Closed Bug 293926 Opened 20 years ago Closed 20 years ago

Website told user to download update not available in specific locale

Categories

(addons.mozilla.org Graveyard :: Public Pages, defect)

Product:
addons.mozilla.org Graveyard
Component:
Public Pages
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: alicaccs, Assigned: Bugzilla-alanjstrBugs)

References

(
URL
)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.7.7) Gecko/20050414 Firefox/1.0.3 (ax) Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.7.7) Gecko/20050414 Firefox/1.0.3 (ax) Currently Firefox 1.0.4 is not available in *every* supported locales, but the update.mozilla.org website has already changed to refuse Firefox clients < 1.0.4 to access it. This makes users of zh-TW (and many other locales) localized Firefox cannot access the update.mozilla.org site. This is definitely an unfriendly procedure, because we zh-TW users must: 1) switch to en-US or other locales that are available in 1.0.4 now, or 2) spoof the user-agent string to fool the website, to access the service. Both workaround are not practical for average users to utilize. Reproducible: Always Steps to Reproduce: 1. Use zh-TW localized Firefox to access update.mozilla.org 2. And the redirected page follows Actual Results: The redirected webpage told the user to download Firefox 1.0.4, which is currently not available in zh-TW locale. Expected Results: Normal update.mozilla.org content appears. Alough this bug can be automatically resolved after the actual release of zh-TW localized Firefox 1.0.4, it reveals a severe defect in Mozilla.org's software update cycle. Since the first security update of Firefox 1, Firefox 1.0.1, users of zh locale (both zh-TW and zh-CN) always must wait for about one week to get updates in their language, after the initial release of en-US update. This is unfair for users not using en-US locale, because Mozilla.org's delay in update cause these users to expose under the security threats longer than en-US users. Compare to MS, their slowly-produced patches are always available in every locale of their patched product, at the initial release time. IMHO, Mozilla.org shall accelerate the building process of releases to minimize the delay between different locales/platforms, to provide users of different languages/systems a better update experience.
My understanding is that (1) it's being blocked for security reasons and (2) the delay is due to waiting for the localization teams in question to approve the release.
Assignee: mozilla.webmaster → Bugzilla-alanjstrBugs
Component: webmaster@mozilla.org → Web Site
Product: mozilla.org → Update
QA Contact: danielwang → mozilla.update
Version: other → 0.9
If you do not have 1.0.4 or newer, we are blocking you to protect you from the exploit. In other words, this is on purpose.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → WONTFIX
(In reply to comment #2) > If you do not have 1.0.4 or newer, we are blocking you to protect you from the > exploit. In other words, this is on purpose. I mean, there is no 1.0.4 available in my locale, zh-TW. Are you forcing me to switch to en-US?
> I mean, there is no 1.0.4 available in my locale, zh-TW. Are you forcing me to > switch to en-US? No, you don't have to swtich. You just can't use UMO for a while.
(In reply to comment #4) > > I mean, there is no 1.0.4 available in my locale, zh-TW. Are you forcing me to > > switch to en-US? > > No, you don't have to swtich. You just can't use UMO for a while. That's the problem: we zh-TW users have to wait until your release of zh-TW localized 1.0.4 before we can use UMO. We have to wait because the release time differs in different locales; unlike MS, their patch always shipped with every locale of their patched product. This time the expolit relies on UMO service, so you can block clients < 1.0.4 to protect them. What can you do if the next security issue doesn't rely on anything under Mozilla.org's control? This behavior of UMO is useful in advising users to upgrade, but permanent fix of expolit relies on the on-time release of updates for different locales/systems. If zh-TW builds of 1.0.4 is available now, I would be notified to upgrade happily and wouldn't come here to bug this. Shall this bug to be moved to l10n section instead?
I also think that it's kind of pointless to make users upgrade using Mozilla Update. I think what should be expected is that: *If the new version of the locale is already out, display the upgrade notice *If the new version of the locale isn't officially out yes, let the user in That's all.
As stated, we will redirect all vulnerable browsers. We redirect to www.mozilla.org. You are not forced to upgrade; you can choose to not use UMO.
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.