|| ||Zack Weinberg <zackw-AT-panix.com> |
|| ||mozilla-dev-security-AT-lists.mozilla.org |
|| ||Re: Security fallout of hiding tabs-on-bottom mode |
|| ||Mon, 12 Nov 2012 15:33:34 -0500|
|| ||Article, Thread
On 2012-11-12 11:45 AM, Johnathan Nightingale wrote:
> On Nov 12, 2012, at 9:46 AM, Zack Weinberg wrote:
>> Obviously, refusing to upgrade Firefox opens up these users to
>> serious security risks. I would like to suggest that we put that
>> toggle back in, and commit to preserving tabs-on-bottom mode for
>> the foreseeable future, *just because* it will encourage this upset
>> minority of users to continue upgrading.
> It's true that sometimes non-security changes have major security
> impacts (c.f. session restore making people more willing to apply
> updates). I also agree that each poster in our newsgroups represents
> a constituency (100x may or may not be right, let's say it is).
> Nevertheless, I disagree. We've got a decade of experience with UI
> changes having vocal critics that turn out, in hindsight, to be
> minorities (e.g. tab close button position militancy around FF2).
> I don't believe that the discussion around tabs
> on bottom will result in any significant portion of our user base
> turning off updates. I do believe that our tab strip code is in
> desperate need of clean up, and full of edge cases that hurt
> performance, maintainability, and quality.
I am the last person in the world to stand in the way of code cleanup.
I find it difficult to believe that allowing two possible relative
orders of toolbars within the chrome is more than a couple lines of CSS,
but I am not remotely an XUL person and am happy to be shown wrong.
And I think this particular change represents the last straw for a
*large* minority of users who really, really liked Firefox 3.0 and have
been getting progressively more fed up with UI changes since, but I have
no numbers to back that up.
But with my security hat on, even a small minority of our users is still
tens or hundreds of thousands of people, and if their computers are
0wned because they refused security updates because they didn't like our
UI changes, that potentially has cascading fallout upon a much larger
population (as the 0wned machines become malware sources themselves).
That's not something I think is justifiable by code cleanliness concerns
on our end.
to post comments)