No Additional Firefox 4 Security Updates

CWmike writes "Unnoticed in the Tuesday release of Firefox 5 was Mozilla's decision to retire Firefox 4, shipped just three months ago. Mozilla spelled out vulnerabilities it had patched in that edition and in 2010's Firefox 3.6, but it made no mention of any bugs fixed in Firefox 4 on Tuesday, because Firefox 4 has reached what Mozilla calls EOL, for 'end of life,' for patches. Although the move may have caught users by surprise, the decision to stop supporting Firefox 4 has been discussed within Mozilla for weeks. In a mozilla.dev.planning mailing list thread, Christian Legnitto, the Firefox release manager, put it most succinctly on May 25: 'Firefox 5 will be the security update for Firefox 4.' Problem is, users are being prompted to upgrade now but are hesitant because the new rapid release of updates means many add-ons are not compatible. And without security updates in between, many could be left exposed with unpatched browsers."

If they hadn't broken addons...

[sethstorm]

...they would be fine.

However, it looks like Mozilla failed to communicate it well enough, thinking their own notice was enough. The result is that Mozilla seems to take Microsoft's path for once - refusing to patch security issues on a relatively new release, and washing their hands clean with an EOL.

Re:If they hadn't broken addons...

[Anonymous Coward]

What? Microsoft are still supporting Windows XP. It's a bit more than three months old.

Re:FF5 is out?

[Samantha Wright]

If it helps you sleep at night, the nightly builds are currently 7.0a1, and planning for FF8 is underway. And prior to FF4, Gecko was still in the 1.9 numbering series. (They bumped it up to match the FF version release.)

Ironically, SeaMonkey is still at version 2, when it comes from a branch of the Netscape tree that should make it six or seven.

And furthermore, all of these web browsers are identified as Mozilla/5.0 in their user agents.

Re:Broken by design

[_xeno_]

Because that's not the way the addon versioning system works?

Look, it's really pretty simple. An addon needs to say what versions of Firefox it supports, as the API is known to change with each version.

The old rule was that you were pretty safe in assuming that the "patch level" number (the third/fourth number depending on release) could change without breaking any addons. Changing the minor number might break existing addons and could add new APIs. (For example, the change from Firefox 3.5 to 3.6.)

Changing the major number indicated a major change in functionality that could, potentially, require addons to be rewritten. (For example, Firefox 2 to Firefox 3.)

How the hell do you work that into the new versioning system?! The only way would be for the browser itself to "know" that Firefox 5 is basically Firefox 4 and not flag addons written for "4.0+".

Am I supposed to assume that an addon I write against Firefox 4 will work in Firefox 5 and Firefox 6, when the same was certainly not true for Firefox 1 to 2 - and 2 to 3, and 3 to 4? When will they be changing the API again? Am I supposed to be psychic when setting the maxVersion number?

Keep in mind that it's the browser itself that enforces these version checks. It's not something that addon developers really have any control over.