On 03.06.2011 23:45, MCBastos wrote: --- Original Message ---
> Interviewed by CNN on 04/06/2011 00:14, Jay Garcia told the world: >> On 03.06.2011 20:49, Paul B. Gallagher wrote: >> >> --- Original Message --- >> >>> Jay Garcia wrote: >>> >>>> If Mozilla is the only one supplying the updates then how do you >>>> figure that's a dangerous move, i.e., How is malware,etc. going to >>>> get injected into a Mozilla-0nly supplied update? By your thinking, >>>> Microsoft automatic updates are also "dangerous". >>> >>> Without taking a position either way, how does the user know it's really >>> Mozilla supplying the update? Is there some kind of authentication >>> process, or do we just have to close our eyes and trust? >>> >>> If I were a malware author, I would LOVE to be able to tap into one of >>> these update pipelines and infect millions of trusting users within >>> hours. But I'm not, so I don't understand what safeguards are in place, >>> if any. >>> >>> I was briefly an AOHell sufferer in the days Phillip describes, and I >>> absolutely HATED having my computer taken captive without notice and >>> without my consent to install something they thought was essential. >>> Fortunately, that's not Mozilla's way. >>> >> >> I can only go by example since Mozilla hasn't enabled this feature yet >> so there isn't any history yet. However, as long as Microsoft hasn't had >> any problems with their auto-updates I would have to assume that MS >> would be a prime target for malware authors to invade. AFAIK there >> hasn't been any malware attached to MS updates. >> > > > Actually, Firefox 4 by default auto-updates: when online, it checks > periodically with the Mozilla servers if there's a new minor version or > a patch. If there is one, it will download it and install on next > Firefox restart. > > It's a complicated equation. Google auto-updates even major versions of > Chrome. The downside of it is that yes, you are giving them the > privilege to install stuff on your machine. And new major versions might > break compatibility with stuff you need -- for instance, I ran into an > odd problem with Flash ads that only appeared in IE9 (downgrading to IE8 > solved the issue), and Firefox 4 is incompatible with the current > version of a (required) plugin used by several Brazilian banks. > > The upside? Well... > > Some 10-20% of IE users are still using IE6 -- which is *three* major > versions old, and has been superseded by IE7 almost *five years* ago. > That's a very long lingering tail of old versions. Even Microsoft is > concerned. > > Things are slightly better on the Mozilla front -- but I still find LOTS > of users using FF 3.6.x (and not always the latest update), a fair > number using FF 3.5, a few using FF 3.0, and now and then one using FF > 2. So, there's quite a bunch of old Mozilla around. Not as much or as > old as IE, but still a lot. > > Meanwhile, most Chrome users are already using Chrome 11. You will still > find some with Chrome 10, a few with Chrome 9 but hardly anyone with > Chrome 8 -- which was superseded just *four months ago*.(*) > > So, auto-update does have its points: it turns over users very quickly > to the latest version. > > > (*)There's exceptions, of course. The main ones are people who > deliberately turned off auto-updates, and people who installed via MSI > package instead of using the default Google Update installer. Thanks, we already know how this works. What we're speaking of here is that Mozilla is contemplating silent updates where no user input is required. -- *Jay Garcia - Netscape Champion* www.ufaq.org Netscape - Firefox - SeaMonkey - Thunderbird _______________________________________________ support-seamonkey mailing list [email protected] https://lists.mozilla.org/listinfo/support-seamonkey
