Mozilla releases new versions of Firefox and Thunderbird
Posted Jul 21, 2010 4:11 UTC (Wed) by muwlgr (guest, #35359)
Seamonkey 2.0.6 is released as well.
Mozilla releases new versions of Firefox and Thunderbird
Posted Jul 21, 2010 12:20 UTC (Wed) by nix (subscriber, #2304)
And bug 492200, opened more than a year ago, upgrades FF's horrible built-in libpng (which is 'extended' with a non-upstreamed extension nobody uses, but nonetheless is always used in preference to the systemwide copy) to 1.2.37. The current 1.2.x version is, of course, 1.2.44, with multiple extra security fixes. Sigh.
Mozilla releases new versions of Firefox and Thunderbird
Posted Jul 21, 2010 20:27 UTC (Wed) by gerv (subscriber, #3376)
> And bug 492200, opened more than a year ago, upgrades FF's horrible
> built-in libpng (which is 'extended' with a non-upstreamed extension
Not for want of trying.
> nobody uses,
Well, we use it. :-)
> but nonetheless is always used in preference to the systemwide copy)
Er, because it's got an extension (Animated PNG) which we need. The other option was making the Firefox download hundreds of K bigger to include a library (libMNG) of which we would be using a tiny fraction.
> to 1.2.37. The current 1.2.x version is, of course, 1.2.44, with
> multiple extra security fixes. Sigh.
Having said all that, this isn't good. Is there a new bug open on a further upgrade?
Gerv
Bug 564792 - Update libpng to version 1.4.3
Posted Jul 22, 2010 1:55 UTC (Thu) by CChittleborough (subscriber, #60775)
See bug 564792, reported by Glenn Randers-Pehrson in May.
Mozilla releases new versions of Firefox and Thunderbird
Posted Jul 22, 2010 2:31 UTC (Thu) by cesarb (subscriber, #6266)
> because it's got an extension which we need.
Would it be possible to, instead of upstreaming the extension, upstream a small hook which could be used to add the extension (and others like it) externally? Then Mozilla would only need to maintain some sort of libapng while using the system copy of libpng. I have not looked, so I have no idea how hard it would be.
Mozilla releases new versions of Firefox and Thunderbird
Posted Jul 22, 2010 16:39 UTC (Thu) by nix (subscriber, #2304)
When I said 'nobody uses', I didn't mean nobody used the library, I meant that the Animated PNG extension is if anything even rarer on the web than MNG. If Animated PNG dropped off the face of the Earth tomorrow, would it affect more people than the loss of <MARQUEE>? I personally doubt it.
Mozilla releases new versions of Firefox and Thunderbird
Posted Jul 22, 2010 19:05 UTC (Thu) by gerv (subscriber, #3376)
AIUI animated PNG was not designed primarily for the web, it was designed because the Mozilla UI needed animated images and transparency at the same time (so you can't use animated GIF), but we didn't want a 100k library to accomplish it.
Gerv
Mozilla releases new versions of Firefox and Thunderbird
Posted Jul 22, 2010 21:09 UTC (Thu) by nix (subscriber, #2304)
Oh, right, it was a UI thing. I see. (I'm not sure I've ever seen transparent animations in FF though. Was it all just for the spinner animation?)
(I'd ask why not use something compatible enough that you could fall back to MNG, but the libmng spec is so horrifically overdesigned that I'm fairly sure that's impossible.)
Mozilla releases new versions of Firefox and Thunderbird
Posted Jul 22, 2010 22:12 UTC (Thu) by foom (subscriber, #14868)
Surely if it's *just* for the spinner, it would make more sense to just support animated spinners made from multiple images, than to fork libpng? Or heck...just rotate a single image using CSS animation...
Mozilla releases new versions of Firefox and Thunderbird
Posted Jul 22, 2010 22:29 UTC (Thu) by gerv (subscriber, #3376)
I don't know how widely it's used, and whether it's used for more than the spinner; but of course CSS animation only just came along. :-)
APNG _was_ an attempt to support animated images in the lightest and most backwardly-compatible way possible (APNGs show the first frame when decoded as PNGs).
Gerv
Another batch of critical security issues
Posted Jul 21, 2010 14:33 UTC (Wed) by proski (subscriber, #104)
I'm concerned that almost all Firefox releases fix more than one critical security issue. Normally a single critical security fix should be sufficient to trigger a new software release. It seems there are so many problems in Firefox that it's impractical, or we would be at 3.6.30 already. Maybe Mozilla developers should try to be more proactive?
Another batch of critical security issues
Posted Jul 21, 2010 20:31 UTC (Wed) by gerv (subscriber, #3376)
> I'm concerned that almost all Firefox releases fix more than one critical
> security issue. Normally a single critical security fix should be
> sufficient to trigger a new software release. It seems there are so many
> problems in Firefox that it's impractical,
A web browser is highly complex software, exposed to a uniquely wide selection of possibly malicious inputs. We try and ship an update every 4-6 weeks. The other browsers have a similar release schedule (although Chrome just upgrades itself without asking you, so it's less noticeable).
When there is an actively-exploited flaw, we can now do an emergency release in a very small number of days (that's from initial report to final ship via automated and manual QA, on 3 platforms in 75 languages). Here's some idea of what the awesome release engineering effort involved is just to ship (never mind producing a fix and QAing it): http://oduinn.com/blog/2010/06/29/firefox-3-6-6-by-the-wa...
Gerv
Another batch of critical security issues
Posted Jul 22, 2010 19:38 UTC (Thu) by proski (subscriber, #104)
It means that Mozilla is proactive when it comes to release engineering. It's ready to make a quick release when the need arises. But I was asking about being proactive in the code. That means analyzing previous bugs to see how they could have been prevented or detected automatically.
Another batch of critical security issues
Posted Jul 22, 2010 22:04 UTC (Thu) by gerv (subscriber, #3376)
We have an internal security mailing list which definitely discusses that, among other things :-)
Gerv
Impressive
Posted Jul 22, 2010 21:24 UTC (Thu) by man_ls (subscriber, #15091)
It is an impressive job. Having participated in several large projects (but nowhere as large or as complex as Firefox), it seems almost impossible to do full QA testing in about 10 hours. I never cease to be amazed by the power of software automation.
Firefox 3.6.8 is out
Posted Jul 24, 2010 2:53 UTC (Sat) by proski (subscriber, #104)
"Fixed a single stability issue affecting some pages containing plugins."