No Additional Firefox 4 Security Updates 445
CWmike writes "Unnoticed in the Tuesday release of Firefox 5 was Mozilla's decision to retire Firefox 4, shipped just three months ago. Mozilla spelled out vulnerabilities it had patched in that edition and in 2010's Firefox 3.6, but it made no mention of any bugs fixed in Firefox 4 on Tuesday, because Firefox 4 has reached what Mozilla calls EOL, for 'end of life,' for patches. Although the move may have caught users by surprise, the decision to stop supporting Firefox 4 has been discussed within Mozilla for weeks. In a mozilla.dev.planning mailing list thread, Christian Legnitto, the Firefox release manager, put it most succinctly on May 25: 'Firefox 5 will be the security update for Firefox 4.' Problem is, users are being prompted to upgrade now but are hesitant because the new rapid release of updates means many add-ons are not compatible. And without security updates in between, many could be left exposed with unpatched browsers."
Guess I'll just wait a few months (Score:4, Insightful)
The new release cycle is going to hurt Firefox (Score:5, Insightful)
I would not be surprised if their new release cycle causes their marketshare to start shrinking in a significant fashion.
I have been a long-time Firefox user (ever since it was Phoenix) and their current release philosophy is really turning me off. They just seem so misguided and detached from reality.
I don't get that (Score:5, Insightful)
Are they trying to kill their user base ?
Anybody serious deploying system WILL NOT ship a mozilla product. Obsoleting a software 3 month after its release is ridiculous. You can't try to get market share and killa release in 3 month. If you don't plan to give any support, call that a development version!
I am SO disappointed in them!
Re:What the h. . . ? (Score:5, Insightful)
Slashdot story [slashdot.org]
No big news, except that the Mozilla Foundation has gone out of its mind. I think I'll stick with Firefox 3 until it reaches end of life, and then upgrade to Firefox 25.
Sucks for corporate use (Score:5, Insightful)
I really don't want to have to push out a brand new version of FF every few months and risk breaking my users' plugins that they use.
Forget the Version Numbers (Score:3, Insightful)
Beginning of the end (Score:4, Insightful)
I've been a committed Firefox user for many years, using daily many plugins that I find irreplaceable (zotero, noscript). I'm now seriously considering alternatives. I find it irresponsible that Mozilla would not stand behind the major release of one of their products for more than three months.
Re:I don't get that (Score:5, Insightful)
Anybody serious deploying system WILL NOT ship a mozilla product. Obsoleting a software 3 month after its release is ridiculous. You can't try to get market share and killa release in 3 month. If you don't plan to give any support, call that a development version!
Indeed. For my users, I'm tempted to say "Sorry, I can't support Firefox because Firefox doesn't support Firefox", and switch them all over to Opera.
Should have just skipped version numbers (Score:5, Insightful)
This whole version number thing is insane and pissing off anyone who needs a singe stable version that is supported for a reasonable length of time.
If they wanted to up the version number they should have just skipped 4, 5, 6, 7, 8, 9, 10 to 11 or 12. Or since everyone skips 13 anyway just go directly to 14 and be done with it. Then keep it there for at least a year.
Re:I don't get that (Score:4, Insightful)
I agree with you but how does Google Chrome succeed? "You can't try to get market share and killa release in 3 month"
Lack of plugins - or at least being much less common and quite possibly with a more stable API/ABI. A "security update" that breaks plugins is a sure-fire way to catch Firefox users between a rock and a hard place. It's a typical case of developers coding for developers - who are all on a very recent version and can fix what's broken for them - instead of regular users. Keep going like this and they'll be the #3 browser by Christmas...
Re:Forget the Version Numbers (Score:5, Insightful)
Except that the version numbers do matter when it comes to plugins and the maxVersion string. They are going to be breaking add-ons left and right with this shit.
Who is This Helping? (Score:5, Insightful)
Who, exactly, is the rapid release schedule helping? It's certainly not helping web developers and organizations who try to list their supported browser versions and actually try to code towards those versions. The quickest path to get the corporate PHBs to stop supporting your browser is to have the IT staff say "Guess what, the next version of Firefox is already out so we need to make updates." At some places, support for browsers other than IE is tenuous at best, so making it more difficult to support these browsers only hurts the browser manufacturers.
Want to gain more support? Release a stable product, with wide support for standards and add-ons, and do so on a sane, well-publicized schedule. People don't care about version numbers; updating software isn't something people want or like to do. Why are you making it more difficult and cumbersome for users to use your product?
Dear Mozilla (Score:5, Insightful)
Version Numbers and Add-on Compatibility (Score:5, Insightful)
But that is merely a symptom, not the cause.
