Mozilla plans to silently update Firefox

Joins Google, Adobe in auto-update movement to take patching out of users' hands

Taking a page from rival Google's playbook, Mozilla plans to introduce silent, behind-the-scenes security updating to Firefox 4.

The feature, which has gotten little attention from Mozilla, is currently "on track" to make it into the final version of Firefox 4, the major upgrade slated to ship before the end of the year. Mozilla has released two beta previews of Firefox 4 in the last four weeks, and has set a third beta for next week.

Firefox 4's silent update will only be offered on Windows, Mozilla has said.

Most updates, including all security updates, will be downloaded and installed automatically without asking the user or requiring a confirmation, said Alex Faaborg, a principal designer on Firefox.

"We'll only be using the major update dialog box for changes like [version] 4 to 4.5 or 5," Faaborg said in a late July message on the "mozilla.dev.apps.firefox" forum. "Unfortunately users will still see the updating progress bar on load, but this is an implementation issue as opposed to a [user interface] one; ideally the update could be applied in the background."

Unlike Google, Mozilla will let users change the default silent service to the more traditional mode, where the browser asks permission before downloading and installing any update.

Chrome is the poster boy for automatic updates. Google's browser kicked off in September 2008 with a then-controversial mechanism that removed the user from the update equation. Chrome continues to rely on an automated service that updates the browser in the background, and can't be switched off.

Taking updates out of the hands of users keeps them safer, Google has claimed. A May 2009 paper co-authored by a Google engineer argued that, "Any software vendor [should] seriously consider deploying silent updates, as this benefits both the vendor and the user, especially for widely used attack-exposed applications like Web browsers and browser plug-ins."

According to "Why Silent Updates Boost Security," 97% of Chrome users were running the latest version of the browser within 21 days of the last update's release. By comparison, 85% of Firefox users were up-to-date in the same span, while only 53% of Safari users could say the same.

Faaborg and Robert Strong, the Mozilla engineer who has been writing the behind-the-scenes updater, defended the move toward a Chrome-like service.

"I think the majority of users would prefer an application that doesn't bother them with what they view as little details, where a little detail is a minor update," said Faaborg. "We get a lot of complaints that Firefox updates too often, people can't see the difference with the new version (it was actually a security patch), that we change our mind too much and should just ship one version (it was actually a security patch), etc."

"There are people that don't like being notified of updates," Strong said on the same Mozilla discussion group. "There is 'no one size fits all' behavior for this that will please everyone."

Strong also took exception to the use of the term "forced" to describe how Firefox would keep users up-to-date. "As for 'forced' update ..., Chrome accomplishes this in part by forcing the install of Chrome into the user's profile which has a set of issues associated with it that we don't want to have, so we aren't taking that route," he said.

Mozilla isn't the only major developer toying with changing how its users receive patches: Adobe has added a silent updater to Reader and Acrobat, for instance. At the moment, users must manually switch on the new tool, and Adobe has said it has no plans to enable fully-automated updates without some kind of user permission.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@ix.netcom.com.
