Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Firefox Mozilla Security News

No Additional Firefox 4 Security Updates 445

CWmike writes "Unnoticed in the Tuesday release of Firefox 5 was Mozilla's decision to retire Firefox 4, shipped just three months ago. Mozilla spelled out vulnerabilities it had patched in that edition and in 2010's Firefox 3.6, but it made no mention of any bugs fixed in Firefox 4 on Tuesday, because Firefox 4 has reached what Mozilla calls EOL, for 'end of life,' for patches. Although the move may have caught users by surprise, the decision to stop supporting Firefox 4 has been discussed within Mozilla for weeks. In a mozilla.dev.planning mailing list thread, Christian Legnitto, the Firefox release manager, put it most succinctly on May 25: 'Firefox 5 will be the security update for Firefox 4.' Problem is, users are being prompted to upgrade now but are hesitant because the new rapid release of updates means many add-ons are not compatible. And without security updates in between, many could be left exposed with unpatched browsers."
This discussion has been archived. No new comments can be posted.

No Additional Firefox 4 Security Updates

Comments Filter:
  • ...for anyone running a Linux distro :-(

    • Ubuntu upgraded to FF 5 this morning. I was surprised, given that Ubuntu has not been too swift with previous FF upgrades. I suppose the EOL is the reason.

    • 3 words: Rolling release distro.

      Like Arch or Gentoo, or Debian unstable if you want.

      • by koolfy ( 1213316 )

        3 words: Rolling release distro.

        Like Arch or Gentoo, or Debian unstable if you want.

        Yeah right.
        I love gentoo, I hate the idea of non-rolling-release systems.

        However.
        It takes ~1h to compile the new xulrunner and firefox on my 2.5ghz dual core laptop.
        If the fast release cycle keeps accelerating, soon Firefox X+1 wil be out before I'm d-one compiling Firefox X

    • by sjames ( 1099 )

      Just unpack the tarball somewhere convenient and be happy. If you had FF4 working, 5 will just drop in.

      • Yeah and then have to keep doing that to get updates...

        I've heard Ubuntu has FF5 in their main repos now, so users will get updates, but Mozilla needs to have repos ready for the final versions of their browsers at the same time the final version is released as a .deb package/tarball. Typically I end up sticking to the old browser or running a beta from a repo, then I have to wait weeks after the final release for a PPA for the final version.

        • by sjames ( 1099 )

          How does that suck any more than waiting for the security update to be packaged?

          It's the same decision it always was. Wait for your distro to update the package or grab the tarball direct and forgo management on that package.

          Had FF5 introduced a serious bug thjat could impact productionm, I might be more upset, but for all practical purposes, it IS the security update to 4.1 and should be treated as such. If you like, rename it to FF4.2

      • It'll break most of your add-ons, but it will just drop in.

  • by Anonymous Coward on Wednesday June 22, 2011 @12:17PM (#36531180)
    For Firefox 6.0
  • by sethstorm ( 512897 ) on Wednesday June 22, 2011 @12:20PM (#36531244) Homepage

    ...they would be fine.

    However, it looks like Mozilla failed to communicate it well enough, thinking their own notice was enough. The result is that Mozilla seems to take Microsoft's path for once - refusing to patch security issues on a relatively new release, and washing their hands clean with an EOL.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      What? Microsoft are still supporting Windows XP. It's a bit more than three months old.

      • MS provides only security patches at this point and will do so until 2014 IIRC, which means well over a decade of security patches.

        But, Firefox doesn't really need to do that as it's open source and upgrading to a newer version is free.

        • Firefox doesn't really need to do that as it's open source and upgrading to a newer version is free.

          As long as you're not doing any incoming qualification, that's dandy. Of course, in an enterprise setting you just might want to make sure that the new version supports all of your mission-critical applications. If you're running a distribution, you might want to do some QA on it.

