Why Do Companies Need Time to Deploy Browsers?

To be clear, I mean browsers that have some level of change to them BESIDES JUST SECURITY FIXES. When it comes to security fixes, I've seen companies deploy those changes immediately.

Throughout the discussion on my previous post, the focus has been on web applications and web compatibility. I thought I'd take some time to bring up all the other issues that go around deploying browsers in an organization.

There was a statement in John Walicki's comment that was missed by most:

Education programs, documentation updates, communications all are planned.

While these changes were between Firefox 3.6 and Firefox 4 which contained major visual updates, there is no promise that these "minor updates" won't include these kind of changes as well. And these changes require all of the internal documentation to be updated as well.

IBM has hundreds of support documents, including walk throughs, screen captures, webcasts, etc. that all reference the user interface of the browser. Every single one of these had to be redone for Firefox 4 (and probably done twice because Mac and Windows Firefox are so different now). And with the new release process, changes like these could happen with as little as 7 weeks to remedy the situation.

There's also the issue of training. As I said in my last post, many companies that use these browsers are NOT technology companies. So the assumption that users will figure out how to use the browser when it changes are simply wrong. When people see things they haven't seen before, or things don't work like they did before, they call support.

Repacking for deployment takes time as well. Most companies would not want an outside entity like Mozilla to deploy software to their machines. So they have to package and certify the application. A lot of changes are also staged, so just because the browser was released on a certain date doesn't mean it will make it down to the user's machine immediately.

There are probably lots of other issues that companies run into in trying to deploy software every six weeks. I'll leave that to other folks to talk about in the comments.

Please note: I reserve the right to delete comments that are offensive or off-topic.

Leave a Reply

Your email address will not be published. Required fields are marked *

25 thoughts on “Why Do Companies Need Time to Deploy Browsers?

  1. This process doesn't make sense anymore. The whole concept has to change because while we complain about browser upgrades coming too often, the criminals are even faster.

    So many companies were hacked because some employee was goofed into running exploits.

    • Pure security updates can easily be deployed within two days. Been there, done that. That's a lot faster than most antivirus vendors manage to update their signatures. Yes, really, personally experienced this month: after one week still 50% of virustotal didn't detect it. And it was not even totally new, just a different variant.

      Not everything in big corporations is slow.

      The problem arises from feature updates, that can break things, or from versions, that come with a changed UI. I even don't want to have this on my home PC without prior testing in a virtual machine and waiting e.g. for some addon-update, or until google can tell me how to reconfigure a feature that I don't like.

    • Security updates don't introduce new features or UI changes - so breaking something is very unlikely and users don't need to learn anything new. For corporate environments that's indeed a big difference.

    • They can, but a) they're generally smaller risk, b) they don't change UI, and c) they're perceived as being more important.

      Don't underestimate the importance of perception. From all I can tell, FF5 isn't actually all that different from 4, and the risk in upgrading is probably negligible. But because it's a major version change, it looks like a bigger deal - it's hard to explain to management that it's closer to a 4.1 or 4.0.2 release. Because if it's that small a change, they wouldn't have changed the version, right?

      • Affirmative -- FF5 isn't the problem. There are, however, two problems:

        1. Discontinuing 4.0 patches without prior warning (with at least one actively exploited 4.0 vulnerability, and others affecting 3.x).
        2. Publicly announcing a disregard for enterprise needs.

        Neither action was necessary. I actually agree with Asa's development decision, but his marketing decision was irresponsible and harmful. Very many users will now be trapped with an inferior browser, and I suspect that Firefox will suffer loss in spite of the advantages of the new development model -- Microsoft already has paid flacks pushing Asa's quotes in people's faces (my coworker, who did the actual work to package FF4 for our enterprise, just showed me one).
        FF's development model is robust enough to support an enterprise team, and Asa could have reached out to RedHat, Debian, and Ubuntu to form a separate team to handle their enterprise needs. I strongly suspect that Debian IceWeasel (or maybe GNU IceCat) will become that type of browser; although technically it'll be a fork, I think that the structure of Firefox's development process is robust enough to make it much more like a parallel development thread with mutual cooperation.

  2. "So the assumption that users will figure out how to use the browser when it changes are simply wrong."

