June 22, 2011, 7:06 AM — Unnoticed in the Tuesday release of Firefox 5 was Mozilla's decision to retire Firefox 4, the browser it shipped just three months ago.
As part of Tuesday's Firefox 5 release , Mozilla spelled out vulnerabilities it had patched in that edition and in 2010's Firefox 3.6, but it made no mention of any bugs fixed in Firefox 4.
That's because Firefox 4 has reached what Mozilla calls EOL, for "end of life," for vulnerability patches.
Although the move may have caught users by surprise, the decision to stop supporting Firefox 4 with security updates has been discussed by Mozilla's developers and managers for weeks.
A mozilla.dev.planning mailing list thread that started May 17 evolved into a back-and-forth about the rapid-release schedule and its impact on Firefox 4.
Christian Legnitto, the Firefox release manager, put it most succinctly in a May 25 message. "Firefox 5 will be the security update for Firefox 4," Legnitto said.
As Mozilla had said earlier, that means Firefox 4.0.1 -- shipped in late April to fix eight flaws -- was the one and only security update for Firefox 4.
Mozilla is essentially taking another page from Google Chrome's playbook. Google only outlines the patches it has applied to the current "stable" build, the most polished form of Chrome that is analogous to Mozilla's final releases. Google does not patch the flaws in earlier editions, primarily because it automatically updates the browser in the background, ensuing that virtually all users are running the most secure version.
Mozilla doesn't yet conduct automatic updates, but it has changed how upgrades to a new version are offered to Firefox users.
"[For earlier major upgrades] we popped up a window asking people to opt in (major update offer)," said Legnitto in another message on the same thread. "For 4.0.1, users will need to opt out (minor update offer, like point/security releases)."
Mozilla expects the opt-out approach will get more users onto the newest edition faster.