If nothing else, the new release philosophy causes the incredibly stupid approach to add-on compatibility to be highlighted.
People have complained about add-ons 'breaking' for years with other (point) releases, usually stating that after updating the maxVersion string manually, or using Nightly Tester Tools to override, the add-on continues to work perfectly fine.
Perhaps it's wishful thinking.. but part of me is hoping that the new release schedule forces Mozilla, and the community, to re-think add-on compatibility reporting; flagging add-ons as 'broken' not by default, but after testing.
Re:This is gonna suck... (Score:2, Insightful)
for all practical purposes, it IS the security update to 4.1 and should be treated as such.
Security updates do not break backwards compatibility.
Except when necessary to fix implementation and design bugs, there shouldn't be any trade-offs in installing a security update; the new version should be exactly the same except more bug free, or people aren't going to install it.
Re:Broken by design (Score:3, Insightful)
Re:I don't get that (Score:2, Insightful)
I think you, and MANY other people, are missing the idea.
When you upgrade Firefox 3.6.16 to 3.6.17, are you upset that Mozilla no longer plans to support 3.6.16?
3.6.17 ***is*** the continued support of 3.6.16.
Likewise, 5.0 ***is*** the continued support of 4.0.
Most people aren't used to thinking like that, so it seems backwards.
Re:FSVO "free" (Score:4, Insightful)
You are not kidding, half of my add-ons/plugins are not compatible to the new release. so I'll sit on the sidelines for a while.
Now I think that Firefox should find a point and say, clean up time, make a few versions updates, then poll the community for the next official features, this way you get some stability over time and new features, heck I don't mind if they did that every 9 months, at lease I would know that the older versions would be somewhat safe to utilize on the current platform of my firm.
Is Mozilla becoming closed and self-serving? (Score:4, Insightful)
Although the move may have caught users by surprise, the decision to stop supporting Firefox 4 has been discussed within Mozilla for weeks.
Who cares what the users think about EOL'ing a product that was only released a few week ago. We The Developers are going to do what we want, users be damned.
Re:The new release cycle is going to hurt Firefox (Score:2, Insightful)
Big difference between Chrome & FF updates though :: Chrome updates are tiny and nearly invisible. I switched from IE to FF a few years back, and from FF to Chrome full-time about a year ago. Chrome has updated itself countless times while I'm using it and the only times I even noticed were when it wasn't closed for days on end and popped up a little notice saying it wanted to restart. Compare that with the annoying "FF has an update available, do you want to download?" / "FF is applying an update" notices. The worst was FF's inability to update itself without admin approval so I couldn't put it on managed computers.
In short, Chrome can update as often as it wants because it does not create an imposition for users. On the other hand, FF shouldn't ever update because its update flow is a pain in the ass.
Comment removed (Score:5, Insightful)
Just Came to Say ... (Score:5, Insightful)
Christian Legnitto, the Firefox release manager, put it most succinctly on May 25: 'Firefox 5 will be the security update for Firefox 4.' Problem is, users are being prompted to upgrade now but are hesitant because the new rapid release of updates means many add-ons are not compatible. And without security updates in between, many could be left exposed with unpatched browsers."
Came to say that.
Don't the people in charge think these things through? It appears not.
The new versioning schema is the new security hole in Firefox.
And all done for no real gain or benefit.
Idiots.
It's all in the numbering! (Score:4, Insightful)
Decouple Program/API versions (Score:5, Insightful)
How the hell do you work that into the new versioning system?! The only way would be for the browser itself to "know" that Firefox 5 is basically Firefox 4 and not flag addons written for "4.0+".
Am I supposed to assume that an addon I write against Firefox 4 will work in Firefox 5 and Firefox 6, when the same was certainly not true for Firefox 1 to 2 - and 2 to 3, and 3 to 4? When will they be changing the API again? Am I supposed to be psychic when setting the maxVersion number?
Two things they could do. The one they probably should do right away is to decouple the API versions from the program versions, since those have become meaningless. Heck, even Windows did this when their marketing department got the clout Mozilla's seems to have - developers could still query the real (meaningful) version number even though the box had a year or stupid name on it. They could leave things as they are now for addon developers or they could introduce a new maxAPIVersion check, one time.
If they were feeling energetic, they could teach the browser how to introspect its API changes and make smart decisions. Say, an addon uses foo() and bar() - those did not change since the maxVersion release, so run the addon. Another addon uses foo() and baz() and declares the same maxVersion. The browser knows that baz() changed semantically, so it prevents baz() from running.
I'd probably rather see that approach since it takes the weight off of thousands of developers and puts it onto one or two.