Open Bug 1749783 Opened 3 years ago Updated 3 years ago

Be less aggressive about update notifications for non-critical updates

Categories

(Toolkit :: Application Update, enhancement, P3)

People

(Reporter: bytesized, Unassigned)

Details

(Whiteboard: [fidedi-ope])

This is sort of just a vague idea at the moment but I wanted to open a bug for it, in part to help me remember to look into this more seriously when I have more time.

I have long had a goal of showing fewer update notifications. We know that users don't like seeing them because we see them mentioned in the uninstall survey. But this isn't an easy problem to address because, of course, updates are important and we have good reasons to notify users about them. In a world where users routinely run untrusted and malicious code, it is important that they have the latest security updates when they do so.

But I'm not sure that every update is equally important. Perhaps we could distinguish between important security updates and other updates. This would allow us to do two things: (1) delay notifications and/or make them less intrusive if the update is of lower priority, and (2) improve our messaging about why the important updates are so important.

Ideally, I think it would be good if we could explain why the update is so important. I know that we don't like to let people know how Firefox can be exploited until after the patch has been distributed, but maybe it could be reasonable to tell the user what sorts of risks they are taking by not upgrading. For example, "A malicious script could intercept sensitive communications", or "Malware that already has access to your computer could elevate its privileges".

See Also: → 1749806

We already have the concept of "major" and "minor" updates in the update system (both in Balrog, and I believe in the client side as well). It used to be used to distinguish between major releases (i.e., 3.0) and point releases, where major releases would usually throw up a big splashy dialog. This metadata could probably be repurposed for this bug though.

I often get e-mail notification of FF/TB updates from CISA before I notice any graphical indication that updates are available in either. I would like to see more prominent update notifications. Especially when the same thwarts threat actor(s). I can also report 1 out of 15 of our support tickets are resolved by client updating FF/TB.