    You are sorely under-estimating peoples abilities when you say that someone who relies on a computer for their daily work can not figure out the changes to a web browser's interface. Almost every computer in the world comes pre-packaged with a web browser and that web browser gets regularly updated when the OS gets updated. This is nothing new. It's just at an accelerated pace.

    • Never worked in tech support, have we? At a non-tech company with a traditional workforce, you'll never go far wrong under-estimating people's abilities as much as you can... it leads to significantly faster resolutions.

      You're also bizarrely off the mark when it comes to regular updates. For most people, in their personal experiences, there are no such things. Look up some security statistics sometime for an eye-opener on what people are still running. It's better than it was, but it's certainly not "regular" yet.

    • My grandmother has been using a computer for almost ten years now - and she still has issues with the caps lock key breaking everything. You shouldn't treat your users as idiots, but don't overestimate their skills either.

  3. I have worked in large, multi billion companies that are not technologies related. And i cant remember a single instance that something in our companies required a browser for a function / job to carried out.

    Even though in recent times there are changes where email and other specific function would need a browsers. There has never been a need more then Back button.

    I have only seen people had problems with new browsers when they use it to actually BROWSE or surf the internet. ( And most of the time you aren't suppose to surf the internet in office :P)

  4. Mike, how about taking a stroll back through Mozilla's history and counting the number of times Mozilla's "broken the web" (intentionally and not) with security updates, and then with full releases. I'd wager that if it's compatibility that's the concern, you ought to be just as worried about security updates as feature updates. If compatibility is critical, then if you're doing your job, you're testing and certifying with every 6 weeks security update Mozilla's had over the last 10 years.

    As for user training, that's not really as necessary when the browser evolves incrementally. It's the big changes when you jump from something that's three or five years ago to the present that is hardest on users, not the slow and steady refinement and polish that delivers the same kinds of change but over a continuous and smooth process.

    As for deployment, I can't think of an answer other than, "enterprises need to be testing the Beta and running the previous final continuously." Set up an update server, put 5% of your users on the Beta and everyone else on the previous release. Every six weeks you move both groups forward. When your Beta testers find something not working, you file a bug with Mozilla and it gets fixed or you patch locally.

    Basically, enterprises need to get more agile. They need to devote all that test/certify/train every three to ten years energy to continuous testing and roll-out system. It's not more work or more money, it's just a different schedule of work.

    Some will do this and they will have an agility and nimble footing that gives them an advantage over their competitors. Others will stick to the "delay change as long as possible and know that Microsoft gives us 10 years to do nothing between updates" mentality and they will be at higher risk, less agile, using less capable apps, and more likely to be passed up by their competitors.

    The Web platform is going to move forward at an increasingly swift pace, whether enterprises like it or not. There's no stopping that. The Web is much bigger than the enterprise. It is a large and important piece of how we all live and it won't be held hostage to the slow-moving dinosaurs of the past. The companies that learn to leverage Web standards and an incremental approach to staying modern will inherit the Earth.

    • Asa - then give us enterprises that want to be agile the opportunity. Give us a Firefox MSI (with options) so that we can deploy it quickly and with agility, rather than either hack something together ourselves, or use someone else's hack.

      Give us Group Policy templates so we can manage changes that need to be made nimbly and with agility.

      • Exactly...And Enterprises are heavy lifter...If they get benefit from it ...they will contribute it back...one way or other...may be internal addon builder filing interesting issue or company like IBM devote full time employee to work for FF....

      • Why demand a non-profit provide something for you? Why shouldn't the businesses that want it collude and contribute it?

        Thats the most galling thing about this whole discussion. Mega corps that make millions demanding volunteers and non-profit orgs do what they want.

    • With all due respect, Asa, it is evident that you do not understand businesses.

      The purpose of any business is to make money.

      Let me say that, again.

      The purpose of any business is to make money.

      In the vast majority of businesses, IT departments support the rest of the business. IT departments are classified as indirect meaning they do not directly make money for the business. The support that IT departments provide is to enable others in the business to their jobs more efficiently and more repeatably. IT departments enable others to gather and analyze data/information about the business that is then used to run the business better not to mention meeting pertinent legal requirements.

