What happened to hiring an architect?

Magnus Melin mkmelin+mozilla at iki.fi
Sat Dec 17 12:10:14 UTC 2016


On 16.12.2016 17:24, Disaster Master wrote:
> On 12/15/2016 7:02 PM, R Kent James <kent at caspia.com> wrote:
>> Postbox's new release is on Gecko 7.0.1, which is now over 5 years old. I have not heard any great outcry about their security issues, and someone on this list (...cough..  BK...cough..ensa) keeps telling us what a great product that is, and how popular it is in Mozilla. So clearly forking Gecko is a CHOICE, and if people at Mozilla are using it then some people at Mozilla must not care that it is based on old Gecko, either.
>
> This supports my feeling that the security risks are actually much 
> smaller for TB than they would be for, for example, Pale Moon.

The security risks are very present, you're just living on hope 
thatnobody bothers to target you. Just to put things in numbers: there 
have been 96 security advisories from Mozilla this year alone. So with 
Gecko 7.0.1 (from 2011) there are virtually hundreds of holes just 
looming along in Postbox. These are so old security bugs that they are 
public by now, many with explicit instructions...

>
>> You don't like that choice, and neither do I, but it is clearly an option.
>
> And using this as an example, if it was forked, say, in a years time, 
> then TB could theoretically be OK for a number of years after that, 
> even as many as 5 or more.

Hardly. If you make it easy, Thunderbird is large enough to be an 
interesting attack target.

  -Magnus


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/tb-planning/attachments/20161217/9943cee9/attachment.html>


More information about the tb-planning mailing list