          As it is, Gentoo (to name one) still has 4.0 in unstable, and Mozilla's rapid releases are practically guaranteed to keep any of the new releases from ever reaching stable. That's not a joke; running tarballs is a quick way to

          • Re:FSVO "free" (Score:4, Insightful)

            by onepoint ( 301486 ) on Wednesday June 22, 2011 @02:05PM (#36533062) Homepage Journal

            You are not kidding, half of my add-ons/plugins are not compatible to the new release. so I'll sit on the sidelines for a while.

            Now I think that Firefox should find a point and say, clean up time, make a few versions updates, then poll the community for the next official features, this way you get some stability over time and new features, heck I don't mind if they did that every 9 months, at lease I would know that the older versions would be somewhat safe to utilize on the current platform of my firm.

    • However, it looks like Mozilla failed to communicate it well enough, thinking their own notice was enough.

      Um, how much more notice should they provide? An ad in the Times?

  • by Bloodwine77 ( 913355 ) on Wednesday June 22, 2011 @12:21PM (#36531256)

    I would not be surprised if their new release cycle causes their marketshare to start shrinking in a significant fashion.

    I have been a long-time Firefox user (ever since it was Phoenix) and their current release philosophy is really turning me off. They just seem so misguided and detached from reality.

  • I don't get that (Score:5, Insightful)

    by godrik ( 1287354 ) on Wednesday June 22, 2011 @12:21PM (#36531260)

    Are they trying to kill their user base ?

    Anybody serious deploying system WILL NOT ship a mozilla product. Obsoleting a software 3 month after its release is ridiculous. You can't try to get market share and killa release in 3 month. If you don't plan to give any support, call that a development version!

    I am SO disappointed in them!

    • by arth1 ( 260657 ) on Wednesday June 22, 2011 @12:32PM (#36531468) Homepage Journal

      Anybody serious deploying system WILL NOT ship a mozilla product. Obsoleting a software 3 month after its release is ridiculous. You can't try to get market share and killa release in 3 month. If you don't plan to give any support, call that a development version!

      Indeed. For my users, I'm tempted to say "Sorry, I can't support Firefox because Firefox doesn't support Firefox", and switch them all over to Opera.

    • by mwvdlee ( 775178 )

      Would you have been more comfortable installing this release if it were labelled as "4.1"?
      If so, just download the installer, rename the file to "Firefox 4.1" and install it from there.

      • I would have been more comfortable if Mozilla hadn't terminated support for a three-month old release!

      • by godrik ( 1287354 )

        It is not that I am not confortable with them releasing a version 5.

        I won't deploy firefox 5 on any machine I need to provide support for. Because I have to assume there won't be any support for it in 3 month from upstream.

  • Google seems to be updating Chrome at a high rate because they want to control both the server side (all Google properties) and the client side. Google properties now use features that only work in Chrome. It's Microsoft's old "Embrace, extend, devour" applied to the Web. Microsoft tried this with Silverlight, with less success.

    Whether Firefox should cooperate in this effort needs to be questioned. Whether Firefox users should go along is very questionable.

  • by acoustix ( 123925 ) on Wednesday June 22, 2011 @12:26PM (#36531352)

    I really don't want to have to push out a brand new version of FF every few months and risk breaking my users' plugins that they use.

  • by PineHall ( 206441 ) on Wednesday June 22, 2011 @12:28PM (#36531388)
    Version numbers don't matter any more. This is really not a major release. It is an incremental upgrade, just like Chrome and just like the Linux kernel. It is a new way of developing software that has been happening for a while now.
    • by Lunix Nutcase ( 1092239 ) on Wednesday June 22, 2011 @12:43PM (#36531610)

      Except that the version numbers do matter when it comes to plugins and the maxVersion string. They are going to be breaking add-ons left and right with this shit.

      • by QuasiSteve ( 2042606 ) on Wednesday June 22, 2011 @12:56PM (#36531880)

        They are going to be breaking add-ons left and right with this shit.

        But that is merely a symptom, not the cause.

        If nothing else, the new release philosophy causes the incredibly stupid approach to add-on compatibility to be highlighted.

        People have complained about add-ons 'breaking' for years with other (point) releases, usually stating that after updating the maxVersion string manually, or using Nightly Tester Tools to override, the add-on continues to work perfectly fine.

