Firefox/Normandy/PreferenceRollout (wiki.mozilla.org)
147 points by mlthoughts2018 3 months ago | 113 comments

Relevant context:


> Update: We have rolled out a partial fix for this issue. We generated a new intermediate certificate with the same name/key but an updated validity window and pushed it out to users via Normandy (this should be most users). Users who have Normandy on should see their add-ons start working over the next few hours. We are continuing to work on packaging up the new certificate for users who have Normandy disabled.

Further context: https://news.ycombinator.com/item?id=19823701

This partial fix via Normandy means a relevant part of the user base may still be in the dark: tech-savvy power users with many extensions who have chosen to disable Normandy. (This is probably also the group which is most affected by reset extension settings.)

Indeed, I had opted out of Normandy, SHIELD studies & co after the Looking Glass/Mr. Robot promotional ad fiasco.

Tentatively re-enabled, it's now 2 hours since the announcement but I haven't received the preference flip study yet. A couple more hours before my fox's lastUpdateTime rolls around and my extensions get disabled, patiently waiting to see if I'll have to take manual action!

Edit: Funny, my app.normandy.run_interval_seconds was set to 24h for some reason, the new default seems to be 6h. I wonder how many people are also in that situation.

I found that setting app.normandy.first_run to true and then restarting Firefox triggers the hotfix study to be installed (and the pref then automatically sets itself back to false).

I understand that this isn't a backdoor, it's a frontdoor insofar as there is a wiki page about it. What concerns me is that Normandy isn't communicated in the UI of the browser settings, and that Firefox is allowing Mozilla to target me based on any of these:

  Targeting can be based on many criteria, including:
    Firefox version
    channel (release, beta, nightly)
    a percentage of users
    Firefox locale
    installed add-ons
    profile age
    any preference value
    many keys in Telemetry

Any preference value? Is this targeting being done locally or remotely? Once I've been 'targeted' what information about me is then sent to Mozilla?

I'm not sure I want any of those shared, especially the last several. Yet this was enabled by default and the only way to disable Normandy is through about:config? Does disabling that also stop whatever allowed the targeting in the first place?

It just seems like there was a real lack of informed consent regarding this feature and it only came to light when the team used this as a shortcut for fixing the add-on disaster.

Unticking "Allow Firefox to run and install studies" under Settings > Privacy & Security should disable Normandy.

I have all of the privacy options unchecked including studies but Normandy (which I've just found out about via this issue) is still enabled.

It doesn't, Normandy is still enabled and will install studies against the user's will. This is disgusting.

It seems still enabled in about:config

I don't get it. Is someone going (and I don't really care if it is from Mozilla or Microsoft) to RECONFIGURE my browser without my consent? This is an unacceptably bad idea.

Yes, sort of. The change is made to _default_ configs, so if you changed something, it won’t touch it. And while I get that changes to that can be annoying, I also find them necessary to keep the application easy to use and productive and cannot think of any piece of software that has never changed its defaults.

The reason for Normandy to exist is to allow the developers to check if some change to those defaults is production ready yet. For example, you can start enabling by default hardware video acceleration for some people and compare the number of browser crashes they experience compared to the general public and use that knowledge to know when this feature is stable enough to be enabled for all.

It should be mentioned that Mozilla had once wrecked their reputation by allowing a corporate-supported study [1] (yeah, the Mr. Robot one). It was a really bad PR disaster for Mozilla, and I think Mozilla has at least learned their lesson by not abusing the studies system in such a way (as far as I know).

[1] https://drewdevault.com/2017/12/16/Firefox-is-on-a-slippery-...

So they'll put it directly in Normandy instead of wrecking Studies?

Not sure, but Mozilla had taken another PR risk by adding sponsored content to the Pocket integration [1]. So we need to keep our eyes on Mozilla.

On wrecking Normandy, you can actually see all enabled recipes [2] and nothing seems smoky. It even seems that the hotfix (id=721) was used to unbreak Office 365, supporting the positive uses of this system. But I strongly agree that there should be a more approachable list of them.

[1] https://blog.mozilla.org/futurereleases/2018/01/24/update-on... (HN discussion: https://news.ycombinator.com/item?id=16229927)

[2] https://normandy.cdn.mozilla.net/api/v1/recipe/

Between the several HN threads on this, this is just what I was missing. Thanks for clarifying it is the defaults which change. That is completely acceptable. It's like any other feature or aspect of FF that a developer can change.

I don’t think restricting the changes to default settings is enough, you can still do quite a lot of malicious or just plain annoying things with that—for example, I didn’t change the default browser theme, but that doesn’t mean that I wouldn’t be pissed if it changed to an advertisement of any sort.

It gives the developers a great power—they can change the application’s behaviour outside typical venues for this. Most users expect an update to change things, but if my browser would start to behave erratically and I knew I haven’t updated it for a while, it would have sent me on a wild goose chase for other things that I might have done that make my Firefox crash or whatever. It wouldn’t have occurred to me that some change to my settings was pushed without my knowledge.

We can only hope FF devs will use that power responsibly. It can be a nice feature or a complete nightmare. And I for one would very much welcome some kind of pushed notification about that (‘hey, there was a problem with this and that, so we changed that and this; here’s how you can revert the change if needed’).

In this case it is being used to push a new certificate which goes beyond the ability to change default preferences and therefore raises questions regarding the full capabilities available to Mozilla through Normandy.

Apparently the expiration date of the certificate ends up as a pref at some point. I don't remember what the name of the pref is, but someone posted it.

Maybe everyone should set app.normandy.user_id to "anonymous".

> compare the number of browser crashes they experience compared to the general public

I'm sure the users who experience said crashes without doing anything in their browsers are happy about this :-P

That "someone" is the author of the browser you installed in the first place, and which you know is going to push whole software updates on a regular basis. That's right, "someone" isn't going to just RECONFIGURE your browser, they're going to REPLACE it! Quarterly!

That concern just doesn't parse. If you don't trust Mozilla to give you working software, why are you running their software in the first place?

There are circumstances and concerns where you might want to limit things like software and preference updates. And both of those are and remain under your control. But the default is to allow updates, for obvious reasons.

On my system authors of software can't push updates to me at all. Instead the software is packaged, there is at least some oversight over what is packaged and plenty of user control over packages.

Yeah, so like the other poster your point reduces to "I trust Fedora to build Mozilla code more than I trust Mozilla to build Mozilla code". Which is nonsensical. At some point you're still trusting "someone" (the scary "someone" from upthread, even!) to give you software, so what's the complaint exactly?

> Yeah, so like the other poster your point reduces to "I trust Fedora to build Mozilla code more than I trust Mozilla to build Mozilla code". Which is nonsensical.

I don’t think it is. That way, you have two authorities checking things over instead of just one.

It's not nonsensical. I trust the distribution maintainers to maintain and update a cohesive system composed of thousands of third-party packages. This is entirely different from trusting those thousands of third-party authors to directly update whatever they want on my system whenever they feel like it.

Edit: I'm not implying anything about the capabilities of this preference-updating system; the subject was software updates and who is trusted to deploy them.

That's hyperbolic. Mozilla can't directly update whatever they want via this system. According to the article they can only "change the default value of a preference" within Firefox.

> trusting those thousands of third-party authors to directly update whatever they want on my system

You have completely misunderstood what Normandy does.

The comment I was replying to was about something much broader than Normandy: "trusting [Mozilla] to build Mozilla code" and "to give you software".

How so? Rolling out changes to default settings in an unannounced, automatic way based on users being automatically enrolled in that preference update program, with difficult to understand opt out settings changes required, sounds _absolutely_ like third party authors able to make unrestricted (and unannounced) modifications to my system.

I cannot understand how anyone could think otherwise of Normandy.

How is that nonsensical? Trusting someone does not imply trusting anybody, and even less everybody.

I trust my mother; it does not mean I trust you, and even less the entire crowd here on HN.

I've stopped using Windows years ago because I didn't trust Microsoft anymore. I'm having minor trust issues with Canonical and Mozilla. I still trust Debian and Arch.

Trust is personal. Hard to get and easy to lose.

Some systems (e.g., Debian, and derived Linux distros) make an exceptional effort not to randomly change user or system settings (via debconf, and governed by Policy).

This has some limits -- it largely applies to systemwide, not user settings, user dotfiles are generally outside of scope (though are also typically unmolested), and some packages, including Firefox, manage to introduce their own configuration management schemas and misbehaviours.

But yes, the general idea that software updates do treat user and local configuration as sacrosanct is well-established, decades-old practice, in at least some parts. And goes a long way to establishing and sustaining user trust in those systems and their update processes.

Mozilla face numerous challenges, including a large multiplatform largely non-expert userbase operating in an overtly hostile environment. The whole browser extension regime is a very unsatisfactory compromise itself. There remain lessons which might be applied from Debian.

Normandy only changes default preference values, not ones changed by users.

When Firefox updates, if there are problems, then I am likely to hear about it (e.g. on hn).

I know when my Firefox updates, so I can expect changes.

My Firefox is vetted by my Linux distribution.

This is the first time I have heard about Normandy, and I certainly would not turn it on, because I prefer my work machine to be a laggard than an early adopter.

You must be a Windows or OSX user, sir.

Not for multiple decades, no. Though I'll admit that given the tone of your response I was assuming you were.

Only the trustee changes, so I still can't parse your concern. You don't trust Mozilla to RECONFIGURE (!) or REPLACE (!!) your software unbidden. You trust Canonical or Red Hat or whoever. And that changes what?

A third-party is less likely to have the first-party's motives, which makes a huge difference. Something blatantly stupid happens, there's a better chance of putting a stop to it before it can cause any harm and maybe even gives a little leverage to get the first-party to revert.

Is it an unacceptably bad idea to allow auto updates as well? Anything potentially problematic here could also be done with a code change, but at least this contains a flag to opt-out.

Modern software (especially browsers) with auto-update = SaaS.

What you experience is a synced remote interface, you don't own your software anymore.

Granted, the secret lies in providing such an excellent and subtle service that the majority of users actually either endorse or not even notice the dependency.

Which means changes should be subtle and consistent.

Vendor controlled auto-update is worse than SaaS. It's effectively a control over your machine. Your entire security depends on a random employee of a random organization you entrusted with this control to not get compromised, not compelled by the government, not made shady deals with other parties to ship a backdoor to you.

But speaking about the issue: why does Mozilla even need so much control over extensions? Seems like they built an infrastructure to be able to disable any installed extension remotely. That's just evil.

> Your entire security depends on a random employee of a random organization you entrusted with this control to not get compromised, not compelled by the government, not made shady deals with other parties to ship a backdoor to you.

As opposed to what? How do you test for all that with manual updates, as an individual or a small organization? Even for a huge organization which reviews most of the updates it installs, critical updates should be applied immediately, to avoid the lag.

Firefox is fully open source. Runs locally and even works offline. How is it SaaS exactly?

The auto-update mechanism exists almost exclusively for the benefit of Windows users. None of the Linux distros use it.

I guess the application changing its behaviour remotely, as is the case with Normandy, can be somewhat reasonably considered SaaS.

Changing a default setting is SaaS?

Changing a default setting _remotely_. That is a huge field of possibilities, from not SaaS-y at all to very SaaS-y.

Like for example you could make it so the script to be run when a browser encounters a pdf file is put directly in the settings. Thus changing that setting changes what the browser does—you can add, remove or change an in-browser pdf viewer that way.

It’s not what Normandy currently does, but it is something it’s at least theoretically capable of. And hitting that extreme would, in my opinion, make it reasonable to start calling it SaaS.

You could do all that with a regular update as well.

No, not with the _regular_ update. Only with the _remote_ update, which is a part of what makes SaaS SaaS.

deno 3 months ago [flagged]

What is a “remote update”? All updates are remote until you download them.

The distinction is between auto-update and user-chosen update. Some users strongly prefer all software running on their owned hardware is incapable of auto-updating in a way that bypasses explicitly requiring the user to choose to update each time.

It may come across as a nasty dark pattern if a user must opt out of auto-updates (which is loosely what Normandy is, if you extend “auto-update” to also mean tacit enrollment in an experiment).

Instead it should be off by default, with a clear and unambiguous description of the functionality on a menu page if a user wants to opt in.

For example, I am a very privacy-focused browser user, relying on many special settings & extensions. Despite frequently reading about browser updates, I had no idea Normandy functioned like this, nor that it was enabled by default, until reading into this current Firefox certificate bug.

Upon learning what Normandy is and that it is opt-out by default with unclear connections to the traditional privacy dropdown menus to disable experiments or usage stat sharing, I feel that Mozilla violated my trust in a profound and deeply upsetting way.

The one that is remotely done for you, without any action on your part.

Typically, a user has to click the installer or use package manager or something to get the update, it’s their decision they make locally. If a setting is in place where this decision can be made somewhere else, it’s now a remote thing, a remote update. Quite useful thing in some cases and one of the things that make SaaS possible in the first place.

Firefox is not SaaS. Is it? If it is, show me where it is disclosed. So we can finally migrate away from it.

There should be exactly zero change to it UNLESS I said so, because I am admin of my machines - not someone from Mozilla, nor Microsoft, nor Apple. Is it that hard to understand?

And stop talking about "owning" anything, you clearly do not understand ownership rights - your idea of it does not apply to whole world AND this is not USA.

I'm too old for these "word plays". It seems like there is a need to pay someone, to not listen to Mozilla and finally strip Firefox of its newly introduced "features".

Nah, it's an experiment/testing system that's configurable in settings. I don't remember whether it's opt-in or opt-out. It's usually used for things like user studies but I guess it is also used for hotfixes.

If it's opt-out I guess it's not "consent"? I recall opting into it, but I can't be sure they didn't change it.

`app.normandy.enabled` has a default setting of `true`, at least on my machine, so yeah, it’s now opt-out.

That pref doesn't matter. If you turn off the visible checkbox in settings, Normandy turns off. This is true for many feature flags. You can try it yourself, I tested it - unchecking the box in settings disabled the hotfix in my user studies tab (all of them were marked as complete).

And you have to go via about:config, which is a no-go for the majority of the users.

You need about:config for that flag, but that flag isn't the only way to turn off Normandy.

You are using a web application named the Hacker News (among others) that always reconfigures and changes without your consent. You probably want to avoid the entire web.

EDIT: In addition, think hard about the update strategy of applications that need to support that moving web.

A simple "I want this feature to be enabled" button in settings (!) is enough. And I mean a setting NOT HIDDEN somewhere behind tons of * in about:config.

I'm using a (Linux) distribution with a pretty nice way to deliver software updates. (At least from my point of view.) There is no need to have a redundant malware entry channel into the system.

I very well do understand the need to support the moving web.

Auto update is something completely different than remote messing with users' settings. I cannot help myself, this reminds me of "windows support" scammers from recent years.

You need to understand the difference between something installed on my computer (run by ME, I pay for my HW, electricity bills and connectivity) and a website (run by someone ELSE, doesn't pay for my HW or electric energy AND forces me to watch ADS for which I PAY for bandwidth).

I have already edited, but to elaborate:

> In addition, think hard about the update strategy of applications that need to support that moving web.

If you want the web and accept that the web is moving and you can't do anything about that, then it should be recognized that the web browser has a hard time catching up. I actually hate most auto update things, but it had been too hard to use any web browser without such facilities. I use Firefox because at least I can see---and have a non-zero probability to alter---what happens to this moving platform.

geofft 3 months ago [flagged]

I take it you don't run any JavaScript or CSS that you haven't audited, either, and you have a download cap on each web request?

Heard of no-script? Heard of application sandboxing? Do you actually understand WHY we run web via HTML, JS and CSS and not as actual compiled applications randomly downloaded from internet? Seems like you do not. Do not ask manipulative c* until you make sure you REALLY know what you are talking about.

> Heard of no-script?

Yes. I have friends that use it. They rarely run it on the entire web; they use it by default on unknown sites but they allow sites they use regularly to run unaudited JS so they can get things done. (The whole point of using NoScript instead of the config option to disable JavaScript is so that you can run some scripts.) This seems equivalent to not running random applications but letting trusted vendors ship you automatic updates.

> Heard of application sandboxing?

Yes. I even briefly worked on it in grad school before I left to join a company that was selling sandboxing for corporate desktops. But you were worried about "HW, electricity bills and connectivity," none of which application sandboxing helps: sandboxing helps which APIs you call but not how much resources you use, and application-level controls don't affect what an individual website uses. Regular ulimit-style limits work for limiting CPU usage. That was why I asked whether you have resource limits on requests from individual websites.

> Do you actually understand WHY we run web via HTML, JS and CSS and not as actual compiled applications randomly downloaded from internet?

I do—but again, that's about the API surface available to applications, not about the CPU or bandwidth resources available to applications, which is what you said you care about.

I am 100% sure of what I'm talking about. That's why I'm asking whether you are. I'm not being manipulative, just trying to figure out if you have a coherent threat model or not.

I'd love Mozilla to implement resource limits, yes that would be excellent. I tried to implement something similar to ulimit, I even did complete disabling of tabs (using SIGSTOP, that didn't work nicely as you might have guessed).

"HW and electricity bills" are just examples, to tell you they're messing with someone else's stuff. Is it OK for someone from SAMSUNG to come to your kitchen and mess with TV settings? Or from IKEA to take your sheets and maybe give you something completely else? Also the clerk would have keys, because using security cams they took a picture of your keys while you were shopping and made "backups for you". If you wondered what happened, they would calmly tell you that it was OPT-OUT and you agreed to it by entering the shop. For me this is equivalently illegal.

> This seems equivalent to not running random applications but letting trusted vendors ship you automatic updates.

That would be equivalent only if you were running applications from trusted vendors each in a sandboxed VM that can't access anything on your system and only provide narrow functionality, not platform-like stuff.

I absolutely hate this because it is so tone deaf.

What is the point of people like me using Firefox Nightly? Do your tests on me. Don't do stupid shit with people who choose Firefox Stable. Who came up with this idea anyway?

Unfortunately the population of Nightly users is too small to get relevant data in many cases.

That would seem to be a market signal indicating people generally don’t want to be experimented on by Mozilla.

How is a lack of data for Mozilla my problem? Why does it mean that they can inject default preference changes?

> How is a lack of data for Mozilla my problem? Why does it mean that can inject default preference changes?

It would mean they can't roll out things like hardware acceleration or Stylo or Webrender as quickly despite their numerous manifest benefits.

I don’t understand. If users valued those things more than having the browser be a stand-alone piece of software after it is installed, then users would opt in to testing.

By not opting in, users would indicate that experiment-avoidance is a feature that gives them more value than the fast rollout of those other features.

Would you prefer stable only getting crucial security updates and never release updates to speed things up? Eventually Nightly would be completely different from stable, especially with the switch to Rust. So then Mozilla would have to maintain 2 completely different versions of FF - that's a lot more work!

A better middle-ground is to let things get tested by those who opt-in to it (using Nightly and Beta versions), and slowly trickle changes down. That way none of the published versions are so different that Mozilla needs more staff to handle the different versions. And of course, stable users have far fewer issues than nightly/beta users. Certificate expirations throw a wrench in the whole system, but even if you made FF stable never update, you'd still have a problem because the cert expired.

GP said

» It would mean they can't roll out things like hardware acceleration or Stylo or Webrender as quickly despite their numerous manifest benefits.

You said:

» Eventually Nightly would be completely different from stable, especially with the switch to Rust. So then Mozilla would have to maintain 2 completely different versions of FF - that's a lot more work!

As unofficially mandated by the new owners of the Internet - the Google Chrome team - the time between two "major" versions of Firefox is six (to eight) weeks. Yes, we can wait six to eight weeks for new features or twelve to eighteen weeks from trunk to stable (x2 of six to eight).

What we should do is encourage a wider swath of the population to adopt Firefox developer edition and Firefox nightly.

» A better middle-ground is to let things get tested by those who opt-in to it (using Nightly and Beta versions), and slowly trickle changes down. That way none of the published versions are so different that Mozilla needs more staff to handle the different versions.

Thank you. This is exactly what I want. I am not saying things should never change. I'm just saying don't experiment in stable. We are already hemorrhaging market share as is and this nonsense doesn't help.

Not to mention there was an almost identical scandal surrounding "studies", then they rename the covert replacement (which is NOT affected by anything in the GUI settings menu, is enabled by default, and is used to run studies on users) "normandy", you know the famously covert all out assault on the French coast.

Mozilla seems to be culturally broken these days, and learned absolutely nothing from the previous studies crap.

This wasn't a new bug in an experimental feature. It was a timebomb (accidental) that's been in the codebase a long time.

I had never heard of this Normandy nonsense. I have certainly never willingly enabled it. Yet according to my preferences, it's enabled. And apparently it's a feature that lets Mozilla remotely mess with my preferences. What the actual fuck? When did Firefox go from being a privacy-conscious browser to being this pile of nonsense? I'm not amused.

Most large software projects have something like this. The typical use case is rolling out a feature gradually, to limit the number of users impacted if a new feature has problems: first you include the feature in a release, but disabled by default; then you turn it on for a small percentage of users. If instrumentation from those users reports crashes, you abort; otherwise, you enable it for everyone else.

An important detail is that it only changes the default preferences. It will not change anything that you have changed yourself.

Dear Mozilla, Please, please, please stop the automagical updates. Is it really so hard to prompt your users if they'd like to allow a temporary fix/feature to be installed? You use webcompat to push quick fixes for specific sites (hidden) you use Normandy to push future features/fixes (hidden), when your users check their version number via the help/about option you automatically d/l and update the next version(!!??). Why is it so hard to ask if this is something that your users want to do???

> Is it really so hard to prompt your users if they'd like to allow a temporary fix/feature to be installed?

People might say no, and that would likely very much anger a PM somewhere.

It's okay to change certain settings if they don't touch privacy, e.g. testing WebRender on some subset of users. But it shouldn't touch privacy-related settings. They should separate the settings into privacy-sensitive and non-privacy-sensitive and only be able to remotely change the latter ones.

Technically, this is just a lightweight way to package up minor settings changes as an alternative to pushing a normal update to do the same. Both are perfectly normal and I think today's situation totally justifies using this to fix this. They do offer a way to turn this off just like you can opt out of security updates if you insist. For the vast majority of users, automated updates are a good thing.

It's kind of cool that this worked without a browser restart. My extensions just reappeared while I was watching some Netflix.

My computer at one point used to lock up and have to be forcibly rebooted whenever something tried to use OpenGL, which was fine since I didn't use any OpenGL applications.

If Mozilla started playing around with the rendering preferences, perhaps enabling OpenGL hardware acceleration, that would definitely not have been OK. I don't need my browser deciding to suddenly surprise me by crashing my system.

With a changing of the guard, the honor system can handily disappear. We saw this transpire with the burying of the JavaScript toggle. A new guy showed up, and decided that disabling JavaScript was “an advanced feature” and just too dangerous for ordinary folk. [1, 2]

Of course it begins with good intentions, and promises to leave explicit privacy options alone, but new devs show up with different opinion and the old devs are gone, and suddenly privacy options are getting toggled any old time.

Beyond even that, we all know that the realities of privacy are never ever cut and dry. Leaky details can expose people in peculiar ways. Fingerprinting preferences and hardware facts for forensic purposes has taught us that much. Viewport size, OS, connection speed, graphics capabilities, hardware acceleration profiles. Even stylometry, choice of words, manner of speech can give people away. In that sense, exposing any user choices might prove to compromise identity to some degree.

1. https://bugzilla.mozilla.org/show_bug.cgi?id=873709

2. https://limi.net/checkboxes-that-kill/ (seriously breathless persuasive writing about how urgent it is to hide the toggle for javascript, among other things, but make no mistake, the high value target was the javascript checkbox)

So I have Normandy turned on and 'install and run studies' turned on and STILL my extensions have been disabled just now, hours after Mozilla pushed the temporary fix through Normandy which I presumably haven't got, despite having it turned on. Latest Firefox on Windows 10.

I launched Firefox about 10 minutes ago and saw no change. I looked up at the window again a minute or so ago and saw that my addons were back. I'm guessing there's a timer for it to check for new studies?

I had Normandy enabled, but Studies disabled. Same version and OS. A couple minutes after I enabled studies, my add-ons came back online. Maybe try a toggle/pause/toggle?

Indeed. Toggling app.normandy.firstrun from its usual false forces a check upon next browser restart and the addons are back.

Changing default settings when upgrading the version of a software can be useful sometimes (especially if the new default value is a value that was not possible before), although you should be allowed to force a setting to have a specific value even if that value is the same as the old default value, and be able to require a list of changes to be mentioned so that you can individually enable and disable them before installing the new version of the software.

"Pref Rollout is a feature that allows Mozilla to change the default value of a preference for a targeted set of users, without deploying an update to Firefox."

Maybe if we put this in terms of user stories...

As a user, I don't want to be "targeted".

As the person deploying updates, I don't want the deployment updating without an update having been deployed.

An example of "targeting" in this context is "windows user with an Nvidia graphics card". For example, enabling WebRender (the new rendering engine) for those users once it is determined to be sufficiently stable.

That sounds like a new version of the software and should be deployed as a new version, with release notes noting that WebRender is now enabled for Nvidia users, so that users are prepared for the change.

The point is to gather information on whether it's ready for a full scale rollout. The Firefox developers might know that it might be ready, but the sheer number of software and hardware combinations out there might reveal unknown issues. So instead of rolling it out to 100% of targeted users, you roll it out to 1% of targeted users, and measure regressions to your metrics amongst that group.

I'm one of those users who had data collection (including studies) disabled. Changing `app.normandy.run_interval_seconds` to 60 (via about:config) didn't work until I restarted Firefox AND enabled data collection including studies (via Preferences).

Then all my plugins came back, and I disabled data collection once again.

Does the fix reach Tor Browser as well? Is Normandy available in Tor Browser?

Seems like Tor Browser is unaffected.

I didn't realise Firefox came with that sort of backdoor.

Browser updates can also change default preferences, and change a lot of other things too. How is this a backdoor any more than auto-updating of the browser is a backdoor? The one issue I can think of is that if you turn off browser auto-updates, this should probably be turned off too.

It's one step closer and more direct control, which is why this is now being used to deliver the quick fix.

The downside is that the process of updating the software becomes a bit fragmented, which is probably confusing users now.

I don't understand the criticisms in this thread. Why would anyone trust Mozilla's code but not their preferences configurations?

Trust isn't a single static Boolean value. It depends on the situation, reputation, and many other factors. Trust is continuously re-evaluated; just because someone's coding ability was trusted in the past does not imply that their current or future actions will also be trusted.

However, the current problem people are criticizing is not about Mozilla's choices for default preferences. The specific changes they ship with the browser or update with Normandy are not (currently) particularly interesting. The problem is that a new way to remotely control the browser was added unannounced that bypassed existing update methods.

If you want to change other people's property, you get permission first. If someone doesn't want to give you permission and you change their property anyway, we usually call that something like "trespassing", "vandalism". It doesn't matter if you think it's an important change or if you don't understand (or even know) their reason for not granting permission; their computer is their property, and they don't have to justify why they want to use it in any particular way.

Yes, technically code and preferences are both the exact same thing: code. Preferences are declarative code, but so are Webpack configs and Rails apps and UI schemas and all kinds of things.

Firefox has done so much lately to hurt its image, that I wonder if Google has double agents working inside Mozilla to sabotage Firefox.

about:config > app.normandy.enabled > false

One thing that’s still unclear to me is whether you must disable this entry of about:config even if you go through the traditional privacy & settings drop down menus and disable the Firefox studies and usage stats options.

If the _only_ way to prevent having a remote entity modify your settings unannounced (even if not for malicious purposes) is to enter about:config and change app.normandy.enable to false, that seems like a situation where the absolute best case, most charitable interpretation is to call it an incredibly deceptive dark pattern from Mozilla.

This. After extensive reading about studies and Normandy here and elsewhere, I’m unable to find a straight answer about this. Does anyone know?

Studies and Normandy are different things, the former often using the latter. Only 'studies' has a checkbox in about:preferences, 'Normandy' is hidden in about:config.
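Added example (not part of any comment in this thread, and not Mozilla code): a small audit that reads a profile's `prefs.js` and reports the Normandy and Studies prefs discussed above, so you can see what your profile actually records after changing the checkbox or about:config. The fallback defaults in `WATCHED`, the pref `app.shield.optoutstudies.enabled` (not named in the thread) and the sample file contents are assumptions constructed for illustration.

```python
import json
import re

# Prefs to report. prefs.js stores only values that differ from the built-in
# default, so a missing entry falls back to the value here. These fallbacks
# are ASSUMED release defaults (6 h interval as reported in the thread).
WATCHED = {
    "app.normandy.enabled": True,
    "app.normandy.run_interval_seconds": 21600,
    "app.shield.optoutstudies.enabled": True,
}

PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Return {name: value} for every user_pref(...) line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments and blank lines
        name, raw = m.groups()
        try:
            prefs[name] = json.loads(raw)  # true/false, integers, "strings"
        except ValueError:
            prefs[name] = raw  # keep anything unusual verbatim
    return prefs

def audit(text):
    """Map each watched pref to (effective value, where it came from)."""
    user = parse_prefs(text)
    return {
        name: (user[name], "set in prefs.js") if name in user
        else (assumed, "assumed default")
        for name, assumed in WATCHED.items()
    }

def findings(report):
    out = []
    if report["app.normandy.enabled"][0] is True:
        out.append("Normandy is enabled")
    if report["app.shield.optoutstudies.enabled"][0] is False:
        out.append("Studies checkbox is off")
    hours = report["app.normandy.run_interval_seconds"][0] / 3600
    out.append(f"Normandy check interval: {hours:g} h")
    return out

# Constructed sample: Studies unchecked, a 24 h interval, Normandy untouched.
SAMPLE = '''// Mozilla User Preferences
user_pref("app.normandy.run_interval_seconds", 86400);
user_pref("app.shield.optoutstudies.enabled", false);
user_pref("browser.startup.homepage", "about:blank");
'''

if __name__ == "__main__":
    print("\n".join(findings(audit(SAMPLE))))
```

To check a real profile, pass the contents of the `prefs.js` file from your Firefox profile directory to `audit()` instead of `SAMPLE`.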

Oh, I get it now. "Look how fast we could fix an issue with our Normandy preference rollout feature!" Best keep Normandy activated at all times, eh?

Isn't this an abuse of the system, breaking the contract about what kind of changes will be pushed on users without their knowledge?

I don't know. Ironically, I had Normandy enabled (without my knowledge) and that "hotfix" they supposedly rolled out didn't reach my own client. So, whatever that feature is for - it doesn't even work. Apparently you also need to have "studies" enabled as well. It didn't work either. So, I'm waiting for an official updated release. If they don't fix this soon - I'm done with Firefox and Mozilla.

The client checks periodically, they can't really "push" out that change immediately to everyone.

I'm willing/trying to pull the fix manually, but that doesn't work either.

Why not just update their SSL certificate?

Because it's not an SSL certificate.

I switched to Vivaldi today.