      Businesses also want stability and certainty not only in their sales, but they want it internally, too. Stability and certainty means no unpleasant surprises and no unexpected costs. Introducing new software every 6 weeks does not engender “stability and certainly”.

      Does that mean that businesses cannot handle “change and uncertainty”? No. In fact, those businesses that can adapt to changes in the marketplace are often the most successful. However, that does not mean they are fine with a supplier who purposefully introduces changes such as Mozilla is now doing with Firefox especially when those changes mean limited resources must engage in testing while taking time away from other responsibilities the lack of "major" changes to Firefox not withstanding.

      With that being said, it is pretty arrogant to sit as the keyboard and basically diss businesses as being “behind the times”. Few businesses will not adopt the “latest and greatest” software just because. Why? Because few of them can ill afford, first, the added cost to do so—think training and updating of systems for the new software in addition to any purchase costs—and, second, the downtime and/or loss of productivity during the transition from old to new IF any gains from that change are small.

      Businesses will only introduce new software—or make any change for that matter—when the cost/benefit ratio justifies making the change. Think of the cost of the change being much lower than the increased productivity and/or additional money that can be made by implementing the change.

      It is also not a matter of the IT departments being more efficient. The do not exist just to test new software. They must maintain the networks, servers and individual systems throughout their businesses.

      Let’s be honest here. Most individuals will be more likely to use the browser that they use the most. If their employers use IE, they will be more likely to use IE at home simply because they are familiar with IE.

      In conclusion, dismissing corporate customers and their concerns with new software is a serious oversight with the potential for significant long-term negative ramifications for Mozilla and Firefox. If you, Asa, cannot grasp the importance of corporate customers, perhaps you should resign from your position as Product Manager for Desktop Firefox.

    • >> Some will do this and they will have an agility and nimble footing that gives them an advantage over their competitors.

      Imagine that, in the middle of a battle, a general decides to upgrade the software on all the computers in his division. Just because they are, you know, enthusiastic about web technologies. Good idea, right?

      Businesses have other things to do than testing experimental features in browsers. Do you think Safeway or Shell (for example) would get any measurable increase in profit if they would madly update their hundreds of thousands of computers to the latest version of any apps out there? Even if this could breaks their line-of-business apps even for a brief time? (which could means millions of $ lost per hour). Probably not. Instead, their profit will tank as they will be now busy (on a weekly basis) with internal customer support and broken LOB apps instead of focusing on their business. And, yes, they might have bugs in those apps that they migth not even be aware of.

      >>> Others will stick to the “delay change as long as possible and know that Microsoft gives us 10 years to do nothing between updates” mentality and they will be at higher risk, less agile, using less capable apps, and more likely to be passed up by their competitors.

      Actually, those will the ones who would probably win. Agility in business has nothing to do with irrationally jumping to every beta product out there. For this, there are already beta users that do that on their free time.

      It's a bit sad that Firefox guys have essentially gave up opening the web for businesses around the world. With this move, they have ensured that Firefox will *not* be anymore a preferred browser in a business. Which, BTW, probably goes directly against the stated goal of Mozilla Foundation to make the web more open for everyone...

    • Deploying on older systems requires new library dependencies all the time and can be a real pain to get it to work, really ! If at least there was still a static build, it could be a lot easier. FF4 and FF5 are unusable on my laptop, it is possible that it's due to the libs I had to install to let them start, but it can also be the browser. Still, since old versions such as 1.5 were running correctly with native libs, I experience the forced upgrade as a real pain and a breakage for my use. I was forced to keep older versions to start them by hand in order to be able to use the web, that's really not an acceptable situation for an end user.

  5. Here's my suggested fix: if Mozilla won't do an LTS, some other community-minded open source group can. They might even be able to make a buck in the process (hint, hint).

  6. "The Web platform is going to move forward at an increasingly swift pace, whether enterprises like it or not."

    Actually, I don't think that's true. The web platform has been evolving rapidly for the past 6 years because it was *so* far behind other platforms and hadn't yet implemented what was simple, possible and sensible. This will continue for another 2-3 years because there's still a bit of basic ground to cover. But once JS engines have become fast enough and include enough good interface abstractions to hardware, evolution of the web platform will slow down because javascript modules (such as jsmad, pdf.js and especially jslinux and emscripten) will have the power to do what they need to do without waiting for the browser makers to do it for them.