        Perhaps it's wishful thinking.. but part of me is hoping that the new release schedule forces Mozilla, and the community, to re-think add-on compatibility reporting; flagging add-ons as 'broken' not by default, but after testing.

    • by Maltheus ( 248271 ) on Wednesday June 22, 2011 @01:13PM (#36532224)

      It is a new way of developing software that has been happening for a while now.

      And that's the problem. It needlessly pisses people off. Who are the developers who start using this scheme when I don't know a single developer who thinks it makes sense?

      • And that's the problem. It needlessly pisses people off. Who are the developers who start using this scheme when I don't know a single developer who thinks it makes sense?

        Clearly, they are developers you don't know.

        And many of them work for projects that have been very successful using this approach, which is more relevant to assessing the utility of the approach than random people on the internet claiming that it "needlessly pisses people off".

        Its a pretty obvious approach that reduces waste and duplicatio

  • by digitalderbs ( 718388 ) on Wednesday June 22, 2011 @12:29PM (#36531400)
    This is the exact behavior that will drive users away. It's more disruptive than the KDE 4.0 debacle.

    I've been a committed Firefox user for many years, using daily many plugins that I find irreplaceable (zotero, noscript). I'm now seriously considering alternatives. I find it irresponsible that Mozilla would not stand behind the major release of one of their products for more than three months.
  • This really sucks. A copy of Firefox that I leave running 24/7 on an older notebook near my bed is already nearly worthless after having switched from Firefox 3.x to Firefox 4 because of the absurd memory demands of Firefox 4 (had dozens of sites open under 3.x, now opening 2 sites in 2 tabs is a challenge). One of the key things that I do with this systems depends on using a plug-in. Can't run Firefox 5 until the plug-in is ready and even then fear that the memory issue may get even worse. Now I'm told tha

  • Mozilla just keeps making more and more retarded decisions. The last good branch was 2.x. It's been all downhill since then. I'm still using 3.6.x since I refuse to upgrade to version 4 or 5.

    The only real options left:
    1) Put up with their decisions
    2) Fork it
    3) Jump ship

    I'm choosing option 3.

    • by 0racle ( 667029 )
      Jump to where? Ad Block, noscript, firebug, flash block and the like have become pretty much required for my browsing needs. Who else has something like this?
  • by linebackn ( 131821 ) on Wednesday June 22, 2011 @12:37PM (#36531526)

    This whole version number thing is insane and pissing off anyone who needs a singe stable version that is supported for a reasonable length of time.

    If they wanted to up the version number they should have just skipped 4, 5, 6, 7, 8, 9, 10 to 11 or 12. Or since everyone skips 13 anyway just go directly to 14 and be done with it. Then keep it there for at least a year.

    • by jovius ( 974690 )

      I think version numbering should be dropped completely from public view.

      Software improves over time (hopefully) but the name (brand) remains the same. When updates are around it could be indicated to the user by telling that you are lagging so many days or being so many percent from complete. Being 100% complete would mean you'd have the latest 'version'. This would make the whole process feel like a game where you catch up with the others.

  • before the new one is even fully ready for release. IOW, they deliberately break their own software. Can someone please explain what kind of sense this makes?
  • by Ron Bennett ( 14590 ) on Wednesday June 22, 2011 @12:38PM (#36531562) Homepage

    Mozilla Corporation gets most of its funds from Google. Something to keep in mind in regards to the future of Firefox...

    My gut says, barring some significant change in funding / lead developers, that Firefox's future is bleak - what's happening now feels to me so much like what happened back when Netscape jumped the shark with their bloated Communicator suite. People bailed in droves.

    The ideal situation would be for a group of developers to fork Firefox 3.6.x, throw in some of the improvements from 4, and run with it. Many would be greatly appreciative, and likely support it in both time and donations; don't make the same mistake as Mozilla Foundation has in regards to relying too much on any one major donor.

    • Correction: In the last sentence, I meant to write Mozilla Corporation.

