Closed Bug 1071597 Opened 11 years ago Closed 11 years ago

Serve OSX Firefox 32.0.2 for all 32.0.x releases

Categories

(www.mozilla.org :: Bedrock, defect)

Production
All
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: lmandel, Assigned: pmac)

References

Details

(Whiteboard: [kb=1518201] )

Follow-up on bug 1069545. We have confirmed that 32.0.1 and 32.0.2 were added to Apple's white list on Friday, which should now have seen sufficient adoption at this point to offer 32.0.2 directly to users. pmac - I think we should leave the logic that you added in place in case there are any further point releases for Firefox 32. Can you please update the logic in your script to serve 32.0.2 for all 32.0.x Firefox releases?
Assignee: nobody → pmac
Whiteboard: [kb=1518201]
Commits pushed to master at https://github.com/mozilla/bedrock

https://github.com/mozilla/bedrock/commit/f4849df4f36dab91e71a96e3325c8096eb78df20
Fix bug 1071597: Remove restriction for OSX downloads.

https://github.com/mozilla/bedrock/commit/474916be4162da9b38415735e6827c81ab07b3db
Merge pull request #2307 from pmclanahan/remove-OSX-32.0.2-restriction-1071597

Fix bug 1071597: Remove restriction for OSX downloads.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Hmmm. I'm at 32.0.1. I go to
https://www.mozilla.org/en-US/firefox/32.0.2/releasenotes/
and click on the Download link
https://www.mozilla.org/en-US/firefox/
and it takes me to
https://www.mozilla.org/en-US/firefox/new/
and it says

Congrats! You’re using the latest version of Firefox.

when clearly I'm not.
(In reply to Steve Chessin from comment #2)
> Hmmm. I'm at 32.0.1. I go to
> https://www.mozilla.org/en-US/firefox/32.0.2/releasenotes/
> and click on the Download link
> https://www.mozilla.org/en-US/firefox/
> and it takes me to
> https://www.mozilla.org/en-US/firefox/new/
> and it says
>
> Congrats! You’re using the latest version of Firefox.
>
> when clearly I'm not.

That's because Firefox only passes the major version of Firefox (on purpose) and one minor, but it doesn't include dot releases within a minor version. If you look at your comment 0 in bug 1069754, you'll see 32.0. The UA will be the same value for both 32.0.1 and 32.0.2 and the code on /firefox/new/ is looking at the user agent to determine if it is up-to-date or not. While not ideal for 100% of all use cases, it is being improved to include full version numbers only for *.mozilla.org properties via bug 988725 and bug 1065525.
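Added example, not part of the bug thread and not Bedrock's code: a sketch of a User-Agent based "up to date?" check like the one the comment above describes, next to a variant that reports when the UA is too coarse to decide. The function names and the sample UA strings are assumptions constructed for illustration.

```javascript
// Constructed sample UA strings: Firefox advertises only major.minor ("32.0"),
// so 32.0, 32.0.1 and 32.0.2 all send the same value.
const UA_FX32 = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0";
const UA_FX31 = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0";

const parseVersion = (v) => v.split(".").map(Number);

// Returns the advertised version as numbers, e.g. [32, 0], or null if not Firefox.
function firefoxVersionFromUA(ua) {
  const m = /\bFirefox\/(\d+(?:\.\d+)*)/.exec(ua);
  return m ? parseVersion(m[1]) : null;
}

// Compare only the components the UA actually exposes: -1 older, 0 equal, 1 newer.
function comparePrefix(seen, want) {
  for (let i = 0; i < seen.length; i++) {
    const w = want[i] ?? 0;
    if (seen[i] !== w) return seen[i] < w ? -1 : 1;
  }
  return 0;
}

// Hypothetical naive check: treats "32.0" as up to date even when latest is 32.0.2.
function naiveIsLatest(ua, latest) {
  const seen = firefoxVersionFromUA(ua);
  return seen !== null && comparePrefix(seen, parseVersion(latest)) >= 0;
}

// Granularity-aware check: says "indeterminate" when the latest release differs
// only in components the UA does not carry (the point release).
function classify(ua, latest) {
  const seen = firefoxVersionFromUA(ua);
  if (!seen) return "not-firefox";
  const want = parseVersion(latest);
  const c = comparePrefix(seen, want);
  if (c < 0) return "outdated";
  if (c > 0) return "newer";
  const hidden = want.slice(seen.length).some((n) => n > 0);
  return hidden ? "indeterminate" : "current";
}

console.log(naiveIsLatest(UA_FX32, "32.0.2"), classify(UA_FX32, "32.0.2"));
```

A page that gets "indeterminate" can offer the download anyway instead of telling the user they are on the latest version.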
(In reply to Chris More [:cmore] from comment #3)
> That's because Firefox only passes the major version of Firefox (on purpose)
> and one minor, but it doesn't include dot releases within a minor version.
> If you look at your comment 0 in bug 1069754, you'll see 32.0. The UA will
> be the same value for both 32.0.1 and 32.0.2 and the code on /firefox/new/
> is looking at the user agent to determine if it is up-to-date or not. While
> not ideal for 100% of all use cases, it is being improved to include full
> version numbers only for *.mozilla.org properties via bug 988725 and bug
> 1065525.

If I understand you correctly, you're saying "broken as designed and we're planning to fix it." Or did I misinterpret your comment?
Not broken, but working as designed. It is not good for every website in the world to know exactly the patch release version of the browser you're using. If we release a patch version (e.g. 32.0.2) it can be because of a security issue. If that were the case, and a site were to be able to tell that you were on 32.0.1, then they'd know that you were vulnerable and could attempt the exploit with confidence that it'd work and would be undetected. In the bugs mentioned by :cmore in comment #3 we're having changes made to Firefox that would allow it to send full build information to a small set of domains when using a secure connection. This would allow this page at www.mozilla.org and pages at support.mozilla.org to know exactly what you're running and be more able to suggest things to do. This should land soon we hope.
(In reply to Steve Chessin from comment #4)
> (In reply to Chris More [:cmore] from comment #3)
> > That's because Firefox only passes the major version of Firefox (on purpose)
> > and one minor, but it doesn't include dot releases within a minor version.
> > If you look at your comment 0 in bug 1069754, you'll see 32.0. The UA will
> > be the same value for both 32.0.1 and 32.0.2 and the code on /firefox/new/
> > is looking at the user agent to determine if it is up-to-date or not. While
> > not ideal for 100% of all use cases, it is being improved to include full
> > version numbers only for *.mozilla.org properties via bug 988725 and bug
> > 1065525.
>
> If I understand you correctly, you're saying "broken as designed and we're
> planning to fix it." Or did I misinterpret your comment?

What :pmac said above. The Firefox team has done this on purpose for security reasons so that websites cannot directly target very specific versions of Firefox if a problem is discovered. The full version number was removed years ago from Firefox, thus mozilla.org and other websites are unable to detect the difference between 32.0.1 and 32.0.1. What is coming up is the bugs that I mentioned that the Firefox team is working on that will allow specific mozilla websites to be able to get the full version number to improve this situation. Again, this is the Firefox engineering team that needs to do the majority of the work before our websites team can do anything.
I understand the need for security, and am glad you are dedicated to incremental improvement. I apologize for expressing my frustration with poorly-chosen words earlier. In the meantime, I see that Bug 1072538 has implemented a much better workaround for the original problem.