  7. As I understand it, Mozilla is panicked because Firefox is losing share to Google's Chrome, in particular. So the answer to that particular problem is...to imitate Chrome's release schedule and strategy?

    If people want Chrome's release schedule and strategy, then there's a great solution for that: Chrome. Google is a big Web corporation, and to the extent anybody can make that sort of release schedule work it's Google, not Mozilla. To use an analogy, if your choice is between the Republican and the Democrat acting like a Republican, why would you pick the Democrat? If you're not different, then people are just going to choose the best in that category.

    Shouldn't Mozilla be trying to find more ways (not fewer) to *distinguish* itself in an increasingly crowded browser marketplace? One of the big ways Firefox has distinguished itself is as the stable (in its full meaning) and secure browser, across all platforms. Now it's trying to be a bad imitation of Chrome, which inevitably means it's going to be less stable and less secure. (Does anybody think that Firefox's marketshare is going to be improved if IBM announces that the company is ditching Firefox because they cannot rely on its stability or security any more?)

    I don't know who came up with the idea that corporations and individuals are so different. What corporations want ("it just works") is the same thing my grandmother would want. I wouldn't want my grandmother calling me because she updated her browser to Firefox 23 (because the "screen said so") and she can't find the back button any more because it jumped from the left side to the right side, or it has a blue triangle instead of a black arrow. I would want my grandmother calling me only for other reasons, like she found a recipe on the Web that she wants to try the next time I visit.

    Google is weird. Google also manufactures its own servers. Do you think Ford wants to? Or that most individuals want to build their own PCs? Google has more money to throw at its browser than even Microsoft. Does anybody seriously think imitating the expensive part (insane release schedule) of Google's browser is going to result in anything but misery for both individuals and corporations? And why do you think Google has that sort of release schedule? Maybe because Chrome is the newest browser and needed it?

    Well, no thanks. I'm getting off that ride. I switched to Safari yesterday. I have better things to do with my time, and Safari "just works." And (shock, horror!) they're only at Version 5.05. :-)

  8. Those large enterprise are also dependent on what the suppliers of the various CRM, ERP and other software packages typically used by large enterprises will support in the way of browsers. If a new version of Firefox isn't on the list then they know that it's potentially going to cause problems when trying to get support from say SAP, or Oracle because the suppliers also haven't tested that version.

    This rapid release policy is going to have a big knock on effect. Sure, companies can fallback on a second browser for those mission critical apps but at certain point in time they will question the value of a two or multiple browser policy.

  9. My company supplies an SaaS application to large corporations, many of our customers are Global 2000 companies.

    To solve our web application browser problems we've spent the last 4 years promoting Firefox, with some success as IEbrowser stats have plummeted from 95% to 60%. As I write, less than 50% of Firefox users have migrated to V4, let alone V5.

    These companies need to get some reasonable support visibility before they will deploy something to 1000's of users.

    Could Mozilla follow the tracks of Ubuntu, and commit for long-term support for some versions ? I do not see any of these large sophs deploying any browser if security fixes are not going to be available for at least 2-3 years.

  10. It's not just businesses. Linux distros in particular take a little time to tweak Firefox (or rebrand it in Debian's case) when a new version comes out. If this keeps going, some of them might just drop Firefox entirely and use Chrome or Chromium. Is that really what you want users to be doing?

  11. Ok, I admit my previous comment probably was harsh.

    What I my concerns and notes what went wrong (in my opinion):
    1) Enterprise clients - as a lot of people mentioned it before me, the enterprise clients need time to migrate. Yes it's there problem - they have to test, their application and I don't mean only web applications but addons/plugins. About the standards a little bit later i'll give my thoughts.
    The enterprise and developers that produce programs for the business need road-map, they need to know in advanced what new feature they can use and which features are gone be droped. Yes, this is hell of a job to produce a road-map and to follow it.
    2)End User - as my self - they don't care when will be the new release (major/minor/etc). They just need that the web sites that their using are working. And not to forget that many banks provide online banking - some of them rely only on https and the combination of username/password, _but_ also there are banks/gov/etc that provide to their users more security when they communicate via web application. They provide usb dongles with certificates/codes and so on - the one of the best feature of FF for years is the add-ons/plugins - and how easy is to implement them. As I mentioned in 1) - this add-ons/plugins are developed by company and the company needs to have roadmap of the API and what will change and when it will chagne, so that they can make new version.