    • What is holding Opera back from the mainstream? They have been around for eons and have innovated a lot of features (or at the very least implemented said features well before their competitors). Still, Opera seems to remain a niche web browser.

      Granted, I don't use Opera myself and I can't quite put my finger on why I don't use it. The first time I tried many years ago I didn't like ad banner in the interface of the free version (I think they got rid of the paid version of Opera and the ad banners in free O

      • Opera the closed-source browser with a BSD-sized user base? Yeah I have no idea why it's less popular than Firefox or Chrome.

      • What is holding Opera back from the mainstream?

        A number of things. Most users will relate with at least one of these points:

        • It doesn't come pre-installed on any of the popular desktop operating systems (maybe it does come standard on some devices?).
        • It's not open source.
        • It will always carry the stigma it received during the time when it was nagware.
        • It's a very decent browser, but it simply doesn't surpass other browsers by a wide enough margin for most* people to justify switching from what they're already comfortable with.

        * Although, those few w

      • What is holding Opera back from the mainstream? They have been around for eons and have innovated a lot of features (or at the very least implemented said features well before their competitors). Still, Opera seems to remain a niche web browser.

        No proper adblock plugin*. That has been the killer feature for EVERY normal user I've switched from IE to firefox over the years. That, and firefox is big enough that it gets tested these days, along with IE. Some small yet critical for some user website breaks in o

        • If it's "stealing" to view a web site without "viewing" the ads, then it's "stealing" to mute the TV during a commercial, or change the channel, or go to the bathroom. Same for the radio.

          I have made no agreement with any web site owners to look at or download any content they may place in their pages. Site owners who make content freely-viewable do so at their own risk, without any guarantees.

          Don't let the **AAs co-opt the meaning of "theft". Don't let them brainwash you.

          Next thing you know, people will

    • Fork 3.6? What's wrong with v4/v5? You don't like the speed and memory efficiency improvements?

      • by 0123456 ( 636235 )

        Fork 3.6? What's wrong with v4/v5? You don't like the speed and memory efficiency improvements?

        Don't like using an interface designed for a tablet or mobile phone on a desktop with a 1200 pixel high screen?

      • Because 3.6 was the best version? Version 4 is completely different UI for no discernable reason, it's not easier to use that's for sure, it feels like your typical change-for-the-sake-of-change feature. Who knows if it's faster if it takes longer to use overall? FF4 sucks and from the news it seems that FF5 will be worse.

  • by swsuehr ( 612400 ) on Wednesday June 22, 2011 @12:46PM (#36531686) Homepage

    Who, exactly, is the rapid release schedule helping? It's certainly not helping web developers and organizations who try to list their supported browser versions and actually try to code towards those versions. The quickest path to get the corporate PHBs to stop supporting your browser is to have the IT staff say "Guess what, the next version of Firefox is already out so we need to make updates." At some places, support for browsers other than IE is tenuous at best, so making it more difficult to support these browsers only hurts the browser manufacturers.

    Want to gain more support? Release a stable product, with wide support for standards and add-ons, and do so on a sane, well-publicized schedule. People don't care about version numbers; updating software isn't something people want or like to do. Why are you making it more difficult and cumbersome for users to use your product?

  • Here's the thing, Mozilla. If/As you screw over extension support, I have no reason to stay with you.

    You'd better rethink the implications of your "rapid release"... nomenclature. And really, it's just nomenclature. So, you are willing to toss your competitive advantage for the sake of bumping version numbers like Chrome?

  • Dear Mozilla (Score:5, Insightful)

    by m0s3m8n ( 1335861 ) on Wednesday June 22, 2011 @12:50PM (#36531748)
    Dear Mozilla: Pull your head out of Chrome's ass.
  • by the_raptor ( 652941 ) on Wednesday June 22, 2011 @12:56PM (#36531884)

    I am still using Firefox 3.6 and will stay that way until either Mozilla lay down the crack pipe or I find another browser whose UI designers aren't similarly crack addled (sorry Chrome).

