I can't remember any application with worse update system than Firefox. With 14 MB in less than two months you really can't expect your dial-up users to be up to date.

Good occasion is that it is unlikely that there won't be spyware for Firefox for some time, so you can do something about that. But if you don't take this case urgently (read it 1.1) you're risking safeness of your users.

Oh, not to forget that update system is bad not just from the point of its bulkniess, but also from the point of its inteface.

It is redicilous that MS is taking a strong win in something that should be your area.

I assume this release will contain a security fix as well?
If not, I don't think the Add/Remove Program and PluginService bugs warent a new release.

I partly agree with Ivan.
Isn't there a diff-style update mechanism? Why was the 1.0.2 update actually again a full installer?
Thankfully the Firefox install is rather small (at least in broadband-terms).

Also: would it be possible that the new installer with the fixed Windows "Add or Remove Programs" bug not only replaces the 'previous' installed version entry, but clean up any remaining older entries too (1.0, 1.0.1) ?

jed, it looks like the plugin service bug was a security bug.

Irmen, Asa had this to say in the add/remove bug:

"This doesn't clean up the mess we've made in the past but it prevents the
problem going forward. That's good enough for me for 1.0.3."

Irmen,
i think what your are lookin for is binary diff. I dont know about its licensing. I would be great if something like this would become the standard because as a dailup user i get really annoyed at having to download 4mb files, it simply takes to long. I belive that MacOS X uses a type of binary patching. (Thats what i heard at least) I know that there is some other work with making gentoo package system work with Xdelta, but its still very inmature (sorry no link).

anyways.. im happy to see progress being made and bugs being fixed.

Ivan Icin, have you ever implemented an application update service that serves tens of millions of users? I can't tell; are you asking for the free lunch or are you offering to help make it better? If it's the free lunch, we're workin' on it, be patient. If it's the offer of help, let me know and I'll put you in touch with some bugs that could use patching.

- A

Just curious, are there any bugs concerning the updater which are not closely related to the mozilla source? I'd like to get in touch with Mozilla development and I'd like to see some point of entry.

--Greetings

Asa,

I am not asking for free lunch, but I am rather giving free advice.

I don't need any gifts, if I need security and Firefox does not offers it to me, I don't have problem to switch to Opera or IE7 or whatever. Not to mention that I do get money for my marketing/management consultancy.

I installed the 1.0.3 update. I've only started using installer builds recently. What I noticed is if you uncheck to create icons in quick launch, desktop and start up menu. No icons are created, but mozilla firefox entry that is blank with no shortcuts is created in startup menu? Is this a bug or by design. I installed TB and that doesn't happen.

Ivan, your "it's the worst, make it better" post doesn't really offer any new advice. If people pay for that kind of advice, I think I need to change careers.

Or did you think we were unaware of the various problems and weren't already working on solutions?

- A

Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.7) Gecko/20050402 Firefox/1.0.3

I found this in the Aviary directory before noticing the announcement here; same file, I think.

Extensions "WordCount" and "ext2abc" from roachfiend.com did install Ok -- I didn't find those listed at Mozilla's official page, unless I missed them.

It seems to be running well on my WinXP machine at work. Though I uninstall the old before installing the new so I can't vouch for how well the upgrade process works.

Irmen, the new installer does clean the "1.0", "1.0.1" and "1.0.2" entries from Add/Remove Programs -list. The only one left for me was "1.0 PR".

Jussi: thanks, good news. I'll install 1.0.3 anyway no matter what but I will pay attention to what happens with my old menu entries :)

black iris: interesting. Binary diffs where rather common on the Amiga back then. I remember that the SAS/C compiler supplied a few (free) tools to make and apply those patches. I have no idea how this relates to more current solutions in this field, but for the Amiga it was nice -- most internet access was done using 14k4 modems :)

Version 1.0.3 did remove the 2 previous uninstall entries so it's a WFM.

Speaking of installer bugs, it's a pity you didn't fix the empty startmenu folder after having unchecked "create startmenu icons"

For those of you seeing all the older add/remove program listings being cleaned up, what OS and version are you on?

