As part of Tuesday’s Firefox 5 release , Mozilla spelled out vulnerabilities it had patched in that edition and in 2010’s Firefox 3.6, but it made no mention of any bugs fixed in Firefox 4.
That’s because Firefox 4 has reached what Mozilla calls EOL, for ‘end of life,’ for vulnerability patches.
Although the move may have caught users by surprise, the decision to stop supporting Firefox 4 with security updates has been discussed by Mozilla’s developers and managers for weeks.
A mozilla.dev.planning mailing list thread that started May 17 evolved into a back-and-forth about the rapid-release schedule and its impact on Firefox 4.
Christian Legnitto, the Firefox release manager, put it most succinctly in a May 25 message. “Firefox 5 will be the security update for Firefox 4,” Legnitto said.
As Mozilla had said earlier, that means Firefox 4.0.1—shipped in late April to fix eight flaws—was the one and only security update for Firefox 4.
Mozilla is essentially taking another page from Google Chrome’s playbook. Google only outlines the patches it has applied to the current ‘stable’ build, the most polished form of Chrome that is analogous to Mozilla’s final releases. Google does not patch the flaws in earlier editions, primarily because it automatically updates the browser in the background, ensuing that virtually all users are running the most secure version.
Mozilla doesn’t yet conduct automatic updates, but it has changed how upgrades to a new version are offered to Firefox users.
“[For earlier major upgrades] we popped up a window asking people to opt in (major update offer),” said Legnitto in another message on the same thread. “For 4.0.1, users will need to opt out (minor update offer, like point/security releases).”
Mozilla expects the opt-out approach will get more users onto the newest edition faster.
On Tuesday, Firefox 4 users started seeing the upgrade offer for Firefox 5 when a pop-up appeared reading: “A security and stability update for Firefox is available. It is strongly suggested that you apply this update for Firefox as soon as possible.”
In the offer, the default action was ‘Update Firefox.’ Only by clicking the ‘Ask Later’ button or by closing the pop-up can users decline the upgrade.
But some Firefox 4 users may want to opt out of the upgrade, even though that leaves them at risk to exploits of already patched bugs.
One traditional area of concern is add-on compatibility, a pain point known to longtime Firefox users when they’ve moved from one version number to the next.
Mozilla has retired Firefox 4 from security support, and is prompting users to upgrade to the new Firefox 5.
“The add-ons often aren’t upgraded as fast as the browser itself,” Computerworld reader Phillip Campbell wrote in a Tuesday email after hearing about Firefox 5. “This leaves the users of Firefox often sitting and waiting for the extensions to catch up with the version before upgrading.”
While Mozilla claims that 84 percent of the most widely used add-ons in its own download library are compatible with Firefox 5, it has acknowledged that others may not run on the newest version.
“Risk: LOW for AMO add-ons. HIGH for non-AMO add-ons,” a note from a June 16 meeting said, referring to risks associated with launching Firefox 5 on schedule.
AMO, better known as Mozilla’s Add-Ons, is the company’s official download site for add-ons and browser themes. AMO is not the sole source of Firefox add-ons: Developers can market add-ons outside of the site. In that regard AMO is more like Google’s Android Market than, for example, Apple’s App Store.
Another reason why users may hesitate to upgrade to Firefox 5 is because they’re running it in a business environment, where IT staff must usually test an updated application to ensure any changes have not created compatibility problems with other software.
Michael Kaply, a consultant who specialises in customising Firefox and helping clients deploy the open-source browser, objected to the rapid-release schedule on corporate workload grounds.
“Companies simply can’t turn around major browser updates in six weeks,” said Kaply in a blog post Tuesday. “With security releases, there was a reasonable expectation that Web applications wouldn’t break as a result of changes. With these releases, there is no such expectation. So a full test cycle needs to be run with every release.”
By the time a company has tested Firefox 5, the next version—now slated to ship in early August—would be out, Kaply complained.
The corporate problem also came up in the Mozilla discussion thread.
“While I agree that longer [release] intervals would be better for corporate deployments … I’m not at all certain it’s the best thing for the Web or for Mozilla,” said Mike Beltzner, a former director of Firefox who still contributes to the project. “We don’t have the resources — as a community — to focus on their problems and on moving the Web forward.”