Security releases: How long?

BAUVENS Laurent laurent.bauvens at cnamts.fr
Mon Jul 23 16:40:08 UTC 2012


AFAIK, the great majority of security flaws comes from Gecko. So I
understand "security update from Mozilla" as the integration work of all
security patches coming from Firefox development teams. I think security
flaws coming from "community innovations" won't be fixed by Mozilla. So,
while Thunderbird will exist and use Gecko, I think Mozilla will do the
Gecko security maintenance and integration. I think Mozilla doesn't do
that for SeaMonkey.

In my mind, Gecko is the only reason why rapid release policy was
applied to Thunderbird. By themselves, as Mitchell Baker wrote it, the
mailing functionalities are very stable and very satisfying for lots of
users. So one can say Gecko isn't a good stuff for Thunderbird because
it leads to a management à la Firefox which doesn't make sense for a
mail client. In my opininon, the first big "community innovation" should
be to replace Gecko by a more simple and stable javascript and rendering
engine in order to cut once for all the deadly link with Firefox.

The new policy proposed converts ESR as the stable release for all users
and maintains the 6 week rapid release cycles only for Gecko
maintenance. I.e back to the old release cycle known for Thunderbird
previous its version 3.0. In fact even a slower cycle because by that
time, Thunderbird had 2 Mozilla devs to enhance it.

As part of a corporate IT staff, I think the main problem will be this
slower innovation rate beyond version 17 which could lead the top
management in the next two years to decide to replace Thunderbird by a
more living mail client. Moreover, webmails seem already very
interesting because of their centralized maintenance, their zero
deployment cost and their advanced UI similar to a classic mail client.
As an individual, I will certainly keep Thunderbird to be sure to have
my mails on my PC and not in a cloud which will analyze them for profit.

Le 23/07/2012 12:41, Ben Bucksch a écrit :
> I have asked it a few times in various other emails, but gotten no
> response to it. I really really need this question answered, because
> it decides what we have to do now, today.
>
> How long will Mozilla Foundation/Corporation, using paid staff,
> provide security updates to Thunderbird, in terms of years and
> decades? This includes making the required changes to Thunderbird to
> adapt to Gecko / Mozilla platform changes, which is considerable work.
>
> Users need assurance that they will still have a email client without
> security holes in e.g. 5 years. If the future is not guaranteed
> long-term, we need to start building a new one now, so being concrete
> here is important.
Regards,

-- 
Laurent BAUVENS




*****************************************************
"Le contenu de ce courriel et ses eventuelles pièces jointes sont confidentiels. Ils s'adressent exclusivement à la personne destinataire. Si cet envoi ne vous est pas destiné, ou si vous l'avez reçu par erreur, et afin de ne pas violer le secret des correspondances, vous ne devez pas le transmettre à d'autres personnes ni le reproduire. Merci de le renvoyer à l'émetteur et de le détruire.

Attention : L'Organisme de l'émetteur du message ne pourra être tenu responsable de l'altération du présent courriel. Il appartient au destinataire de vérifier que les messages et pièces jointes reçus ne contiennent pas de virus. Les opinions contenues dans ce courriel et ses éventuelles pièces jointes sont celles de l'émetteur. Elles ne reflètent pas la position de l'Organisme sauf s'il en est disposé autrement dans le présent courriel."
******************************************************

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/tb-planning/attachments/20120723/b3e86846/attachment.html>


More information about the tb-planning mailing list