Security releases: How long?

Ben Bucksch ben.bucksch at
Tue Jul 24 13:06:33 UTC 2012

On 23.07.2012 18:40, BAUVENS Laurent wrote:
> AFAIK, the great majority of security flaws comes from Gecko. So I 
> understand "security update from Mozilla" as the integration work of 
> all security patches coming from Firefox development teams.

Yes. The problem is the that integration work. It's not feasible to 
backport security patches, so "security update" means "port to newer 
Mozilla ESR". The problem is that Mozilla / XULRunner is a rich platform 
(like Windows) with a big API beyond just HTML, including XUL, toolkit, 
XPCOM IDL APIs, strings and many other things. This platform is shared 
with Firefox, and they take the liberty to change the APIs as they see 
fit - now probably even more so than before, with even less respect to 
Thunderbird. That means that an update to newer Mozilla needs work to 
adapt to these API changes, e.g. thread proxies go away, SSL error 
callbacks change etc.pp.. This is considerable work. And it's very 
boring work, nothing anybody wants to do in their free time.

However, there is no alternative. Backporting the security fixes from 
the new Mozilla to an old Mozilla is not feasible - the Mozilla security 
team has tried that a lot in the past and always failed after a year or 
so, because there are too many too big changes.
OTOH, not updating at all is not an option either, because that means 
that any incoming email can take over your computer.
So, the only option is updating Thunderbird to the changes that Firefox 
devs make in the Mozilla platform, and that alone costs 1-2 developers 
working full time, I would estimate.

This is what Mozilla Corporation promised to do for the time being. What 
I need to know is how long (how many years) they commit to do that. 
Because if that ends in 2 years, we need to find a solution now already, 
because getting the solution in place (e.g. finding sponsors) can take a 
long time.


More information about the tb-planning mailing list