Closed Bug 1317865 Opened 8 years ago Closed 8 years ago

firefox 50.0 "check plugins" missing from Add-ons Manager

Categories

(www.mozilla.org :: Release notes, defect)

Production
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: nobodyuknow0, Unassigned)

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20161104212021

Steps to reproduce:

Open Add-ons Manager
Select Plugins.


Actual results:

"Check for Updates" (to plugins) does not appear at the top of the page as it has for recent versions.


Expected results:

"Check for Updates" (to plugins) link should be at top of page.
https://www.mozilla.org/en-US/plugincheck/
Bug 1277905.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
@Yang:  You resolved my bug 1317877 by marking it a duplicate of *this* bug, and then say *this* bug is invalid.  How so?  The problem still exists, and the link is still missing at the top of the Add-ons Manager page.  The Release Notes never said anything about removing the link to the Plugin Checker.  So how is that invalid?  Are you not seeing it at your end?  (There are at least two independent reports...)  Or is there a late fix we don't know about or perhaps missed?
>> Clarification:  Are you not seeing it at your end?

I mean are you not seeing that the link is missing (ie- Are you not *noticing* the bug at your end?)
(In reply to Dan Pernokis from comment #4)
> >> Clarification:  Are you not seeing it at your end?
> 
> I mean are you not seeing that the link is missing (ie- Are you not
> *noticing* the bug at your end?)

See comment 1; it is an expected change in Fx50.
OK, I see.  In that case, please update the RELEASE NOTES for FF50 to indicate this as a change.  It needs to say that the plugin checker is gone (hence, no link), and I would suggest explaining to the users what to do now instead.

Sorry, I had no idea this was coming, as a lot of work went into refining how plugin checker was working.  Had the release notes said so, I wouldn't have filed this new normal as a bug.
Status: RESOLVED → REOPENED
Component: Untriaged → Release notes
Depends on: 1277905
Ever confirmed: true
Product: Firefox → www.mozilla.org
Resolution: INVALID → ---
Version: 50 Branch → Production
As a software engineer with more than a decade of experience, if I had made that change, I would have replaced the link with some text indicating, "Plugin check feature has been disabled.  Vulnerable Plugins will be blocked by Firefox."  To just remove it with no message, knowing lots of users would likely be confused seems to me to be very poor judgment by someone seemingly out of touch with good design practices.
In any case, what is the path to getting those vulnerable plugins replaced?  (I'm thinking of the majority of users who don't know how else to download drivers and such, and to be honest, also the serious users too who find it very convenient to have all the updates in one place.)
And what about if a plugin is now blocked, yet I might want it to work -- such as on a site I trust?
That's why the era of plugins needs to end. Plugin check has always been a mediocre workaround to detect outdated plugins and update them, because only major plugins are listed. I have ever really used it.
In my mind, there are just three little issues to wrap this up:

(i) Update the Release Notes (under "Changes") to indicate removal of Plugin Check, as per my Comment 6.
(ii) Add verbiage to the ADD-ONS page as js-jedi suggests in Comment 7 to mention checking is gone.
(iii) Explain and reassure FF users that they no longer need to worry about plug-ins going out of date (if this is true) as described below, and if not true explain how they can fix it (see my Comment 8).


A user wants to click the browser and do his/her thing.  In other words, launch FF and have everything work to do what needs doing.  I agree with the philosophy that plugins should go away.  We just need to make sure that FF contains everything it needs as "native" (built-in) modules; that FF updates occur frequently enough to update those modules and close off the vulnerabilities; and that these updates actually get performed at the user end.

Part (iii) has been lacking, especially in clarity.  I've seen nothing that explicitly says FF will take care of things from now on, only that FF will "block" vulnerable plugins.  Users are being stranded if they have to do their own updates, don't know they're coming, perhaps don't know how, and then suddenly have something fail (be blocked).

It might be prudent to warn the user when FF launches that their current version is outdated or has vulnerabilities.  This might also lead to discomfort or panic, but that's probably better than now, where a naive user never checks plugins and runs blindly into something.  (Ahhhh... so that's why people should run automatic updates. :)  But if FF now updates the plugins (ie, its own modules) frequently enough AND the user receives automatic updates, then perhaps problem solved.
I think that as long as https://www.mozilla.org/en-US/plugincheck/ is deemed appropriate to continue existing, then Firefox should link to it. If the link is no longer needed, then the page is no longer needed and should be deleted. Then I guess users will go back to manually (or automatically) checking their plugins via the plugin software itself (Silverlight, Flash, etc.).

