Why don't we use Mozilla ESR in Precise?

Jeremy Bicha jbicha at ubuntu.com
Mon Feb 6 15:23:38 UTC 2012


On 6 February 2012 06:50, Jason Warner <jason.warner at canonical.com> wrote:
>
>
> On Mon, Feb 6, 2012 at 10:02 PM, Viktor Basso <viktor at basso.cc> wrote:
>>
>> Yes!
>> The LTS should be secure, stable and supported. Not "better, faster,
>> braver" as Jason pointed out.
>
>
> And what if we could be both? ;) In fact, we can. By embracing Firefox
> proper rather than ESR, we are getting the current browser that will get
> security updates and thorough testing as well as being the most stable,
> secure and supported Firefox on the market. ESR, as noted by Mozilla [1],
> will not be the most secure, will not be the most updated and will not be
> the most supported. Additionally, we then get the updates to core components
> and offer a leading edge browser rather than one lagging by as many as 12
> months. As I said earlier, ESR feels like too much risk for too little
> reward.
>
>   Jason
>
> [1]
> - https://wiki.mozilla.org/Enterprise/Firefox/ExtendedSupport:Proposal#Risks
>
> Risks
>
> The ESR will not have the benefit of large scale testing by nightly and beta
> groups. As a result, the potential for the introduction of bugs which affect
> ESR users will be greater, and that risk needs to be understood and accepted
> by groups that deploy it. To help mitigate these risks, Mozilla will be
> asking organizations that deploy the ESR for assistance with testing alpha
> and/or beta builds of the ESR with their user base.
> Over time, an ESR will be less secure than the regular release of Firefox,
> as new functionality will not be added at the same pace as Firefox, and only
> high-risk/impact security patches will be backported. It is important that
> organizations deploying this software understand and accept this.

I support the decision of the Ubuntu Mozilla developers to ship
basically the same Firefox on all supported Ubuntu releases. While at
first glance, it may sound like a bad idea, the new Rapid Releases are
actually more reliable and better tested than the old pre-Firefox 4
releases were. Everyone that runs the development release of Ubuntu
(Precise at the moment) and those who opt in to the PPA test what is
basically a release candidate for 6 weeks. This is far more than the
week or so of testing that other releases got.

Do you have any idea how many people will test the 10.0.1 update that
will include some of Firefox 11's security updates (I expect certain
security improvements will be too complex to attempt to backport)? Far
fewer than will test Firefox 11 and probably for far less time than
the 6 weeks Firefox 11 is tested. (And that even ignores the 6
additional weeks of "alpha" testing where no new features are supposed
to land and the weeks of nightly testing.)

There's also a persistent problem with manpower in both Ubuntu's
Mozilla & Chromium teams and shipping multiple versions of these apps
every few weeks would be a significant increase in work for very
little benefit. We can't even ship Firefox 10.0.1 to LTS users until
it's been tested for several days. Each day we delay for QA is a day
that Ubuntu users are at risk from known security bugs. It's a
misconception that Firefox 10.0.* will be any more tested or any safer
than the normal Firefox releases and in fact, I believe the opposite
to be true.

The Firefox update policy in Ubuntu now matches what's already been
happening with Chromium for a long time. Both are also listed on
https://wiki.ubuntu.com/StableReleaseUpdates/MicroReleaseExceptions .
Chris Coulson has also blogged about this, and I also contacted him to
verify what was going to happen as it surprised me too at first read
until I thought through things a bit more.

Jeremy


