When Mozilla released Firefox 220.127.116.11 last Monday, the release notes made it out to be a relatively minor update correcting, as usual, a small number of security issues. As it turned out, however, the release contained a nasty surprise for developers whose sites relied on
A bug report was quickly filed, and helpless developers began reporting in. “Customers are complaining because their Firefox automatically updated to 18.104.22.168 and now they can no longer order photo prints in our shop,” wrote Klaus Reimer, highlighting just how serious a bug like this can be in the real world.
Mozilla developers mobilized quickly, and were able to produce a fixed version of the browser just 16 hours after the original bug report. The release team then took over to push Firefox 22.214.171.124 out the door in record time. “It’ll be the fastest turnaround between Firefox releases to date,” wrote Firefox developer Nick Thomas ahead of the new version.
With Firefox 126.96.36.199 now generally available, Mozilla is reviewing the circumstances under which this bug was allowed to make it into a public release. Automated regression tests have been put in place to prevent this particular bug from reappearing, of course, but other steps are being taken too. Mozilla developer Marcia Knous responded to requests for web developers to receive early notification of upcoming product releases by announcing a new Betatesters mailing list for developers interested in testing new Firefox and Thunderbird releases before they go live.
Summing up the episode, Jonathan Flack, Tools Architect for Feature Film VFX at GMP Worldwide, posted his thoughts:
“[...] in our book the response to this was absolutely stellar. As developers ourselves we recognize that from time to time you are bound to introduce bugs like this. Anyone who claims that their company is procedurally immune from this kind of thing is completely delusional.
“This, in our book, is a bright example of why open source development of this sort is working. I could never have imagined a closed source vendor responding to a critical fix with an actual release in +/- 48 hours.”