But I don't understand why you would have Firefox still working with plugins, but remove the logical and convenient feature of helping users check and update those plugins.

I actually think that Firefox should combine all the locations and methods of checking/updating things into one updates screen (so that's Help About, notification, popup window, plugincheck page, view available theme & extension updates - all put into one).
The plugin page is still -- so far -- linked from Thunderbird, so we shouldn't delete it just because FF isn't using it.  (At least it is easily and supportably accessible.)  Question is:  Will it still be supported for long?
Benjamin, your thoughts about the plugin check link?
Flags: needinfo?(benjamin)
The link has been removed intentionally from Firefox in bug 1277905, so in essence this is WONTFIX. I've pinged Ritu about possibly adding this change to the Firefox 50 release notes.

As for *why* we made this change: we believe the Firefox blocklist provides a much better experience for users. We don't have to warn users about plugins that they never use, and when we do warn, we can do it in the context of the site that is trying to use the plugin. In addition, the plugincheck site was lagging behind or otherwise inconsistent with the internal blocklist, which led to the pretty terrible experience of Firefox warning users that a plugin was out of date, but linking them to plugincheck which said it was fine.

I am not in charge of the decision to keep or remove plugin check itself. However it will continue to be linked by Firefox ESR versions well into next year, so I suspect it won't be immediately removed.
Status: REOPENED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(benjamin)
Resolution: --- → WONTFIX
Benjamin, today https://www.mozilla.org/en-US/plugincheck/ (which I just happened to visit) says that my Flash plugin is vulnerable and shows me the orange Update Now button. (I have 23.0.0.207, and the latest is 24.0.0.186.)
But if I go to a website that has Flash video, for example https://student.testmasters.com/portal/online/Test.aspx (which is just some page I found with a sample test Flash video on it), the Flash video plays normally.

"Firefox blocklist" (whatever that is (not being snarky I just literally don't know about it)) doesn't seem to work.

The experience I am getting from Firefox is a worse experience. Firefox doesn't warn me about my out of date vulnerable plugin. And Firefox removed the feature to help me manually check the vulnerability/up-to-date status of my plugins, and it doesn't block the operation of the plugin even when the plugincheck page says the plugin is out of date and vulnerable.

Is Firefox supposed to be blocking Flash when it's vulnerable? Am I experiencing a bug?
I also had Flash go out of date -- same versions as Blud -- and updated it with the plugin-checker via Thunderbird's "add-on" link.  I was under the impression that Firefox was going to take care of everything for us, that we wouldn't have to worry about updates.  No warning, no update -- not good.

So where do we stand on this?  Do we wait for FF to automatically replace the modules?  Do we have to enable auto-updates of FF for that to happen?  (I prefer to manually update FF when I'm ready.)

At least plugin-checker is still somewhat up-to-date and working in the meantime...
Unless there is a known exploit in the wild, the Firefox block is deployed the Monday following the regular Adobe patch-Tuesday release.
I specifically waited and did not update our laptop's Adobe Flash from the vulnerable 23.0.0.207 to the latest (24.0.0.186).  It took until January 5th (3 weeks!) for FF on the laptop to finally block Flash.  I then did the update from the FF prompt in the block message.  Is this the new normal?  IMO, three weeks is a bit long for this to kick in, even allowing for the holiday season -- understandably, not everybody is fully at work, but the bad guys ARE.

If FF knows something is vulnerable, it should be blocked right away.  More precisely, the plugin should be updated automatically ASAP and/or we should be given the tools to do so manually.  I happened to know (because I checked for another machine) that the vulnerability was there.  I chose to test the system and waited.  But in a real situation, one wouldn't know and would just go blindly ahead without the updates.  I don't like that.
(In reply to Benjamin Smedberg [:bsmedberg] from comment #18)
> Unless there is a known exploit in the wild, the Firefox block is deployed
> the Monday following the regular Adobe patch-Tuesday release.

The Monday following seems alright to me since I might manually check that slowly anyway (i.e., once a week). But it just took 2 weeks to deploy the most recent Firefox block for Flash, so I still think Firefox should have a manual update link/mechanism for plugins.