Is the concern that high-severity patches wont be backported from Firefox 11 (or 12 or 13 or 14...)? We should be getting high-severity patches from upstream through the ESR lifecycle (<a href="http://www.mozilla.org/en-US/firefox/organizations/faq/">http://www.mozilla.org/en-US/firefox/organizations/faq/</a>) People run their businesses on LTS releases. They need to know that if they dump dev and ops time into building some custom line of business app against an LTS release (think internal ticketing add-on for firefox), that they're business-critical code isnt going to break because a new major release of firefox came out and changed some internal API or something. If we can GUARANTEE that the next 7 releases of Firefox (until the next ESR) will ALL be backwards-compatible with no changes to web and add-on APIs, etc, then I fully support always shipping the latest Firefox. On the other hand, if we can't make that promise, then LTS should be shipping the ESR release, which will be api-stable and get updates from upstream through its lifecycle. I feel like we're getting to a level with web apps that bumping the version of the browser in an "enterprisy" LTS-type release would be like shipping a new version of gcc or java mid-release, at best it makes people nervous, at worst it causes outages. Cheers, Alex <div class="gmail_quote">On Mon, Feb 6, 2012 at 10:23 AM, Jeremy Bicha <<a href="mailto:jbicha@ubuntu.com">jbicha@ubuntu.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <div class="HOEnZb"><div class="h5">On 6 February 2012 06:50, Jason Warner <<a href="mailto:jason.warner@canonical.com">jason.warner@canonical.com</a>> wrote: > > > On Mon, Feb 6, 2012 at 10:02 PM, Viktor Basso <viktor@basso.cc> wrote: >> >> Yes! >> The LTS should be secure, stable and supported. Not "better, faster, >> braver" as Jason pointed out. > > > And what if we could be both? ;) In fact, we can. By embracing Firefox > proper rather than ESR, we are getting the current browser that will get > security updates and thorough testing as well as being the most stable, > secure and supported Firefox on the market. ESR, as noted by Mozilla [1], > will not be the most secure, will not be the most updated and will note be > the most supported. Additionally, we then get the updates to core components > and offer a leading edge browser rather than on lagging by as many as 12 > months. As I said earlier, ESR feels like too much risk for too little > reward. > > Jason > > [1] > - <a href="https://wiki.mozilla.org/Enterprise/Firefox/ExtendedSupport:Proposal#Risks" target="_blank">https://wiki.mozilla.org/Enterprise/Firefox/ExtendedSupport:Proposal#Risks</a> > > Risks > > The ESR will not have the benefit of large scale testing by nightly and beta > groups. As a result, the potential for the introduction of bugs which affect > ESR users will be greater, and that risk needs to be understood and accepted > by groups that deploy it. To help mitigate these risks, Mozilla will be > asking organizations that deploy the ESR for assistance with testing alpha > and/or beta builds of the ESR with their user base. > Over time, and ESR will be less secure than the regular release of Firefox, > as new functionality will not be added at the same pace as Firefox, and only > high-risk/impact security patches will be backported. It is important that > organizations deploying this software understand and accept this. </div></div>I support the decision of the Ubuntu Mozilla developers to ship basically the same Firefox on all supported Ubuntu releases. While at first glance, it may sound like a bad idea, the new Rapid Releases are actually more reliable and better tested than the old pre-Firefox 4 releases were. Everyone that runs the development release of Ubuntu (Precise at the moment) and those who opt in to the PPA test what is basically a release candidate for 6 weeks. This is far more than the week or so of testing that other releases got. Do you have any idea how many people will test the 10.0.1 update that will include some of Firefox 11's security updates (I expect certain security improvements will be too complex to attempt to backport)? Far fewer than will test Firefox 11 and probably for far less time than the 6 weeks Firefox 11 is tested. (And that even ignores the 6 additional weeks of "alpha" testing where no new features are supposed to land and the weeks of nightly testing.) There's also a persistent problem with manpower in both Ubuntu's Mozilla & Chromium teams and shipping multiple versions of these apps every few weeks would be a significant increase in work for very little benefit. We can't even ship Firefox 10.0.1 to LTS users until it's been tested for several days. Each day we delay for QA is a day that Ubuntu users are at risk from known security bugs. It's a misconception that Firefox 10.0.* will be any more tested or any safer than the normal Firefox releases and in fact, I believe the opposite to be true. The Firefox update policy in Ubuntu now matches what's already been happening with Chromium for a long time. Both are also listed on <a href="https://wiki.ubuntu.com/StableReleaseUpdates/MicroReleaseExceptions" target="_blank">https://wiki.ubuntu.com/StableReleaseUpdates/MicroReleaseExceptions</a> . Chris Coulson has also blogged about this, and I also contacted him to verify what was going to happen as it surprised me too at first read until I thought through things a bit more. Jeremy <div class="HOEnZb"><div class="h5"> -- ubuntu-desktop mailing list <a href="mailto:ubuntu-desktop@lists.ubuntu.com">ubuntu-desktop@lists.ubuntu.com</a> <a href="https://lists.ubuntu.com/mailman/listinfo/ubuntu-desktop" target="_blank">https://lists.ubuntu.com/mailman/listinfo/ubuntu-desktop</a> </div></div></blockquote></div> -- Alex Schoof