    Many people in the other two articles said - write the web applications using the standards. :) Standards, RFC, and so on ... there are millions of devices/software/application that are supposed to work by given standard, _but_ every vendor that produce some device/software has "personal" view of it. I am in the Telco business and believe me when I say: I've seen the biggest and smallest company in the world to produce software/products with bugs/undocumented feature/etc that came from wrong interpretation of the standard - and I'm the guy that have to found solution for their madness.

    So After trying to explain my view and critics, let's give some advice:
    1) Create roadmap for the releases that will have _BIG_ changes in the API/SDK, what feature will be dropped and when.
    2) Suggestion for the releases and all the big/small changes that are included: DIVIDE them in two:
    -The first one let's call it "USER/Elite" version - don't use beta or unstable (it can scare lots of users). In this release add all the new features that you want - by doing this the developers can test their software/application and most importantly the users that want the newest and the best of the web can have it. By this you can polish the FF from bugs and security problems that comes with new _big_ feature.
    -And second release that has major update once in a year. This updates can/must/could include the features that are already polished from the first release. The name of this release can be STABLE/Enterprise or even Long Term.

    The security updates are must - as fast as possible for the both.

    By doing this you'll have the perfect platform with happy users that have the best and happy enterprise customers that can rely on you for stable releases - so that they can have the best enterprise browser.

    Regards

  12. I work for a Fortune 500 company in the United States. There were visual breakages in our internal web applications from Firefox 3.5 to Firefox 3.6. There is a cost to discovering all of the potential minor breakages in all of our internal applications and having to fix them.

    How about the other massive concern:

    We have absolutely zero impetus to upgrade. We're not unhappy with Firefox 3.6. There are no features in FF 4, 5, 6, 7, etc that we want. We are only using Firefox 3.6 because Firefox 3.5 and 3.0, and 2.0 all went End of Life.

    We are running applications in our production Intranet that were written over 5 years ago. They were written to work with a browser that was old then.

    Every time the bulk of the users in our organization are faced with a browser upgrade, there is a massive cost to the company to go through every internal application and ensure that all of them will have the proper look and feel for their CSS rendering, their Javascript engines, etc.

    As a Corporation, we want complete control over the browsers. We NEVER EVER EVER want new features bundled with a security update. Maybe I could repeat that a few more times. Security updates are required to be installed within 30 days to meet external requirements (PCI). These Security updates must NEVER contain new features. They must be as automated as possible, and as low risk as possible.

    Sometimes, when the browser goes end of life for security updates, we are forced to move to a new browser. As has been repeated before, this costs us money. It would probably be cheaper to pay someone to back port security fixes into old software than to go through and re-certify every corporate web based application on a new browser.

    Now we see that Firefox 4 is already end of life! I am so glad that we didn't start down the path of trying to test Firefox 4. That would have been like flushing money down the toilet. This is the exact problem. Trying to certify a moving target is not going to happen.

    If you're not google, and you're trying to have a public website where you're inviting people to spend money with your company, you can't afford to tell them to go download another browser. Public facing websites are a whole different can of worms, and extremely costly to test. Fortunately, in theory, they have a revenue stream that enables that testing to still be cost effective. Internal applications, as others have said, are just a cost to the company, and all those costs must be minimized.

    I also want to address the nonsense that some people are spouting about the version numbering being no big deal. They are partially correct, but missing the point when they say that FF5 is like 4.1, and that FF6 will be like 4.2. It doesn't matter what the version numbers are. If there are new features, corporations incur costs in re-certifying the new features in the browser. No matter how incremental the feature release cycle is, Corporations must re-test / re-certify every new feature release of the software they use for internal mission critical business. It would be even worse if the browsers auto-updated on the desktops. I would come in to work one day and hear "Everything has gone to hell, the new version of firefox broke our internal web site. We have to take rapid action." Our choices at that point would be to roll back the browser, or deploy some manner of fixes to the internal websites. In the end, the solution is simple: DON'T INSTALL NEW BROWSERS.