  • With Linux 3.0, Firefox 5, and the weekly Chrome version bump, "version numbers" are essentially meaningless.

    Version numbers are really a relic of the boxed software, major release days anyway. Rolling updates seem to be the future, so build numbers may be more appropriate.

  • by christurkel ( 520220 ) on Wednesday June 22, 2011 @01:05PM (#36532058) Homepage Journal
    End Of Life after THREE FUCKING MONTHS?? Who the fuck thought this was a good decision?
    • It's a minor update: just like they didn't keep updating 4.0 when 4.0.1 came out, they don't keep updating 4.0.1 when 4.0.2 came out. But for marketing reasons, they decided that 4.0.2 would be called "5.0".

    • by leenks ( 906881 )

      It's just a release. Releases are deprecated almost immediately with security updates, new features / API changes etc. The only difference here is the version numbering is insane which makes it harder to see what has broken.

  • by leamanc ( 961376 ) on Wednesday June 22, 2011 @01:50PM (#36532860) Homepage Journal

    They are trying to copy or catch up with Chrome on the version numbering thing, but they are missing something important here. With Chrome, it gets auto-updated all the time (at least mine is, on both OS X and Ubuntu), to where I've always got the latest and greatest, and all the inherent security fixes and such. If I had to manually download a new copy of Chrome regularly, even every three months, I would grow tired of it. But the auto-updater does it for me; I installed Chrome once and am now done with that part of it. I couldn't tell you what version of Chrome I am running, except for I know it updated itself earlier this week.

    Firefox, on the other hand, won't auto-update to a "major version", like going from 4.x to 5.x. Mozilla should know they had a hard enough time getting people to download a new copy, even when it took 18 months between major versions. People are not going to re-download it on such a quick schedule.

    And Mozilla needs to update Firefox's handling of extensions, with its "max version" attribute. Once again, it was bad enough when there was a new FF update every 18 months and it took forever for the extension developers to make the simple integer change. All I have read this week with FF5 is how this extension and that extension disabled itself, when it will probably work just fine.

    I was a long-time Firefox supporter and didn't like Chrome at first. Now I am either going with Chrome or Safari all the time, and feeling sad for the days when Firefox was the shiznit.

  • by QuietLagoon ( 813062 ) on Wednesday June 22, 2011 @02:11PM (#36533140)

    Although the move may have caught users by surprise, the decision to stop supporting Firefox 4 has been discussed within Mozilla for weeks.

    Who cares what the users think about EOL'ing a product that was only released a few week ago. We The Developers are going to do what we want, users be damned.

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Wednesday June 22, 2011 @02:25PM (#36533338)
    Comment removed based on user account deletion
  • by hduff ( 570443 ) <hoytduff@[ ]il.com ['gma' in gap]> on Wednesday June 22, 2011 @03:20PM (#36534172) Homepage Journal

    Christian Legnitto, the Firefox release manager, put it most succinctly on May 25: 'Firefox 5 will be the security update for Firefox 4.' Problem is, users are being prompted to upgrade now but are hesitant because the new rapid release of updates means many add-ons are not compatible. And without security updates in between, many could be left exposed with unpatched browsers."

    Came to say that.

    Don't the people in charge think these things through? It appears not.

    The new versioning schema is the new security hole in Firefox.

    And all done for no real gain or benefit.

    Idiots.

    • by jesser ( 77961 )

      Or maybe it's a security hole in your extension that it prevents you from keeping Firefox up to date.

  • by ewanm89 ( 1052822 ) on Wednesday June 22, 2011 @05:54PM (#36536046) Homepage
    Firefox 5 is more like Firefox 4.1 in truth, the only thing this rapid release crap has done is confused everyone with thinking what is actually a minor update is a major break lots of extensions update.
  • by johncandale ( 1430587 ) on Wednesday June 22, 2011 @07:01PM (#36536674)
    the only real reason to stay with firefox is the add-on's, just like one few the few reasons to stay with windows is the huge software library. They need to fix breaking add-ons, and they need to do it now

No spitting on the Bus! Thank you, The Mgt.

Working...