- A

Asa,

do you remember that 'uninstall Firefox deleted C:/Program files'? Do you remember that you urgently asked for fixing of this bug near the Firefox 1.0.1 release? May be it is a coincidence, but you suddenly 'got awared' on this bug right after my comment in one mozillazine thread (which you have also replied, so you have read it). Do you remember Ben Goodger's reaction? Do you think that he was 'awared' of importance of this bug fixing, even after your asking? I don't think so.

Did you (MoFo) criticized MS update system on its bulkniess? Was it your selling point at that time? Were you 'aware' at that moment how it is hard to make good update system? Were you 'aware' that it is marketing mistake?

Finally, to answer your question clearly. I was aware that you are working on improving update system, there were some posts on your blog if nothing else. From the linked text in that post, it seemed that you are more worried about your servers pressure than on the user problems.

On the other hand, I have no idea how this is important for you. As far as I can get, it is not a priority. All I want to say that next year might be too late for this. Security is your strongest selling point, and if you screw it, you'll screw everything.

I am sure that you, as a developer, understand that this needs to be fixed. However, I am not sure that you understand strategical importance of this. Even if you do understand, I doubt that all decision makers in MoFo understand that. So, according to your current schedule, this needs to be implemented in Firefox 1.5 IMHO. I would be very happy to hear from your that it is already planned like that. But I would bet on the opposite side.

I regret the style of my previous comment, as I should have been aware that it will cause the reaction.

win xp home sp2

Ivan, if you're happy for this to be fixed in a Firefox 1.5 timeframe (assuming that is the case), then why are you kicking up a stink over another security release on top of 1.0.x?

You know that the auto-update mechanism isn't up to scratch yet, and judging by your comments, you probably know that 1.0.2 didn't (and could never) change this.

can someone please tell me why firefox folks can not release a simple patch file like M$ does??? ... instead of making me download the 4.6 meg again and doing the window add/remove and reinstall number ....

this is starting to become a pain ...

what really needs to be fix in a 1.0x update is the loosing of your bookmarks due to a OS/firefox crash ...

later, Richard

so using the 1.0.3 installer install FF over 1.0.2?
do I have this right? or should we still uninstall 1.0.2 first

all this talk about an update system has me a bit confused atm

Richard, I don't think it is as easy/simple as you think.

I must have missed something in Asa's first post

but installing 1.0.3 over 1.0.2 didn't cause any problems
when I run across a manual plugin install .. I'll post back here with the results

if anyone needs a nice tiny utility give Backupfox a try .. I use it a lot when I'm trying out different builds
http://www.neowin.net/forum/lofiversion/index.php/t291258.html

Win XP Pro SP2, 1.0.3 over 1.0.2 worked fine (no extra add/remove entries)

OT: Just noticed I have remove enrty for both Thunderbird 1.0 and 1.0.2. Will there be a fix for Thunderbird too?

>For those of you seeing all the older add/remove program listings being cleaned >up, what OS and version are you on?

I noticed this too. Update from FireFox 1.0.2 to 1.0.3 (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050402 Firefox/1.0.3), Windows XP SP2

This worked beautifully on Windows XP Home SP2. I forgot to uninstall Firefox 1.0.1 before doing 1.0.2, but after installing this, the 1.0.1 is gone too. Thanks a lot - I don't mind downloading 4 MB if it installs cleanly and works great.

Worked fine on Windows XP Pro SP2. Glad this has FINALLY been addressed.

What a lot of the complainers are forgetting is that a lot of IE's patches and security updates are actually bigger downloads than the full Firefox installer. Therefore I think the full installer method is a satisfactory solution for now, of course anything that improves on this will be welcome.

I'm lovin' it...........

working nice on the Add/Remove programs. installing from 1.0.2 to 1.0.3
old entries removed.
Thanxs.

Worked like a charm here (Win XP, from ver. 1.0.2)! Keep up the fine work. I understand what it's like to be an IT person that's underpaid/overworked but it feels good to continue fighting the good fight.

~ Kevin

Just to help the developers I will say that I have never had duplicate entries and I have always just installed over the old versions without removing them. Firefox/Thunderbird show up as just "Mozilla Firefox" and "Mozilla Thunderbird" with no version numbers after them in the add/remove programs dialog. I am running Win XP Pro SP2.

