Likely timing of future Thunderbird Gecko builds

[Ben Bucksch]

R Kent James wrote on 18.04.2017 07:22:
> That means that after Thunderbird 59, we will cease trying to maintain 
> Thunderbird builds based on Gecko 60 and later, but will instead 
> continue all further development of existing Thunderbird (which should 
> be regressions and security patches only) using Gecko-esr59. After EOL 
> of Gecko-esr59, that will require increasing effort to maintain 
> security patches, such that this path is probably only viable for at 
> most a year after EOL of Gecko-esr59. 

Kent, I've said this before, and I'll say it again: The Thunderbird 
project stands no chance at all to maintain security patches of Gecko.

There is a reason why Mozilla provides the ESR only for 8 months: 
Because it gets increasingly difficult as the branch and mainline 
diverge. At Mozilla's security does not have the resources to maintain 
the branch longer. There are security bugs every 2 business days! Some 
of them are easy, some complicated, some very very hard to fix on the 
old codebase.

If the Mozilla security team can't manage, why do you think the 
Thunderbird project can?

On top of that, our TB maintainers even lack the security knowledge to 
understand Thunderbird's security model. Gecko security is 20 times 
harder. There's absolutely no chance we can get this right. We might be 
able to manage in 9 out of 10 cases, but what do we do with the rest? 
With 2-3 security bugs per week, we'll be flooded.

Kent, please stop proposing that as option. It is not. Nobody has 
managed to do that. Ever. Not Redhat, not Debian, not even Mozilla. And 
I have inside information about some commercial projects that I am not 
allowed to share, who are in much worse situations. Not just 1, but 
several. They all made the same mistake. They all started like this 
here. Please take my first hand experience and learn from it. Please 
don't repeat that mistake here.

This is not feasible. If we depart ESR, we have a few months at best 
until *death*.

Ben