymous Coward on Saturday August 07, 2010 @08:34AM (#33173008)

    This is problematic on slow links where every byte is precious (dial-up)

    This is problematic on expensive links where every byte costs money (satellite, cellular)

    This is problematic in managed environments where the end user does not have write-permission to the filesystem containing the software

    I hope it can be disabled.

  • I agree (Score:5, Insightful)

    by Jorl17 ( 1716772 ) on Saturday August 07, 2010 @08:49AM (#33173096)
    At the risk of being /. assassinated, I have to say that I agree with this. Particularly because it is possible to disable such a feature.

    Non-techie people don't get a thing about browsers, updating, security, etc. The medium-techie usually wants to be all updated, so will update to even RCs and Betas if they find them out. Techie guys, us, do whatever they want, but I believe that they want to be in control and know what's going on -- thus, they'll disable such a feature.
    But especially for the non-techies, this is a way of getting free security upgrades. The upgrades will probably be carefully chosen so that there are no compatibility issues -- and if there are, non-techie to medium-techie users won't care that much.

    All in all, it is good for people who don't care, and enables us who care to keep things the way we want it.
    • I won't disable automatic updates, but I will disable silent automatic updates. When something stops working, I generally look at what has changed. If I don't know what to look at, it makes things very difficult to debug.
  • User Account Control (Score:4, Interesting)

    by Crock23A ( 1124275 ) on Saturday August 07, 2010 @08:50AM (#33173106)
    I wonder how this will get around UAC, a substantially annoying feature of Windows Vista/7. Will they be installing firefox to the user's home directory? Will it be sand-boxed from the OS? I admit I haven't done much looking into the pre-release so I apologize for any ignorance I might be showing.
    • I also thought about this almost immediately. You can't silently do anything under /Program Files/ or /Program Files (x86)/ without administrator rights.

      Is it their intention to install the binaries/etc some place that doesn't require admin rights to modify them? How could that possibly be safer/better?

      Maybe instead they intend to install a service set up with admin privileges. How is an extra service, with admin and network access rights and intent on modifying /program files/, safer/better?

      Updates sho
      • How is an extra service, with admin and network access rights and intent on modifying /program files/, safer/better?

        The updater service can be audited separately because it is a much smaller program than Firefox itself. After the main app has finished downloading the update package to the Local Settings folder in the user's home directory, it starts the updater service. The updater service itself does not connect to any network; all it does is verify the digital signature of the update package and then replace the executable with the updated copy. I don't know how Windows ACLs work in depth, but if the updater runs as a

        • I don't know how Windows ACLs work in depth, but if the updater runs as a user that can't write outside /Program Files/Mozilla Firefox, that's another way to limit the damage it can do.

          It can't if it runs as a regular user. That's sort of the point.

          The article summary claims silent updating, so the service can't run as the logged in user.
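
Added example, not part of the original thread and not Mozilla's code: a minimal Go sketch of the split-updater design discussed in the comments above (the update-signing concern, and the small helper that touches no network and only verifies a signature before replacing the executable). The Ed25519 scheme, the `ApplyUpdate` name, the file names and the sample key and package are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var (
	ErrBadSignature      = errors.New("update rejected: signature does not verify")
	ErrOutsideInstallDir = errors.New("update rejected: target escapes install directory")
)

// ApplyUpdate is the whole job of the hypothetical privileged helper: no network
// access, just verify the detached signature and swap one file in installDir.
func ApplyUpdate(pinned ed25519.PublicKey, installDir, target string, pkg, sig []byte) error {
	// 1. Verify before touching the disk. The key is pinned in the helper, so a
	// hijacked DNS record or mirror cannot substitute its own key.
	if !ed25519.Verify(pinned, pkg, sig) {
		return ErrBadSignature
	}
	// 2. Confine writes to the install directory (rejects "../" targets).
	dest := filepath.Join(installDir, target)
	rel, err := filepath.Rel(installDir, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return ErrOutsideInstallDir
	}
	// 3. Write to a temp file in the same directory, then rename over the old
	// binary so a crash never leaves a half-written executable.
	tmp, err := os.CreateTemp(filepath.Dir(dest), ".update-*")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // fails harmlessly after a successful rename
	if _, err := tmp.Write(pkg); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmp.Name(), dest)
}

func main() {
	// Constructed sample data: a throwaway key pair and a fake package.
	pub, priv, _ := ed25519.GenerateKey(nil)
	dir, _ := os.MkdirTemp("", "install")
	defer os.RemoveAll(dir)
	pkg := []byte("browser build 4.0.1 (constructed sample)")
	sig := ed25519.Sign(priv, pkg)

	fmt.Println("genuine: ", ApplyUpdate(pub, dir, "browser.exe", pkg, sig))
	fmt.Println("tampered:", ApplyUpdate(pub, dir, "browser.exe", append(pkg, '!'), sig))
	fmt.Println("escape:  ", ApplyUpdate(pub, dir, "../evil.exe", pkg, sig))
}
```

Because the download happens in the unprivileged browser process, everything it hands over is treated as untrusted input; the helper's only trust anchor is the pinned public key.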

    • Re: (Score:3, Interesting)

      by sadler121 ( 735320 )

      Chrome has its exe in APPDATA, that is how they get around UAC.

  • Until now, FF updates require a restart. The update may be silent, but the restart is still going to require user notification. So what's the advantage here?

    • by PRMan ( 959735 )
      I imagine it would wait until the user restarted Firefox...
      • by tepples ( 727027 )

        I imagine it would wait until the user restarted Firefox...

        Which gets into cases where a user leaves Firefox open for days, putting the computer to sleep instead of shutting it down.

  • by bursch-X ( 458146 ) on Saturday August 07, 2010 @08:55AM (#33173138)
    Nah, Little Snitch will tell me. I really do hate that Google Chrome feature; just when I least expect it one of the Google background processes is for no apparent reason trying to connect to certain sites. Makes me wary, even if for the right reasons some software tries to sneak in any update without telling me. Even Apple gives me more freedom there.
  • More Mozilla Fail (Score:5, Insightful)

    by duffbeer703 ( 177751 ) on Saturday August 07, 2010 @09:25AM (#33173316)

    I'd love to be able to actually deploy and maintain Firefox in the large enterprise that I work in. Users want it. Unfortunately, users don't have admin rights, and Mozilla makes applying updates and configuring the browser from a central location difficult and has a history of not thinking about and actively shooting down any proposals which would potentially benefit system administrators trying to support Firefox.

    I don't get why they don't get it.

  • Re: (Score:2, Insightful)

    Comment removed based on user account deletion
  • by ccady ( 569355 ) on Saturday August 07, 2010 @09:54AM (#33173490) Journal
    How stupid! Show the user the dialog box, and put a checkmark on it which says (approx) "Don't notify me of these updates anymore, just do them."
    • by genner ( 694963 )

      How stupid! Show the user the dialog box, and put a checkmark on it which says (approx) "Don't notify me of these updates anymore, just do them."

      What's an update?
      Son quick get in here, I got a virus!

    • Re: (Score:3, Insightful)

      by Nemyst ( 1383049 )
      People ignore update dialogs. Why do you think they wouldn't ignore that, too?
  • by wiredlogic ( 135348 ) on Saturday August 07, 2010 @10:47AM (#33173824)

    I don't normally run as administrator on my computers. I have installed Firefox as an admin., though, and I must use that account for updates. This is slightly annoying with Firefox because I get update nag notifications under my user account which can't be used to perform the updates. I don't always want to go through the hassle of shutting down my current session and switching accounts for the latest update. I hope this new feature can be turned off to avoid additional problems with the update process.

  • Wow, these companies are really shooting themselves in the foot when it comes to corporate adoption.

    No right-minded SysAdmin would want this sort of thing in their environment. While I understand that you CAN turn it off, I'm willing to bet (without caring enough to actually look), that they have neglected to add any security features that would prevent an end user from turning the "auto update" back on.
  • As a windows user I'd like to see a big player like Mozilla release a standalone updater that all the other software can use so every app doesn't have to check for updates on its own and use its own halfassed update method.

  • by El_Muerte_TDS ( 592157 ) on Saturday August 07, 2010 @03:07PM (#33175390) Homepage

    Silent updates is the reason why I received a 30 euro phone bill for a few minutes.

    I was on holiday, and let a friend use my laptop and telephone to send an important email (it was a party invitation, nothing more important than that). And of course... I forgot to disable all things that would silently try to update whatever they could when a network connection was found. Within a short time, a few megabytes were downloaded. And mobile data from a foreign country is more expensive than HP ink.

    So please Mozilla, provide a nice toggle through the preferences screen to change this, and not through an about:config option.
