Later in June, when Firefox 5 was released, Firefox 4 users were prompted to update to the new version. I was so excited, I had to blog about that too.
Now Mozilla has decided to introduce silent updates to Firefox. From Mitchell Baker's blog we can learn that:
Before Mozilla instituted the rapid release process, we would sometimes have new capabilities ready for nearly a year before we could deliver them to people. Web developers would have to wait that year to be able to make their applications better.
And why is that a problem?
A browser is the delivery vehicle for the Internet. And the Internet moves very, very quickly.
The key motivation for the change is that the old process lacked the agility required to meet new or changing demands in a timely manner. The internet evolves, which means that the requirements for browsers also change rapidly. If capabilities have to wait for a year, something is definitely wrong. Great efforts are being made across the software industry to change software development processes to reduce the time needed to put a new feature or bugfix into production. Many of these efforts push towards agile software development.
With Mozilla's rapid release process came concerns about enterprise deployments, add-on compatibility, and update fatigue for users. Mitchell Baker addresses these in her Rapid Release Follow-Up. One requirement mandated by more frequent releases is to silently take care of the update process for the user. Brian Bondy, a Mozilla developer, mentions the concrete features they're working on as part of the silent update on his blog. Check them out; they're all of the type "Get out of the user's way".
So why is this important for security? For one, there's a lot happening on the borderline between browser security and web application security, e.g. the recently added security mechanisms Strict Transport Security, X-Frame-Options, and Content Security Policy, which are triggered by the web application but enforced by the browser. Web browser adoption of such mechanisms is key to their adoption in web applications. Second, there's a lot going on with the internal security in the browsers, one interesting example being Chrome's plugin sandboxing initiative. There's only one way to keep users safe: keep them up-to-date.
The broader effect of this will be interesting. Firefox, Chrome, and Opera account for about half the browser market. If the major browsers are successful with their rapid releases, they've set an important standard. They've then shown that it can actually be done for widely deployed client software. We're witnessing a paradigm shift on the desktop: version numbers will soon be irrelevant. How cool is that!?!
As a final note, how Mozilla organizes their rapid release cycle is explained in more detail on their blog. It will be interesting to see how it works out and to learn about their experiences.