Re: How to switch from silent update to request for update.

Posted: Fri Apr 27, 2012 12:53 pm
by ServiceDefinition
Somehow, they survived F2 and F3, with a "notify me", so they could install when convenient, and not necessarily in the middle of a session.
That may not be instantaneous,
scrib Tom T.

The central point about a fully transparent service isn't its timeliness so much as its transparency. Social engineering has followed the money with malware "alerts" so when the anxious, alert, but non-tech user encounters one of these ↓
A notification screen, perhaps with a special screen for in-the-wilds -- "THIS UPDATE FIXES AN URGENT SECURITY FLAW" -- but don't cry wolf when it doesn't. For less-urgent, the prompt lets the user update at their earliest convenience.
and they're trained to react to all the security theatre that's around on the web now, are you so sure that they won't be reacting to some clever social engineering?
Did you read my description of most folks' reaction to notifications? I'm not a coder or employed by Mozilla. My experience is very different to what you report with non-tech folks; they want someone to set it up so they don't have to make decisions about which they feel unable to have enough knowledge themselves. They've been warned time after time *not* to react to notifications without being completely sure they know what's happening. The browser is a complicated bit of machinery and they want nothing to do with what's under the hood. All they want is a good mechanic. And sadly for most owners of Win machines, they are out on their own after making the purchase unless they have the funds to purchase a tech to look after it.

So I don't agree with you.
Better to have the new service on by default with a new install, but certainly there should be a splash notification of such with any updates so the worried user like yourself would be able to opt out. For exactly the reason I've been arguing: give a novice a reason to ignore some technical notification and they will happily ignore it. A splash page about a background service that they could turn on? TMI. Leave it until they can ask a tech......in the meantime zero days etc etc. I think this is a great move by Mozilla. They're out there taking full responsibility for their web users. Why ever would they go to these lengths of control of the browser in Win machines and not any other OS, do you think? It's not as if Mozilla aren't capable of doing the same for OS X, and other unixes, but there's no equivalent service getting added to their versions. Something to do with the vast majority of browsers being in Win machines, plus Win not having a trusted repository for third-party software, unlike other popular systems. Fx 2 and 3 users in any of the linux distros were already used to having this kind of service running.

The argument about earlier Firefoxes not needing this service is a little disingenuous; Mozilla have judged that they can provide the service now. They didn't judge they could provide it before now. Maybe they could've provided the service for previous versions but chose not to because the tipping point of Win user quota didn't justify it until now? Web2 has made a hell of a lot of people into facebk and twidder morons, so I prefer to analyse Mozilla's actions in this instance as a community-minded attempt to stop the rot.

Re: How to switch from silent update to request for update.

Posted: Fri Apr 27, 2012 2:47 pm
by therube
With the latest Flash, it can "update itself" (install its updates automatically).
What I did on various computers was to set it to Prompt when an update is available.
You are given a notification when it is time & allowed to accept the update or not.
But, this Prompt only shows up after a (computer) reboot. So if you don't reboot regularly, you could be months behind on your update.

And the update (procedure) itself may not be without its own issues.
As in on one computer that I had Flash set to Prompt, when I got the Prompt, I specifically declined it, yet I was unable to get back to the Prompt again (after rebooting & after awaiting the next check cycle).
So for me, on my computers, I set Flash to never check for updates. I'm quite able to do it myself & know that it is done.

Though on other computers, knowing that if I were not there to do it, or if it were not set in some automated fashion, it would not get done, I set those computers to either Prompt (on those I know reboot regularly) or to update automatically.

SeaMonkey (Aurora) updates (virtually) every day (assuming I actually restart the browser). I am prompted, but only if I specifically check for updates, & allowed to actually install the update then or later. Once an update completes (downloads fully) on its own, it will automatically install on a browser restart. I have no problem with this & expect it.

I have multiple versions of FF, though rarely use any of them. In every one of their Profiles, I have specifically turned off updates altogether, because they exist to run tests in specific versions, hence I do not want them to update at all.

Myself, I'll take care of my own business as I see fit.
For others that I deal with, it depends on the person & situation.

Re: How to switch from silent update to request for update.

Posted: Sat Apr 28, 2012 5:09 am
by ServerDefinition
But, this Prompt only shows up after a (computer) reboot. So if you don't reboot regularly, you could be months behind on your update.
scrib therube
Yes indeed.
As in on one computer that I had Flash set to Prompt, when I got the Prompt, I specifically declined it, yet I was unable to get back to the Prompt again (after rebooting & after awaiting the next check cycle).
snap! we had this reported by a couple users. Adobe, that well-known company that's so careful of its users' safety and convenience ;)
Once an update completes (downloads fully) on its own, it will automatically install on a browser restart. I have no problem with this & expect it.
It's gonna be interesting to see how well the new Mozilla Win service handles long browser sessions. One mobile user I know just will not restart - they think it's an inconvenience when they have to close even a single tab.

Good moderation from you, therube. I also have my own update approach, and it does vary depending on who is serving updates.
For others, I maybe know 3 or 4 who I can be sure understand how to look after their own updates on a schedule. For the rest, auto is best - on Win anyway.

Re: How to switch from silent update to request for update.

Posted: Sat Apr 28, 2012 7:04 am
by Tom T.
@ dhouwn:

I put the portable on a somewhat-newer flash drive, same brand, same model series, same size, but with very little usage, being mostly kept as a backup for when the main one dies. (Learned that lesson the hard way, too. ;) ) IDK if the newer one is inherently faster on browser-type read/writes, or the old one is just worn, but in fact, F12 Portable is noticeably faster now. The Δ between native and flash is much smaller. Interesting.

ServiceDefinition wrote:... They've been warned time after time *not* to react to notifications without being completely sure they know what's happening.
Whereas starting your browser, and finding that it's very different from when you shut it down yesterday, is a piece of cake... esp. when you can't find the "Check for Updates" menu, and your add-on icons have disappeared ....
So I don't agree with you.
Isn't free speech wonderful? (so long as exercised in a civil manner, at least on this forum ;) )

Our Forum Rules expressly provide for respectful differences of opinion. :)
..... but certainly there should be a splash notification of such with any updates so the worried user like yourself would be able to opt out.
I haven't heard anything about that being planned.... I support the idea. (See? We *can* agree!)
Why ever would they go to these lengths of control of the browser in Win machines and not any other OS, do you think?
I was unaware that this was Windows-only, thank you. That makes it even more senseless.

Ugly stereotype: "Nearly all Windows users are clueless; all Mac users are tech wizards." (you did this yourself earlier, with "stuck in Winland")

I know many high-tech users of Windows, including Steve Gibson of www.grc.com.

The elderly couple next door to me, and a friend and family a short distance away, have Macs, but they know nothing at all about what's under the hood.
The general reputation of Mac, plus the devastating flop of Vista (and the "I'm a PC/I'm a Mac" commercials in the US) brought to Apple many former Windows novices and new purchasers.

How does MZ justify this -- pushing this on PC and not Mac? (I'll agree that *nix users, by definition, need some tech knowledge, unless a tech friend/relative does it for them... )
plus Win not having a trusted repository for third-party software, unlike other popular systems.
What do you mean, "trusted repository for third-party sw"? I don't trust Windows sw. (I vet their Updates rather than auto-update.)
I don't trust Firefox, else I wouldn't need NoScript. ... or to be more exact, I can't trust Fx to protect me from evil code.
Mac isn't so trustworthy, either. They have their share of vulns, and an insecure/outdated Fx on Mac is no better than an insecure/outdated Fx on Win, is it?
Maybe they could've provided the service for previous versions but chose not to because the tipping point of Win user quota didn't justify it until now?
Sorry, no. Firefox was gaining market share rapidly during the F2 years, and, according to this source, peaked during the F3 years. It started dropping rapidly shortly after the "Rapid Release" got into full swing.
("Rapid Release" = "rapid release of users to other browsers"? ;) )

Sure, Google has pushed Chrome, but Fx users wouldn't defect if they were happy....
Web2 has made a heck of a lot of people into facebk and twidder morons, so I prefer to analyse Mozilla's actions in this instance as a community-minded attempt to stop the rot.
No browser can protect a TwitFace moron from themselves. Therefore, no auto-update can. This point is utterly irrelevant.

Agree to disagree.
Cheers.


ETA: Per the link kindly provided by DJ-Leith,
For Mac OS X and Linux, Silent Updates are currently planned for version 14.
no further comment... :D

Re: How to switch from silent update to request for update.

Posted: Sat Apr 28, 2012 9:20 am
by dhouwn
Tom. T wrote:I do seem to remember security updates at shorter intervals than that -- with others at longer intervals. Still averages more than once every six weeks.
Maybe you are right, anyway here is one such quote (not sure if that was the one I was remembering):
http://blog.mozilla.org/channels/2011/07/18/every-six-weeks/ wrote:We may decide that 6 weeks is the wrong interval, for instance, though it’s worth remembering that Firefox maintenance releases have been released on 6-8 week intervals for years, and sometimes included major changes.
Tom. T wrote:Thanks for that, unless they change it to the bad way. Any idea whether they will?
With "bad way" you mean that the service will run at the same time as Firefox?
Tom. T wrote:They can hunt actively for flaws in F12 and exploit them. If MZ isn't committed to fixing any exploit as soon as there is evidence of it in the wild *or* reported responsibly, then there is the same window of opportunity.
Ah so you are talking about flaws in new code, well AFAIK Mozilla is trying to combat this with security reviews and sometimes fuzzy testing, would be really interesting to know how long it takes for a flaw in a new piece of code to be found and how old the code where the flaws are found is on average.
Tom. T wrote:Some average users I've heard from don't want to start their browser and find out that it's different from the last time they started it, with no notice.
Does the average user want to have a notice or not, that's a good question.
But if you think of large web services as applications which update constantly, these certainly don't notify the user about any but the biggest changes.
Tom. T wrote:Recall that IIRC, geolocation was default-enabled until enough people screamed. OK, "we'll always ask".
I don't recall that, you sure they did that? In what browser version, Firefox 3.5 alpha (when it was still called 3.1)? Should have been apparent that this would not have been a very good idea. I couldn't find any info on this on the quick.
Tom. T wrote:To save work and interrupt for average user, I say: Default to auto-notify of new release or update; ask user "Install now? Later?"
interrupt ask
The idea is to not ask in order to not interrupt the user, esp. if asking a question where there is no real "no" option. ;-)
Tom. T wrote:Good, then it can be disabled like any other Win service.
AFAIK, it can even be uninstalled separately. The idea is (or was at least originally) to have only one service for all Mozilla software.
Tom. T wrote:No, which is why I had to ask -- didn't see it anywhere.
Is the updater deactivated for the portable builds? Have a look whether you find "--disable-updater" on the about:buildconfig page. Since the service makes no sense without the updater it would just be logical to have all references to it removed.
Tom. T wrote:Somehow, they survived F2 and F3, with a "notify me",
That was the default back then? I thought it was automatic but they asked for major and minor releases anyway.
Tom. T wrote:What do you mean, "trusted repository for third-party sw"?
I believe he is referring to central package manager systems (as on Linux distributions) or "app store" concepts (e.g as will come with Win8).
Tom. T wrote:no further comment... :D
Just want to point out that in case of Linux it only applies to the version from the Mozilla site, not if you get it from the package manager (which might be a better idea for various reasons).

Re: How to switch from silent update to request for update.

Posted: Sat Apr 28, 2012 1:30 pm
by ServerDefinition
Ugly stereotype: "Nearly all Windows users are clueless; all Mac users are tech wizards." (you did this yourself earlier, with "stuck in Winland")
scrib Tom T.

Your inference from anything I wrote that I subscribe to the Win users are stupider than (insert OS here) trope is wrong.
Mac users on the other hand are brainwashed dummies ;)* However the novice mac user does have access to some fine post sale support that doesn't need a subscription to a third party technical service. And a little more thought has gone into the very clever permission elevation structure for users than ever did with Win. Try reading "stuck in Winland" in its context if you wouldn't mind. I really don't enjoy your style of cherry-picking quotes out of context, mainly because it makes me have to write a novel in response ;)
The user stats for Mozilla may be in decline, having peaked in Europe about a year ago, but I stand by my point that Mozilla has now a responsibility to cater for Win users because it outranks IE on Win systems in Europe and has a significant, even if much smaller, proportion of users in the USA.
Nice for Mac users to anticipate this in 14. Much smaller user base, but nice to include them all the same.
It might prove to be a little more complex for some linux users; the current Mozilla updater can break installs on quite a few distros, so for most that I look after there, I disable it in favour of their particular repository - which can be a subscription to the main distro's repository, or a third party one maintained by a trusted group. It's all a context thing, as therube showed so well upthread. Ubuntu, I believe, dhouwn can correct me if I'm wrong, disables the in-browser updating by default - in favour of its own Canonical Update Service. It's a great model, the trusted repo, and I'm rapt to read here that it's getting incorporated into Win8!
No browser can protect a TwitFace moron from themselves. Therefore, no auto-update can. This point is utterly irrelevant.
It's only irrelevant if you ignore the point that acquired malware affects more than individuals, and that the main vector for malware infection continues to be unpatched software.
Agree to disagree
Yep. I disagree that Mozilla are behaving badly in this matter and that's why I bothered to post. I do agree however that Mozilla should have splashed the introduction of the new Win service for updated users *on the update splash page* so that opting out could've been done straight away. It's only polite, after all.
Not sure about your reference to the forum's rules. I hope you haven't been upset by anything I've contributed here. :-)

*no, I'm not saying that for real, they're not, that is humor

Re: How to switch from silent update to request for update.

Posted: Sat Apr 28, 2012 5:19 pm
by dhouwn
ServerDefinition wrote:Ubuntu, I believe, dhouwn can correct me if I'm wrong, disables the in-browser updating by default - in favour of its own Canonical Update Service.
The Firefox package Ubuntu ships through their package manager simply does not have the updater included (compiled with "--no-updater"), it does not fiddle with existing installations, so you can have a Firefox installation from Mozilla side-by-side with the one from Ubuntu, whereas Mozilla's updater takes care of the former and Ubuntu's update manager of the latter.

Re: How to switch from silent update to request for update.

Posted: Sun Apr 29, 2012 10:28 am
by Tom T.
Trying to avoid cherry-picking, which is this writer's way of ensuring that the reader understands what part of what post is being replied to: :)

@ dhouwn: I just divided 27 updates by 27 months of support, and got an average of more than every 6-8 weeks. "bad way" referred to the Bugzilla link you posted, which said that they might change the policy of *not* updating *an existing, running instance of Firefox*. .. not sure how they could; wouldn't that force a restart? versus just d/l the installer that runs at next browser start.

Very glad to see the fuzzy testing and "Security Reviews", except that the SecRvw for F3.6 still has three reviews yet to be scheduled, from 2009. Not confidence-inspiring.

Large web services as apps that update constantly -- IDK what you mean. Open Office lives in my HD and USB FD, and I control when to install updates (appreciate the notification). Same with firewall, AV -- they'll notify, I'll install. Which web services? I try to avoid most of the cloud stuff, precisely because the only thing I can control is my own machine and what's on it.

geo.enabled *still* defaults to true. Glad you agree that that is a bad thing. There may be a bugzilla thread about changing the default, should you care to search there, but check your about:config for this setting and its default.

One service for all MZ sw? Right now, I have no services.msc for *any* MZ sw, and seem to be doing fine.

Is the updater deactivated for the portable builds? The auto-updater is, per the quote from PortableApps.com earlier in the thread, and always has been, even before silent update was introduced in F12. However, notification works exactly as native install, which is good.
about:buildconfig Configure arguments:
--enable-update-channel=release --enable-update-packaging --enable-jemalloc --enable-official-branding
Errata: I meant that they survived F2 and F3 without *silent* auto-updating, sorry. Whatever the default was, it wasn't silent. The user knew.


@ ServerDefinition:

Please don't feel obligated to write novels on my account. ;)

I did think of another not-so-novice Windows user (check the UA), just for laughs.

OEM-preloaded Windows machines get Win support from the OEM, not from MS. This quality and promptness of support varies widely among OEMs, and both research and experience influenced purchase decisions. (Guess they deserve the plug: Toshiba, by a long shot. IDK if they still have that rating today, or if Dell has improved its terrible rating since I last bought some years ago.)

Regarding TwitFaces, agree that insecure sw is a major vector. But these are people who don't use NS, and by definition, don't care about security or privacy. They'll click whatever and allow it. What you allow passes through both new and old browsers, that's all I was saying.
Or, as far greater minds than mine have said, "The biggest security flaw in any machine is the one at the keyboard". :mrgreen:

Of course I'm not upset. I was quoting the rule that specifically says that differences of opinion are always welcome. (You could read it should you like, wink). It asks only that the opinion itself be addressed, rather than attacking the person. Common decency.

Airing such differences as these is valuable, IMHO. Many others will read, even if they don't post. (This thread has about 230 views ATM.)
This gets people thinking. Perhaps other solutions will be found that incorporate parts of our various ideas. This is the benefit of the free marketplace of ideas, which I wholeheartedly support --- as does Giorgio Maone (who provides the bandwidth, hosting, etc. for all of this), which is another reason that it's a pleasure to be on his team.

Cheers.

Re: How to switch from silent update to request for update.

Posted: Mon Jun 18, 2012 4:51 pm
by DJ-Leith
As I, and the link I posted above in this thread, have been cited several times I have been meaning to give MHO too.
However, I have been dealing with other things IRL and also, in MHO, more important topics.
So I apologise for the delay in posting.

See Changes in Firefox "-no-remote" switch and running Fx
http://forums.informaction.com/viewtopi ... =10&t=8626
In the first post in that thread I described my use of Firefox (and Aurora) in detail. I'll not repeat that here.
Also, I note in passing, NoScript has had more than 30 Updates since 27 April 2012 while the only other
Add-on that is shown in Picture #01 - that has had an update - is RequestPolicy (now at 0.5.26 - I updated it
on 18-06-2012, I see it was released on 04 June 2012).

To summarise this thread.
The OP asked about Updating Add ons. The discussion evolved into the Updating of Firefox itself and the new
"Mozilla Maintenance Service".

My personal view for my personal use
As I proposed (above on Tue Apr 17, 2012 5:29 pm) manually checking for NoScript Updates, you will
not be surprised that I am happy continuing to do this. I also, like Tom T., have 'full manual control' of the
update process even though I have several Profiles to keep up to date.
However, I do have Automatic updates (of Add ons) on some Profiles that I rarely use.

I can see a place for 'more automatic updating'. Like many readers here I offer informal (unpaid) support to
friends and family. Here, one often finds - like the OP wachobc - an automatic solution is desired.

I can also see the logic behind the 'rapid release' philosophy that Mozilla have adopted for Firefox since early 2011.
The new versions are more like the old 'point releases'. As I write my Fx is 13.0.1 and my Aurora is 15.

The new "Use the background service to install updates" is controlled per Profile, per Windows User
As I have described, at length, I have many Fx Profiles.

In Menu, Tools, Options, Advanced
you can check (tick) "Use the background service to install updates"
Obviously, if you do NOT want this then you have to uncheck (untick) this for ALL your Profiles.

I tried the following experiment.
Several weeks ago I set the following - to see what would happen when Fx went from 12 to 13 and
to see how often Aurora would Update.

User who is an Administrator

Aurora (15)
Profile set to
"Check for updates, but let me choose whether to install them"
"Use the background service to install updates" is checked (ticked)

Firefox (13)
All Profiles set to
"Check for updates, but let me choose whether to install them"
DO NOT "Use the background service to install updates"


User who is NOT an Administrator

Aurora (15)
Profile set to
"Check for updates, but let me choose whether to install them"
"Use the background service to install updates" is checked (ticked)

Firefox (13)
All Profiles set to
"Check for updates, but let me choose whether to install them"
DO NOT "Use the background service to install updates"


In my Firewall I controlled the "MAINTENANCESERVICE.EXE"

C:\PROGRAM FILES\MOZILLA MAINTENANCE SERVICE\MAINTENANCESERVICE.EXE
Set Firewall to "Ask" and log 'Outgoing attempts'.

Also, you will recall, I try and do as much as possible as a Windows User who is NOT an Administrator.
My 5 year old Laptop has Windows Vista and I am happy with the UAC.

Mozilla Maintenance Service respects the OS
Over the last few weeks, using Aurora (14) and now Aurora (15) and while logged in as a Windows User who is NOT an
Administrator the Mozilla Maintenance Service has not even 'raised a UAC prompt', never mind 'done a silent Update'.

So, all is as before. Well very nearly: there is no UAC prompt (on Aurora when you have Administrative rights).
MAIN POINT
You need to be a Local Windows Administrator to update Aurora 15 (or Firefox less than 15).

So, what happens if I login as a User who has Administrative rights?

User who is an Administrator
Aurora
Help, About Aurora
Press the 'button' called "Check for Updates", ==> downloads the Update,
then the 'button' becomes "Restart to Update".

Press this and Aurora begins the restart.
Then the Firewall Asks me! I would have expected sooner.

After the restart,
"About Aurora" shows the new version (typically dated the previous day)
e.g. "15.0a2 (2012-06-17)".

Checking the Firewall log, the "Ask" was indeed the

C:\PROGRAM FILES\MOZILLA MAINTENANCE SERVICE\MAINTENANCESERVICE.EXE
that was attempting an outgoing connection.
The User was "SYSTEM" (not the Windows User who has Administrative rights).


User who is an Administrator
Firefox
Help, About Firefox
Press the 'button' called "Check for Updates".
Like Aurora, ==> downloads the Update,
then the 'button' becomes "Apply Update".

Then Firefox restarts, there IS a UAC prompt.

About Firefox shows the new version, e.g. "13.0.1".

As the MAINTENANCESERVICE.EXE is 'not enabled for this profile' (not enabled for any Fx Profile) there was
no "Ask" from the Firewall. 'Firefox itself did the Update', not the new MAINTENANCESERVICE.EXE

I have done this for Aurora Updates (since 12 May 2012) and for the Firefox Updates to 13 and again to 13.0.1.

DJ-Leith
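
Added example, not part of DJ-Leith's post: because the background-service checkbox is per profile, one way to audit many profiles at once is to read each profile's prefs.js. It assumes the checkbox is stored as the pref app.update.service.enabled and the "let me choose" option as app.update.auto = false, that both default to true when absent, and it uses constructed profile names and contents.

```python
"""Audit every Firefox profile for the per-profile background-service setting."""
import re
import tempfile
from pathlib import Path

# Assumptions (not stated in the thread): the checkbox "Use the background
# service to install updates" is stored as app.update.service.enabled, and
# "Check for updates, but let me choose..." sets app.update.auto to false.
SERVICE_PREF = "app.update.service.enabled"
AUTO_PREF = "app.update.auto"

# prefs.js holds one user_pref("name", value); call per line.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {name: value} for the user_pref lines in a prefs.js body."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_RE.match(line)
        if not match:
            continue  # comments, blank lines, anything malformed
        name, raw = match.groups()
        prefs[name] = {"true": True, "false": False}.get(raw, raw.strip('"'))
    return prefs


def audit_profiles(profiles_root, service_default=True, auto_default=True):
    """Report the update settings of each profile under profiles_root.

    prefs.js only records values the user changed, so a missing pref means
    the build default applies; both defaults are assumptions, passed in.
    """
    report = {}
    for prefs_file in sorted(Path(profiles_root).glob("*/prefs.js")):
        text = prefs_file.read_text(encoding="utf-8", errors="replace")
        prefs = parse_prefs(text)
        report[prefs_file.parent.name] = {
            "service": prefs.get(SERVICE_PREF, service_default),
            "service_explicit": SERVICE_PREF in prefs,
            "auto_install": prefs.get(AUTO_PREF, auto_default),
        }
    return report


def profiles_using_service(report):
    """Names of profiles where the background service would be used."""
    return [name for name, row in report.items() if row["service"] is True]


def build_sample(root):
    """Write three constructed profiles (names and contents are made up)."""
    samples = {
        # Checkbox never touched: the pref is absent, so the default applies.
        "abcd1234.default": 'user_pref("app.update.auto", false);\n',
        # Checkbox explicitly unticked.
        "efgh5678.testing": 'user_pref("app.update.auto", false);\n'
                            'user_pref("app.update.service.enabled", false);\n',
        # Checkbox explicitly ticked, plus an unrelated string pref.
        "ijkl9012.aurora": '# Mozilla User Preferences\n'
                           'user_pref("app.update.service.enabled", true);\n'
                           'user_pref("browser.startup.homepage", "about:blank");\n',
    }
    for name, body in samples.items():
        profile = Path(root) / name
        profile.mkdir(parents=True)
        (profile / "prefs.js").write_text(body, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for name, row in audit_profiles(root).items():
            print(name, row)
```

On a real machine, point audit_profiles at each Windows user's Firefox Profiles folder; a profile where the checkbox was never touched shows service_explicit as False and follows the assumed default.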

Re: How to switch from silent update to request for update.

Posted: Mon Jun 18, 2012 5:27 pm
by dhouwn
DJ-Leith wrote:then the 'button' becomes "Restart to Update".

Press this and Aurora begins the restart.
Then the Firewall Asks me! I would have expected sooner.
That's because only at this point it tries to write to the Firefox folder in the program files directory, which needs elevation. The update package is downloaded to a location that needs no elevation.

Re: How to switch from silent update to request for update.

Posted: Mon Jun 18, 2012 6:13 pm
by therube
The update package is downloaded to a location that needs no elevation.
%APPDATA%