While this may have a side effect of inciting some to disable updates
that does not alter this to a security issue in need of solving. Change
is part of life and it is part of software and regardless of what is
changed some faction of the user population is going to object and
possibly disable updates to remain on an outdated version. While it is
concerning when users choose to resist change in hazardous manners we
cannot and should not halt forward movement due to the real or perceived
threat that some portion of the user base will make ill-conceived
choices. This would allow anyone to hold up anything with the cry of "I
won't update" and then we get nowhere. We are going to have to accept
this as a normal process of change and move forward.

The discussion thus far on other lists shows the reasons for this
alteration and the need for it and as such any further discussion about
it should remain there as this does not rise to the level of a "security
issue".

--
Curtis Koenig
Sr. Security Program Manager
@curtisko

On 2012-11-12 15:33 PM, Zack Weinberg wrote:
> On 2012-11-12 11:45 AM, Johnathan Nightingale wrote:
>> On Nov 12, 2012, at 9:46 AM, Zack Weinberg wrote:
>>
>>> Obviously, refusing to upgrade Firefox opens up these users to
>>> serious security risks.  I would like to suggest that we put that
>>> toggle back in, and commit to preserving tabs-on-bottom mode for
>>> the foreseeable future, *just because* it will encourage this upset
>>> minority of users to continue upgrading.
> ....
>>
>> It's true that sometimes non-security changes have major security
>> impacts (cf. session restore making people more willing to apply
>> updates). I also agree that each poster in our newsgroups represents
>> a constituency (100x may or may not be right, let's say it is).
>>
>> Nevertheless, I disagree. We've got a decade of experience with UI
>> changes having vocal critics that turn out, in hindsight, to be
>> minorities (e.g. tab close button position militancy around FF2).
> ....
>> I don't believe that the discussion around tabs
>> on bottom will result in any significant portion of our user base
>> turning off updates. I do believe that our tab strip code is in
>> desperate need of clean up, and full of edge cases that hurt
>> performance, maintainability, and quality.
>
> I am the last person in the world to stand in the way of code cleanup.
> I find it difficult to believe that allowing two possible relative
> orders of toolbars within the chrome is more than a couple lines of
> CSS, but I am not remotely an XUL person and am happy to be shown wrong.
> And I think this particular change represents the last straw for a
> *large* minority of users who really, really liked Firefox 3.0 and
> have been getting progressively more fed up with UI changes since, but
> I have no numbers to back that up.
>
> But with my security hat on, even a small minority of our users is
> still tens or hundreds of thousands of people, and if their computers
> are 0wned because they refused security updates because they didn't
> like our UI changes, that potentially has cascading fallout upon a
> much larger population (as the 0wned machines become malware sources
> themselves). That's not something I think is justifiable by code
> cleanliness concerns on our end.
>
> zw
> _______________________________________________
> dev-security mailing list
> dev-security@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security
