Closed Bug 1627518 Opened 5 years ago Closed 4 years ago

Download links for the latest Firefox Fennec Nightly are broken

Categories

(Webtools :: Bouncer, defect)

Product:
Webtools
Component:
Bouncer
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: w8vpztmm, Assigned: rail)

References

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0

Steps to reproduce:

I download Firefox Fennec Nightly from one of these three links:

https://download.mozilla.org/?product=fennec-nightly-latest&os=android&lang=multi
https://www.mozilla.org/de/firefox/all/#product-android-nightly
https://ftp.mozilla.org/pub/mobile/nightly/latest-mozilla-esr68-android-api-16/

Very similar, but I didn't want to revive an old thread https://bugzilla.mozilla.org/show_bug.cgi?id=1565863

Actual results:

Instead of the latest version, I got an old version (versionCode: 2015676753, apkmirror.com listed this version as "Firefox Nightly for Developers 68.5a1 (Early Access)" 20.01.2020)

Expected results:

I should get the newest version - (the same version like from the Google App Store, versionCode: 2015732627)

Assignee: nobody → rail

Any updates?

I'm the maintainer of the FFUpdater app (https://f-droid.org/de/packages/de.marmaro.krt.ffupdater/) and I need the https://download.mozilla.org/?product=fennec-nightly-latest&os=android&lang=multi API for installing the latest version of the fennec nightly.

https://download.mozilla.org/?product=fennec-beta-latest&os=android&lang=multi is now broken, too. It redirects to the app with the version code 2015687505. This version is from 16.03.2020!

This silent failure of the API is a severe security problem - it seems that the latest version is being downloaded. Instead the user installs an outdated browser with security holes.

Let me ask the Pro :)

Johan, do you know the future of these bouncer entries?

Flags: needinfo?(jlorenzo)

Hi Tobias!

Thank you for filing this detailed bug, Tobias!

I have some good and bad news. Good news: You made the right choice by filing a new bug and not resurrecting bug 1565863 - this is a different issue. Bad news: These URLs are correct and there are delivering the expected APKs, even though they're old. There's is an explanation πŸ™‚

Fennec is being replaced by our new state-of-the-art mobile browser codenamed "Fenix". We're slowly migrating users in order to make sure the experience is as painless and as enjoyable as possible. We started to migrate users who were using Fennec Nightly in January (bug 1608882). It took us several weeks to be sure of the result and to finally offer Fenix Nightly to all users using Fennec Nightly. Another few weeks later, we repeated the same process with Fennec Beta (bug 1614287). Fenix Beta has been offered to the whole Fennec Beta population on April 22nd. We're planning to do the same with Fennec Release sometimes this year. The schedule is still to be determined.

The Google Play Store[1] has a lot of nice features, but it's still pretty basic whenever a software publisher wants to slowly migrate users. Once a migration is started, we can't provide any Fennec updates to the population who wasn't offered Fenix, yet. I can say this restriction is painful to manage for Android developers, Mozilla included. Because of it, we had to stop shipping Fennec Nightly/Beta APKs at the beginning of each migration. This explains the dates of the last builds. At the same time, we stopped building Fennec Nightly/Beta because it enabled us to save technical resources[2] as well as people's time[3].

Thank you for bringing up FFUpdater! I didn't know such an application existed. We did look into download.mozilla.org (aka "bouncer") in bug 1614765. Originally, download.mozilla.org links were used on www.mozilla.org. This website has had many changes since the first Fennec came out and it's been a while since it used bouncer to let people download the latest APKs. Instead, it points users to Google Play. Thus, Mozilla decided to not put Fenix on download.mozilla.org.

That said, I think you can use new links in your app πŸ˜ƒ Is the source code available somewhere? This way, I can have a look at what you app does and provide the most efficient link you can use πŸ™‚

How does this sound to you, Tobias?

[1] which is our main distribution medium on Android.
[2] each type of builds has its own compilation and test suites
[3] for instance, QA wouldn't have time to test both Fenix and Fennec.

Depends on: 1614287, 1608882, 1614765
Flags: needinfo?(jlorenzo) → needinfo?(lastman823+mozilla)

Thanks for the fast reply and the information about the next steps in the Firefox development.

