Hi guys :)

First of all I want to say thanks to Mozilla and everybody who is helping to 
make Firefox, Thunderbird and Firefox OS as great as they are! :D
For more than ten years now I am a happy Firefox user. :D

I bought a Firefox OS phone (Alcatel One Touch Fire E) a week ago and Firefox 
OS is simply as great as Firefox is.

But there is an important problem that needs to be discussed, because it is a 
general problem in Firefox OS and it is security relevant:


#####
# 1 # The problem
#####
If you use the browser in Firefox OS you normally use an outdated version with 
security vulnerabilities.
So why is the browser so outdated?


#####
# 2 # Source of the problem
#####
The reason why the browser is outdated is that it uses the Gecko browser 
engine that Firefox OS was built with.
This means that if Firefox OS does not have the latest security updates your 
browser is also not up-to-date.

The big problem is that at the moment it looks like we are only getting 
security updates (new versions of Gecko and so on) in new firmware updates.

If I am right, this update has to be done by the device manufacturer.
Usually this only happens a few times a year, if at all. This is far from often 
enough for security updates.

But even if the device manufacturers would release the new firmware updates 
often enough, it would not be fast enough:
We all know how often security updates are released for the desktop browser 
Firefox.
And even the best device manufacturers normally need months to bring out new 
firmware.

Here is an example of how outdated the browser can be:


#####
# 3 # Example
#####
At the moment this is the current status on my Alcatel One Touch Fire E:
Firefox OS 2.0 is the current OS for this device, so it is using version 32 of 
the Gecko browser engine.
Gecko 32 is also used in Firefox 32 (the browser), so we can have a look at the 
'Security Advisories for Firefox' to get an overview of how many vulnerabilities 
are open in the browser:
   https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/
As you can see, we have got a lot of vulnerabilities open in version 32 because 
already 10 new versions of Firefox/Gecko have come out. :(
Far too many to call it 'safe browsing' :((

So waiting for firmware updates by the device manufacturers is not fast enough 
... we need other ideas:


#####
# 4 # Possible solutions
#####
So here are some ideas on how we could get faster security updates:
This is just brainstorming and all of you are invited to discuss, find new 
ideas and tell me if I understood something wrong :D

   #######
   # 4.1 # Let the browser become an app
   #######
   If the browser were an app, with its own Gecko engine, it would be a lot 
easier to apply updates because the whole OS can stay unchanged and just the 
app needs to be updated over the marketplace. 
   So the device manufacturer has to do nothing and updates can be applied by 
Mozilla as fast as possible.
   But I could imagine that there is not enough RAM left on the devices to load 
another full version of Gecko, but maybe I am wrong.

   #######
   # 4.2 # Gecko security updates from Mozilla 
   #######
   Mozilla already integrated an update routine that can just patch Gecko and 
Gaia in Firefox OS; it is called 'Gecko/Gaia OTA updates':
   https://developer.mozilla.org/en-US/Firefox_OS/Building_and_installing_Firefox_OS/Firefox_OS_update_packages#Gecko.2FGaia_OTA_updates_2
   This is interesting because this means that it is possible to update Gecko 
and leave Gonk unchanged.
   Leaving Gonk unchanged is interesting because Gonk is the part of Firefox OS 
nearest to the hardware.
   So if nothing is changed in the Gonk part, the device manufacturer may not 
need to be involved.
   
   Gecko actually can be updated without reboot and in the background.
   The only 'problem' is that sometimes Gecko can not be updated without Gonk 
being updated.
   In this case a completely new firmware is necessary, which has to be done by 
the device manufacturer.
   But maybe Gonk does not need to be updated often if just vulnerabilities are 
fixed.

   
#####
# 5 # Questions
#####
So what do you think about this topic?
Do you have other ideas how to fix this problem?
Did I misunderstand something?
Is there already a planned solution?
Is this just a problem of my device or my device manufacturer?
Are the 'Gecko/Gaia OTA updates' mentioned in 4.2 under control of the device 
manufacturer, or can Mozilla already use this to supply updates without 
involving the device manufacturer?

best regards,
Mark
_______________________________________________
dev-b2g mailing list
dev-b2g@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-b2g