Why we need Gecko updates

Axel Grude axel.grude at gmail.com
Wed Dec 9 01:25:51 UTC 2015

I wonder how Postbox manages, AFAIK they still use Gecko 9.0

Did Mozilla ever consider splitting Gecko from M-C? I would believe that if it were in a 
separate branch, it would be much easier to stay in sync.


*Axel Grude <mailto:axel.grude at gmail.com>*
Software Developer
Thunderbird Add-ons Developer (QuickFolders, quickFilters, QuickPasswords, Zombie 
Keys, SmartTemplate4)
AMO Editor

> *Subject:* Why we need Gecko updates (was: Future Planning: Thunderbird as a Web App)
> *To:* Tb-planning, Gervase Markham
> *From:* Ben Bucksch
> *Sent:* Wednesday, 09/12/2015 00:40:09 GMT +0000 [Week 49]
> Gervase Markham wrote on 18.09.2015 15:32:
>> To put it another way: "what would we have lost if we had forked m-c two
>> years ago"?
> Hey Gerv,
> That's simple to answer: Security patches.
> As you know from being in the Mozilla Security Group and from the public advisories, the 
> Gecko rendering and JS engines have security holes fairly regularly. Every month (or 
> every few months), there's a critical security hole, where "critical" means that 
> any random ad published via an ad server on a website you visit can read all the 
> files on your computer, install random malware, impersonate you, and generally 
> do whatever you can do on your own computer.
> In Thunderbird, the risk is even larger than in Firefox. In Firefox, you need to 
> actively go to a website, and that website needs to attack you (possibly via an ad 
> server). We still assume that an attacker will manage to get you to his website 
> somehow, and we consider such a critical bug the end of the computing world. In 
> Thunderbird, the attacker has it even easier: He just needs to send you an HTML 
> email. You view it, and you're done. Dead.
> The default in Thunderbird is the HTML viewer.
> Mitigation:
> * JS is disabled by default
> * "View | Message body as | Simple HTML", which tries to prevent most security holes 
> with HTML.
> Neither is bullet-proof and some classes of bugs, e.g. in the parser, or image 
> decoders or - worse - in the complex native video codecs, are still going to hit you 
> with their full force.
> Unfortunately, Mozilla gave up on supporting old Gecko versions with security 
> patches. Time's over once the ESR release is unsupported, which is currently 6-8 
> months. Anything else was considered not feasible for the Firefox security team. There's 
> no chance that the Thunderbird team can keep up.
> So, as much as I'd like that personally, forking Gecko is not an option.
> (These dreaded security holes and the lack of patches have crossed many plans, in 
> many different areas and products and companies.)
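The "Simple HTML" mitigation Ben describes is an allow-list sanitizer: keep basic formatting, drop anything that can run code or fetch remote content. The following is an added illustration of that idea, not Thunderbird's own sanitizer (which lives inside Gecko) and not code from either poster; the tag and attribute allow-lists and the sample message are assumptions constructed for the example. It also records what it removed, which is the audit trail a defender wants when tuning such a filter. Note what it cannot do: it works at the tag and attribute level only, so it offers nothing against the parser, image-decoder or codec bugs the message warns about.

```python
"""Toy allow-list HTML sanitizer in the spirit of Thunderbird's "Simple HTML" view.

Added example, not Thunderbird's or Gecko's code. ALLOWED_TAGS, ALLOWED_ATTRS and
DROP_CONTENT_TAGS are assumptions chosen for illustration, not Gecko's real lists.
"""
from html import escape
from html.parser import HTMLParser

# Formatting-only elements are kept; everything else is stripped to its text.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "blockquote", "pre", "code", "h1", "h2", "h3",
                "table", "tr", "td", "th"}
# Attributes kept per element; everything else (style, src, on*...) is dropped.
ALLOWED_ATTRS = {"a": {"href"}, "td": {"colspan"}, "th": {"colspan"}}
# Elements whose *content* is also discarded, not just the tag.
DROP_CONTENT_TAGS = {"script", "style", "object", "embed", "iframe", "svg", "math"}
VOID_TAGS = {"br"}


class SimpleHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized fragments
        self.skip_depth = 0  # > 0 while inside a dropped-content element
        self.dropped = []    # audit log of what was removed and why

    @staticmethod
    def _safe_href(value):
        # Only plain web and mail links; blocks javascript:, data:, file: etc.
        return (value or "").strip().lower().startswith(("http://", "https://", "mailto:"))

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            self.dropped.append(f"element <{tag}> with its content")
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"element <{tag}>")  # text inside is kept, tag is not
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):
                self.dropped.append(f"event handler {name} on <{tag}>")
            elif name in ALLOWED_ATTRS.get(tag, set()):
                if name == "href" and not self._safe_href(value):
                    self.dropped.append(f"unsafe href on <{tag}>")
                    continue
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
            else:
                self.dropped.append(f"attribute {name} on <{tag}>")
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # re-escape decoded text


def sanitize(html_body):
    """Return (sanitized_html, list_of_dropped_items)."""
    parser = SimpleHtmlSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample message body exercising the usual HTML-mail hazards.
SAMPLE_MAIL = (
    '<p onmouseover="steal()">Hello <b>Axel</b>,</p>'
    '<script>document.location="http://evil.example/"</script>'
    '<img src="http://tracker.example/pixel.gif" width="1" height="1">'
    '<a href="javascript:alert(1)">click</a> '
    '<a href="https://mail.mozilla.org/listinfo/tb-planning">the list</a>'
    '<object data="movie.swf"><param name="x" value="y"></object>'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE_MAIL)
    print(clean)
    for item in dropped:
        print("dropped:", item)
```

Run it as a script to see the sanitized body and the five items it removed (the event handler, the script element and its content, the tracking image, the `javascript:` link target, and the object element). The allow-list direction is the important design choice: a deny-list that tries to enumerate dangerous tags is what attackers routinely bypass.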
