Security releases: How long?
ben.bucksch at beonex.com
Tue Jul 24 13:06:33 UTC 2012
On 23.07.2012 18:40, BAUVENS Laurent wrote:
> AFAIK, the great majority of security flaws comes from Gecko. So I
> understand "security update from Mozilla" as the integration work of
> all security patches coming from Firefox development teams.
Yes. The problem is that integration work. It's not feasible to
backport security patches, so "security update" means "port to newer
Mozilla ESR". The problem is that Mozilla / XULRunner is a rich platform
(like Windows) with a big API beyond just HTML, including XUL, toolkit,
XPCOM IDL APIs, strings and many other things. This platform is shared
with Firefox, and they take the liberty to change the APIs as they see
fit - now probably even more so than before, with even less respect to
Thunderbird. That means that an update to newer Mozilla needs work to
adapt to these API changes, e.g. thread proxies go away, SSL error
callbacks change, etc. pp. This is considerable work. And it's very
boring work, nothing anybody wants to do in their free time.
However, there is no alternative. Backporting the security fixes from
the new Mozilla to an old Mozilla is not feasible - the Mozilla security
team has tried that a lot in the past and always failed after a year or
so, because there are too many too big changes.
OTOH, not updating at all is not an option either, because that means
that any incoming email can take over your computer.
So, the only option is updating Thunderbird to the changes that Firefox
devs make in the Mozilla platform, and that alone costs 1-2 developers
working full time, I would estimate.
This is what Mozilla Corporation promised to do for the time being. What
I need to know is how long (how many years) they commit to do that.
Because if that ends in 2 years, we need to find a solution now already,
because getting the solution in place (e.g. finding sponsors) can take a
More information about the tb-planning