Author Topic: How to permanently disable FireFox updating...  (Read 8984 times)


Offline tom66

  • Super Contributor
  • ***
  • Posts: 6709
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: How to permanently disable FireFox updating...
« Reply #50 on: March 05, 2024, 05:41:28 pm »
Quote
When software is released so full of vulnerabilities and has to be updated so frequently to me it means the makers are being very careless and maybe should be subject to civil liability when their software causes damages. That would probably change things for the better. It is very shoddy software if it has to be updated so often for security.

I disagree with this statement.  If you look at what a web browser did 20 years ago, that was...
* decode SGML markup
* maybe parse basic CSS
* limited or no JavaScript support
* limited image file formats
* only HTTP

Now what does a web browser have to do?
* XHTML + HTML 4.0 support + SVG, XSL, JSON and others
* video decoding in multiple formats (YouTube, Netflix, etc.) (WebM encapsulation, codecs AV1, VP9, H264/H265... up to 4K rendered on graphics cards directly)
* multiple types of new file formats, such as WebP, JPEG2000, MNG/APNG...
* support a vastly more complicated HTML and CSS standard
* support complex JavaScript environments including JIT compilation
* support vastly more protocols such as HTTP2.0,  HTTPS,  multiple new forms of SSL (TLS 3.0), async HTTP requests and so on

There is a much larger attack area.  This is necessary to support the modern web.  If you do not want these features that is fine, but you would need to disable them or find a very old secure build of Firefox or something that did not have them.  This would probably break most of the things you use on the internet.

Many older browsers did have serious security flaws.  For instance, IE5.5 had a bug in it which allowed remote code execution via a maliciously crafted PNG image.  It took Microsoft ages to patch that.  Companies, including Microsoft, are far better now.  For instance in shared libraries they cooperate to disclose a fix at the same time to avoid an attacker having the opportunity to exploit one system before others have had a chance to patch it.

The modern way is not to necessarily exploit your system to put an annoying virus on it, either.  Some exploits can be essentially hidden and be used to exfiltrate data such as passwords or CC data to a server somewhere.

The idea of attaching any civil liability to free open source software is laughable in the courts.  If you read the GPL, the "No Warranty" part is very clear, it is literally in all caps.  Nonetheless, even commercial software usually excludes liability for losses.  Only in B2B services do you tend to find liability put on the supplier, but you can bet that will be baked into the cost of the software and service.
« Last Edit: March 05, 2024, 05:45:03 pm by tom66 »
 
The following users thanked this post: Monkeh

Online soldar

  • Super Contributor
  • ***
  • Posts: 3175
  • Country: es
Re: How to permanently disable FireFox updating...
« Reply #51 on: March 05, 2024, 07:00:52 pm »
Quote from: tom66
When software is released so full of vulnerabilities and has to be updated so frequently to me it means the makers are being very careless and maybe should be subject to civil liability when their software causes damages. That would probably change things for the better. It is very shoddy software if it has to be updated so often for security.

I disagree with this statement.  If you look at what a web browser did 20 years ago, that was...
* decode SGML markup
* maybe parse basic CSS
* limited or no JavaScript support
* limited image file formats
* only HTTP

Now what does a web browser have to do?
* XHTML + HTML 4.0 support + SVG, XSL, JSON and others
* video decoding in multiple formats (YouTube, Netflix, etc.) (WebM encapsulation, codecs AV1, VP9, H264/H265... up to 4K rendered on graphics cards directly)
* multiple types of new file formats, such as WebP, JPEG2000, MNG/APNG...
* support a vastly more complicated HTML and CSS standard
* support complex JavaScript environments including JIT compilation
* support vastly more protocols such as HTTP2.0,  HTTPS,  multiple new forms of SSL (TLS 3.0), async HTTP requests and so on

There is a much larger attack area.  This is necessary to support the modern web.  If you do not want these features that is fine, but you would need to disable them or find a very old secure build of Firefox or something that did not have them.  This would probably break most of the things you use on the internet.

Many older browsers did have serious security flaws.  For instance, IE5.5 had a bug in it which allowed remote code execution via a maliciously crafted PNG image.  It took Microsoft ages to patch that.  Companies, including Microsoft, are far better now.  For instance in shared libraries they cooperate to disclose a fix at the same time to avoid an attacker having the opportunity to exploit one system before others have had a chance to patch it.

The modern way is not to necessarily exploit your system to put an annoying virus on it, either.  Some exploits can be essentially hidden and be used to exfiltrate data such as passwords or CC data to a server somewhere.

The idea of attaching any civil liability to free open source software is laughable in the courts.  If you read the GPL, the "No Warranty" part is very clear, it is literally in all caps.  Nonetheless, even commercial software usually excludes liability for losses.  Only in B2B services do you tend to find liability put on the supplier, but you can bet that will be baked into the cost of the software and service.
Well, there would be a lot that could be said and discussed.

I would put security first. If you cannot do it securely then don't do it. And this goes not only for the browsers but for the web sites and servers themselves. Do not use unsafe technology until proven it can be used safely.

The legal aspect of liability is complicated. First because different countries have different legal systems that work in different ways, based on different principles.

In general terms, just because a product is free does not mean it is free from all liability. In America, under contract law, there has to be consideration for there to exist a contract so, yes, you cannot sue for contract. But there may be other avenues. Even with no contract between parties there may exist a Duty of Care the breach of which is the tort of negligence which creates a cause of action for remedy.  If I invite a person onto my property, for free, I have a duty of care and if this person suffers an accident which the courts determine to be caused by my negligence then I would be liable. Negligence and liability would probably be construed even more strictly for a commercial product than for a home owner. Note that even uninvited persons and even burglars can sue for damages. If I have a swimming pool I have the duty of preventing accidents and if the neighbor's child falls in and drowns, even though I did not invite him, I would be found liable for not taking measures to prevent it. 

