Wow, if I see it correctly that emergency release was brought out in just two days. Impressive.

I am still getting feedback from the local community about problems updating when there is no admin privileges to the user or using Vista with UAC protection active. That should be investigated in order to make sure it won't happen in the future for any user.

By the way, Linux repositories still lack this emergency update...

I don't think Vista users without admin privs can update apps within Program Files at all no matter what. I think this is part of the way Vista is designed, for better or for worse. Vista users should be made aware of it within Firefox, but I doubt there's anything we can actually do about it other than let the end user know and to have an admin log in to update it due to Vista's restrictions.

Zero-day exploits. And if I'm not mistaken, users still are not even NOTIFIED of updates if they are running XP from a nonadministrative account! What does it take to get that fixed?

Vanilla, got a bug number?

- A

It's bug number 407875.

Thanks. It looks to me like it's being worked on.

- A

Tomer, the Fedora 10 datestamp on the download of Firefox 3.0.8 was 18:36 on 27th March, which is impressively close to the 13:36 27th March timestamp on the Linux binary download from ftp.mozilla.org. Ubuntu was a little slower (03:18 on 28th March), but still within 24 hours of Mozilla's 3.0.8 release and before Tomer's posting. I suspect that Tomer may have been using a mirror, which will naturally involve a time lag (which could be any number of hours - I don't know how fast mirrors get updates) before the updates appear.

Now that you mention it, I see that there HAS been some sound and fury in recent months. But they've apparently got a newbie working on it, after Robert Strong declared in September that it would be the next thing he worked on. Uh-huh.

It's already been well over a year, and the bug was first duped against one that's over 3 years old. It's not even a blocker. I'm not going to comment on the bug, but I'm shaking my head in amazement.

Vanilla, we update about 95% of our users in four or five days after a security release. I don't think anyone in the industry with more than a few tens of millions of users beats that or even comes close.

- A

Oh, so that's why Mozilla guys don't think it's urgent. I doubt very much if you get 95% of your users. Maybe you get 95% of the ones that ping daily for updates, but the only ones that ping daily for updates are those who are running from privileged accounts. Right? Or is there a ping even if it's ignored?

Are you saying that only 5% do the right thing and run from a limited account? How could you know that? Am I missing something here?

Are you sure of that? How would you know? Maybe you get 95% of people whose computers ping daily for updates, but Windows computers running from limited accounts don't ping for updates--right? Are you saying that only 5% of people at most run from limited accounts? I don't see how you could know that. Know wonder Mozilla guys don't think this is urgent, if that's how it's figured. It's a great system when it works, but for those who do the right thing and run from a limited account, it's broken.

Sorry about the two posts. Ignore the first and read the second, more polite one. Just updated (this computer is set up specially to circumvent the problem).

You should realize that responses do not show up on your blog until refreshing the page, so you often get duplicate posts. I don't know, it may have something to do with routinely blocking JavaScript.

It's interesting watching progress on notifying users about updates. Let's see if I understand this correctly. Reading between the lines, it appears that there is no intention to fix bug 407875, but to go whole hog with 318855 instead. Fortunately, steady progress has been made on bug 318855 in the last 39 months, to wit:

* 11 character strings have been written and approved.

Well, technically, I suppose that does actually qualify as progress. However, from comments 97 and 98, it appears that 3 1/2 months later we're still waiting for some of the strings to be translated, i.e. "localized", and we're darned well going to wait for that to happen before doing anything. Meanwhile, the freeze is approaching for 3.1 (3.5?), but no code has been written yet. Maybe by version 4?

Like I say, I'm amazed by the lack of urgency, and the total lack of response to pressure. But maybe it's OK. Remember, only 5% of users run responsibly from limited accounts, and apparently they don't need to be notified of updates.