On 9/4/2013 11:05 AM, Monica Chew wrote:
> Looking through http://www.mozilla.org/en-US/firefox/releases/ I see
> several minor release fixes that involve flipping a pref (like
> 18.0.1). How much easier would our lives be if we didn't have to
> chemspill for preference changes?
We don't have to chemspill to flip a pref, that's what the "hotfix addon" mechanism is for. 18.0.1 involved code-level changes, too:
https://hg.mozilla.org/releases/mozilla-release/pushloghtml?fromchange=8efe34fa2289&tochange=eecd28b7ba09

> Given that many users accept updates very slowly, if at all
> (http://en.wikipedia.org/wiki/Template:Firefox_usage_share) it makes
> sense to have a generic preference API and eliminate as many of these
> minor releases, some of which could be security related, as possible.
> Having a browser support API for preferences probably makes Firefox
> more secure, rather than less secure.

I can't think of a single in-the-wild attack on Firefox that could have been fixed by flipping a pref, unless you count disabling Javascript entirely, which people wouldn't accept. Few of the "minor releases" have had security fixes; most recently they have been due to stability or incompatibility (web breakage) issues. Since the first ESR release a third of minor updates have contained security fixes, or 1 out of 7 since the last ESR (releases with security fixes marked with *):

* 10.0.1
* 10.0.2
  13.0.1
  14.0.1
  15.0.1
* 16.0.1
* 16.0.2
  17.0.1
  18.0.1
  18.0.2
  19.0.1
* 19.0.2 (Pwn2Own)
  20.0.1
  23.0.1

There's no API you could come up with that would have fixed those (unless your API is an updater, which we have).

> To Kevin's point about hardcoding known bad addons, I don't think
> that works given the length of the release cycle (up to 4 months to
> get from Nightly to stable), and that would be much less responsive
> than the blocklist ping already offers.

I agree, even granting that a list of known bad addons is likely to be considered safe enough to be uplifted to Beta right away.

-Dan Veditz
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security