I didn't realize that Fennec Nightly and Fennec Beta are outdated. I will replace them with "Fenix Beta" and "Fenix Nightly" in my app.

And thanks for your offer to help πŸ‘

This is how the app is downloading the browsers:

Fennec Release, Fennec Beta or Fennec Nightly:

  1. get the latest version names from https://product-details.mozilla.org/1.0/mobile_versions.json and check them against the installed browsers
  2. download the browser from https://download.mozilla.org/?product=%s&os=%s&lang=multi

Firefox Klar, Firefox Focus, Firefox Lite or Fenix Release:

  1. query the Github API for the latest release https://api.github.com/repos/%s/%s/releases/latest
  2. if the latest release doesn't have assets, then query all releases and search for the latest release with assets https://api.github.com/repos/%s/%s/releases
  3. use regex and string operations to determine the version name and the ABI from the release

But the Github API has some disadventages:

Here is the source code for the app: https://notabug.org/Tobiwan/ffupdater
and the code for getting the latest version names and the download links: https://notabug.org/Tobiwan/ffupdater/src/master/ffupdater/src/main/java/de/marmaro/krt/ffupdater/version

Flags: needinfo?(lastman823+mozilla)

Great! Thanks for explaining the logic thoroughly. I'll read it carefully and get back to you on Monday πŸ™‚

Because this bug's Severity has not been changed from the default since it was filed, and it's Priority is -- (Backlog,) indicating it has has not been previously triaged, the bug's Severity is being updated to -- (default, untriaged.)

Severity: normal → --

I agree, the Github API isn't great for this specific case. We are willing to automate the publication of APK at each Github Release and this way we don't forget to upload APKs there anymore. That said, we don't have the bandwidth to take on this project at the moment.

I have a question for you: do you know roughly how many requests the users of your app generate? I don't need an exact number, I would love to have an order of magnitude. This way, I can think of a good solution - suited for your load πŸ™‚

Flags: needinfo?(lastman823+mozilla)

Thanks for the reply. I hope there will be time to implement such API but I sadly know the problem of limited budget/manpower.

I think the app will generate on average 10 requests per day because:

  • the app checks for updates in the background: 4 times per day = 4 requests per day = each 6 hours (but the user can increase the number up to 96 times = each 15 minutes)
  • when the user (re)opens the app, the app will make a network request. When a user installs the app for the first time, he definitely opens the app more often than the regular user. I think in the worst case scenario this will cause 40 additional request on the first day and will decline to 1 additional request per day.
  • the user can trigger an update check (aka a network request) by down-swiping (but I think this feature is hardly used)

I can implement a cache which could reduce network traffic if necessary.

Flags: needinfo?(lastman823+mozilla)

Sorry for the delay in my response. Let's try these links then:

They get updated every time a new Nightly is produced. You can explore the index (namely mobile.v2.fenix.nightly.latest) by going to https://firefox-ci-tc.services.mozilla.com/tasks/index/mobile.v2.fenix.nightly.latest. Please let me know if this works for you. In the meantime, I'm going to close this bug. No worries, we can continue the conversation there. It's just that there's nothing we can do on the bouncer side, at the moment. Feel free to reopen if you disagree or if the context changes πŸ™‚

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX

Thanks for your response and your advice!

I've rewritten FFUpdater to use the Mozilla CI Server for downloading the APK files. The app monitors the task.created value from the chain-of-trust.json to determine the release of a new version. I havn't released the new FFUPdater version yet but it works flawlessly on my smartphone.

Small question - on the CI server are many repositories. Have I chosen the correct repository for the correct app?

And I can't find Firefox Lite https://github.com/mozilla-tw/FirefoxLite and Firefox Lockwise https://github.com/mozilla-lockwise/lockwise-android/releases on the CI server. Are there plans to build them on this CI server or are they managed by completely different teams?

Sounds sane to me, Johan can confirm.

Flags: needinfo?(jlorenzo)

Looks good to me too!

As far as I know, Firefox Lite and Lockwise don't use Taskcluster. They're built on a different product. I don't know whether they provide public links other than Github's.

Flags: needinfo?(jlorenzo)
You need to log in before you can comment on or make changes to this bug.