Why don't we use Mozilla ESR in Precise?

Alex Schoof alex.schoof at gmail.com
Mon Feb 6 16:25:21 UTC 2012


Is the concern that high-severity patches won't be backported from Firefox
11 (or 12 or 13 or 14...)? We should be getting high-severity patches from
upstream through the ESR lifecycle (
http://www.mozilla.org/en-US/firefox/organizations/faq/)

People run their businesses on LTS releases. They need to know that if they
dump dev and ops time into building some custom line of business app
against an LTS release (think internal ticketing add-on for Firefox), that
their business-critical code isn't going to break because a new major
release of Firefox came out and changed some internal API or something.

If we can GUARANTEE that the next 7 releases of Firefox (until the next
ESR) will ALL be backwards-compatible with no changes to web and add-on
APIs, etc, then I fully support always shipping the latest Firefox. On the
other hand, if we can't make that promise, then LTS should be shipping the
ESR release, which will be API-stable and get updates from upstream through
its lifecycle.

I feel like we're getting to a level with web apps that bumping the version
of the browser in an "enterprisy" LTS-type release would be like shipping a
new version of gcc or java mid-release: at best it makes people nervous, at
worst it causes outages.

Cheers,

Alex

On Mon, Feb 6, 2012 at 10:23 AM, Jeremy Bicha <jbicha at ubuntu.com> wrote:

> On 6 February 2012 06:50, Jason Warner <jason.warner at canonical.com> wrote:
> >
> >
> > On Mon, Feb 6, 2012 at 10:02 PM, Viktor Basso <viktor at basso.cc> wrote:
> >>
> >> Yes!
> >> The LTS should be secure, stable and supported. Not "better, faster,
> >> braver" as Jason pointed out.
> >
> >
> > And what if we could be both? ;) In fact, we can. By embracing Firefox
> > proper rather than ESR, we are getting the current browser that will get
> > security updates and thorough testing as well as being the most stable,
> > secure and supported Firefox on the market. ESR, as noted by Mozilla [1],
> > will not be the most secure, will not be the most updated and will not be
> > the most supported. Additionally, we then get the updates to core
> > components and offer a leading edge browser rather than on lagging by as
> > many as 12 months. As I said earlier, ESR feels like too much risk for too
> > little reward.
> >
> >   Jason
> >
> > [1] - https://wiki.mozilla.org/Enterprise/Firefox/ExtendedSupport:Proposal#Risks
> >
> > Risks
> >
> > The ESR will not have the benefit of large scale testing by nightly and
> > beta groups. As a result, the potential for the introduction of bugs which
> > affect ESR users will be greater, and that risk needs to be understood and
> > accepted by groups that deploy it. To help mitigate these risks, Mozilla
> > will be asking organizations that deploy the ESR for assistance with
> > testing alpha and/or beta builds of the ESR with their user base.
> > Over time, an ESR will be less secure than the regular release of Firefox,
> > as new functionality will not be added at the same pace as Firefox, and
> > only high-risk/impact security patches will be backported. It is important
> > that organizations deploying this software understand and accept this.
>
> I support the decision of the Ubuntu Mozilla developers to ship
> basically the same Firefox on all supported Ubuntu releases. While at
> first glance, it may sound like a bad idea, the new Rapid Releases are
> actually more reliable and better tested than the old pre-Firefox 4
> releases were. Everyone that runs the development release of Ubuntu
> (Precise at the moment) and those who opt in to the PPA test what is
> basically a release candidate for 6 weeks. This is far more than the
> week or so of testing that other releases got.
>
> Do you have any idea how many people will test the 10.0.1 update that
> will include some of Firefox 11's security updates (I expect certain
> security improvements will be too complex to attempt to backport)? Far
> fewer than will test Firefox 11 and probably for far less time than
> the 6 weeks Firefox 11 is tested. (And that even ignores the 6
> additional weeks of "alpha" testing where no new features are supposed
> to land and the weeks of nightly testing.)
>
> There's also a persistent problem with manpower in both Ubuntu's
> Mozilla & Chromium teams and shipping multiple versions of these apps
> every few weeks would be a significant increase in work for very
> little benefit. We can't even ship Firefox 10.0.1 to LTS users until
> it's been tested for several days. Each day we delay for QA is a day
> that Ubuntu users are at risk from known security bugs. It's a
> misconception that Firefox 10.0.* will be any more tested or any safer
> than the normal Firefox releases and in fact, I believe the opposite
> to be true.
>
> The Firefox update policy in Ubuntu now matches what's already been
> happening with Chromium for a long time. Both are also listed on
> https://wiki.ubuntu.com/StableReleaseUpdates/MicroReleaseExceptions .
> Chris Coulson has also blogged about this, and I also contacted him to
> verify what was going to happen as it surprised me too at first read
> until I thought through things a bit more.
>
> Jeremy



-- 


Alex Schoof