No problems at all installing over 1.2 and only one entry in add/remove.
This build is working very smooth here..installation was fast.
All extensions, bookmarks, settings carried over just fine.

What firefox installer needs is a proper upgrade system, like that which already exists with NSIS. I have no idea why firefox needs its own special installer, when other systems do a far better job of managing large scale deployment and simple upgrading.

Another problem with the installer is that you cannot type the path you want to install to - you can do this on the Nvu installer but not on firefox. Also, on the last installer build I tried, when you tried to install to a custom folder, it always defaulted to a temporary folder rather than the one i installed the previous build to.

In short, there are many seemingly obvious areas in which the installer needs to be improved.

Farhad, I think that may due to licensing issues. NSIS is licensed under something called "zlib/libpng license". I don't know if it is compatible with MPL/GPL/MGPL.

P.S. I love Moz installer (for Windows). I can go through all those wizard pages using keyboard only.

In pl-PL version "Help->About Mozilla Firefox->authors", and there is animated list of authors. In Firefox 1.0.3 this list is blinking while moving. There was no such issue in Firefox 1.0.2 pl-PL.

Was there any patch checked into the branch that might affect gfx code?

Richard Martin: A modular (is that the right word?) upgrade system has not yet been implemented in/for Firefox. That's why.

Dave: Good point.

Farhad: The installation path can be changed if you choose the 'advanced' installation. (Can't remember what they actually call it now.)

David, you are wrong, what farhard means is Bug 233746 "install directory picker doesn't allow user entry - must browse", one of the most unfriendly installer bugs. ;)

OSX: Looks in 2 places for a plugin, fails; tries twice to download the plugin, fails; crashes the Console application (Firefox stays open).

Log:
/Applications/Firefox.app/Contents/MacOS/firefox-bin: can't map file: /Applications/Firefox.app/Contents/MacOS/plugins/Default Plugin.plugin ((os/kern) invalid argument)

/Applications/Firefox.app/Contents/MacOS/firefox-bin: can't map file: /Library/Internet Plug-Ins/MRJPlugin.plugin ((os/kern) invalid argument)

### MRJPlugin: getPluginBundle() here. ###

### MRJPlugin: CFBundleGetBundleWithIdentifier() succeeded. ###

### MRJPlugin: CFURLGetFSRef() succeeded. ###

*** loading the extensions datasource

/Applications/Firefox.app/Contents/MacOS/firefox-bin: can't map file: /Library/Internet Plug-Ins/MRJPlugin.plugin ((os/kern) invalid argument)

### MRJPlugin: getPluginBundle() here. ###

### MRJPlugin: CFBundleGetBundleWithIdentifier() succeeded. ###

### MRJPlugin: CFURLGetFSRef() succeeded. ###

*** loading the extensions datasource

Apr 3 14:35:15 Hank /Applications/Firefox.app/Contents/MacOS/firefox-bin: *** Warning: ATSUMeasureText has been deprecated. Use ATSUGetUnjustifiedBounds instead. ***

Apr 3 14:35:19 Hank crashdump: Started writing crash report to: /Users/hank/Library/Logs/CrashReporter/Console.crash.log

Apr 3 14:35:20 Hank crashdump: Finished writing crash report to: /Users/hank/Library/Logs/CrashReporter/Console.crash.log

Guest12345: Sorry, you're both right. Hadn't thought of that ;-)

Like any software it's going to have it's bugs, but security issues should be addressed before the bugs gets fixed.

Mozilla Products Arbitrary Memory Exposure Test

Introduction

A vulnerability has been discovered in various Mozilla products, which can be exploited by malicious people to gain knowledge of potentially sensitive information.

Please see the test below for an example of how this vulnerability can be exploited.

http://secunia.com/mozilla_products_arbitrary_memory_exposure_test/

So when is the update available

Although Ivan Icin's words are a bit harsh, I have to agree with most of what he said. Three of my friends and I would really appreciate it if there was a smaller upgrade file and not a full installation file whenever there is a small upgrade like this. Thank you.