Also I would be liable for any damages caused by my automobile even if I am not driving it, even if it was stolen from me. The fact that I had no contract with the person who suffered the damage does not absolve me from liability.

I would allege that the maker of software, even if given for free, has a duty of care to the user, maybe not of great care but of ordinary care and the software manufacturer does indeed bear responsibility and liability if the user suffers damages in the ordinary use of the product. The fact that the user does not pay them directly but indirectly, as a class, does not diminish the fact that they are making money by providing a product to the public and they have a duty of care.

It is not as simple and easy as simply putting a disclaimer in the conditions. Those have been held to be invalid many times and on many grounds.

In Spain it is much simpler. The law is whatever the judge says it is and whatever the judge interprets. It is a lottery where anything can happen depending on the point of view and sympathies of the judge. Expensive lawyers can most often make the judge "see things my way" but sometimes a judge will just take pity on "the little guy" and rule in his favor even if it makes no sense in legal terms.

It's complicated and that's why lawyers make good money.

All my posts are made with 100% recycled electrons and bare traces of grey matter.
 

Offline tom66

  • Super Contributor
  • ***
  • Posts: 6709
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: How to permanently disable FireFox updating...
« Reply #52 on: March 05, 2024, 07:33:16 pm »
Quote from: soldar
Well, there would be a lot that could be said and discussed.

I would put security first. If you cannot do it securely then don't do it. And this goes not only for the browsers but for the web sites and servers themselves. Do not use unsafe technology until proven it can be used safely.

Security is paramount in the development of modern software.  Most of the unit tests done on software today are intended to detect crashes and security violations. Nonetheless, there are still areas that are missed, because developers are not infallible.  Bugs are found in old software all the time.

Do be aware that the organisations that are finding these vulnerabilities are often nation-states or large criminal gangs.  Think about Stuxnet, it used four zero-day attacks to get into Iranian systems in an attempt to damage centrifuge hardware.   It was likely developed by the US and possibly Israel. A zero-day, if you were not aware, is a vulnerability not previously disclosed to the public, so developers have no time at all to fix it before it is exploited.  These are very rare (and extremely valuable to bad guys); most bugs *are* caught before they are actively exploited, but once they have been patched, all systems must be updated in order to protect them against exploitation of the now public vulnerability.  Attackers will start as soon as a patch is dropped, which is why coordinated disclosure is such a big deal, so all systems can be patched as quickly as possible.  It is literally an arms race.

Now, you could ask: should we never disclose source code so vulnerabilities cannot be discovered?  This has long been an argument against open source software but it is unconvincing.  Windows has as many if not more severe bugs than Linux does yet the source is proprietary.  There are many other examples and in general open source software is regarded as at least as secure if not more so than closed source software.  Many friendly eyes and a few bad eyes are better than no friendly eyes at all and someone who is dedicated enough to reverse engineer software to exploit it.

Quote from: soldar
The legal aspect of liability is complicated. First because different countries have different legal systems that work in different ways, based on different principles.

In general terms, just because a product is free does not mean it is free from all liability. In America, under contract law, there has to be consideration for there to exist a contract so, yes, you cannot sue for contract. But there may be other avenues. Even with no contract between parties there may exist a Duty of Care the breach of which is the tort of negligence which creates a cause of action for remedy.  If I invite a person onto my property, for free, I have a duty of care and if this person suffers an accident which the courts determine to be caused by my negligence then I would be liable. Negligence and liability would probably be construed even more strictly for a commercial product than for a home owner. Note that even uninvited persons and even burglars can sue for damages. If I have a swimming pool I have the duty of preventing accidents and if the neighbor's child falls in and drowns, even though I did not invite him, I would be found liable for not taking measures to prevent it.

It really isn't that complicated.  The GPL and other free software licenses are quite clear.  Here is the GPL 3.0's section on warranties and liability:
 
Quote
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

As far as I am aware, no one has ever successfully sued a free software developer for a defect in their software, even without clauses disclaiming liability.

As for commercial software you may be correct as to there being liability.  In the past this has resulted in class action suits where the supplier might end up refunding the cost of the software to users.  Microsoft for instance has lost a number of those class action suits.  I don't think it has substantially improved their security approaches. 

Quote from: soldar
Also I would be liable for any damages caused by my automobile even if I am not driving it, even if it was stolen from me. The fact that I had no contract with the person who suffered the damage does not absolve me from liability.

In this case, you have placed a vehicle onto the public road and are legally responsible for it.

It is your decision to use open source software and no one is forcing you to use it, so I cannot see how this argument can apply.

Quote from: soldar
I would allege that the maker of software, even if given for free, has a duty of care to the user, maybe not of great care but of ordinary care and the software manufacturer does indeed bear responsibility and liability if the user suffers damages in the ordinary use of the product. The fact that the user does not pay them directly but indirectly, as a class, does not diminish the fact that they are making money by providing a product to the public and they have a duty of care.

Most open source developers work on software as a hobby. What you are suggesting would kill open source software for good.  It would create a chilling effect since no one would want to risk being sued because of buggy software.  The author of the code that introduced the Heartbleed vulnerability, Robin Seggelmann, was just a PhD student at the time; senior reviewers for the software package, and many others, missed the bug for years to come.  It is not reasonable and fair to place the burden on any particular individual, especially given these guys are almost always unpaid.
 

