Why we need Gecko updates

Gervase Markham gerv at mozilla.org
Wed Dec 9 11:02:42 UTC 2015

On 08/12/15 19:40, Ben Bucksch wrote:
> * JS is disabled by default

It would be interesting to catalogue the security bugs discovered over
the past 2 years to see which required JS (or video or audio playback,
both of which I hope TB disables as well) and which did not.

> Unfortunately, Mozilla gave up on supporting old Gecko versions with
> security patches. Time's over once the ESR release is unsupported, which
> is currently 6-8 months. Anything else was considered not feasible for
> the Firefox security team. There's no chance that the Thunderbird team can
> keep up.

I think more analysis is required to say that it would be impossible for
the TB team to adapt or backport the number of security fixes over the
past two years which did not require JS to be enabled.

Re: Postbox:
> If they still use Gecko 9.0, I presume they have lots of security
> holes.

If this is true, why not spend a bit of time proving your point by
finding one? The MFSA list would be a good place to start. :-)


