Security support for Mozilla products in the LTS

Registered by Micah Gersten

With rapid release now a reality in Oneiric and presumably in Precise, we should discuss the potential impact of updates on people who were expecting only security updates but are getting a whole lot more (new features and potentially breaking stuff that used to work).

After this session, a clear path forward for supporting the existing LTS and Precise should be established and documented.

Blueprint information

Jamie Strandboge
Micah Gersten
Micah Gersten
Series goal:
Accepted for precise
Milestone target:
Started by
Jamie Strandboge
Completed by
Jamie Strandboge

Work items:
[micahg] Ensure Firefox 3.6 -> current rapid release is a supported upgrade - email (0.5): DONE
[micahg] Ensure Thunderbird 3.1 -> current rapid release is a supported upgrade - email (0.5): DONE
[micahg] Coordinate with release team (skaet) an announcement to ubuntu-announce and ubuntu-security-announce about the plans to jump from Firefox 3.6 to the rapid release version (ended up just sending to ubuntu-security-announce) (0.5): DONE
[micahg] Prepare Firefox rapid release in security-proposed PPA (4): DONE
[micahg] Prepare Thunderbird rapid release in security-proposed PPA (0.5): DONE
[micahg] Coordinate with release team (skaet) an announcement to ubuntu-announce and ubuntu-security-announce about the plans to jump from Thunderbird 3.1 to the rapid release version (0.5): DROPPED
[mdeslaur] Upload empty package for bindwood for rapid release migration (0.25): DONE

micahg - 2011-10-25 - We're definitely going to need to build up our beta channel testing to try to catch issues while there's still time to fix the issues.
jdstrand - 2011-10-25 - potential work item is documenting the mozilla update policy in Ubuntu and the reasons behind it (perhaps the SecurityTeam/FAQ)
mdeslaur - Plugins are starting to have compatibility issues with older firefox releases - see flash hang bugs on Lucid and Maverick

= From etherpad =
Rapid release is a reality. Mozilla releases every 6 weeks for firefox and tbird
Potential issues- corporate customers. LTS users want stable browser

Upstream will have an 'extended release'. Upstream doesn't want people to use this, but we would need to provide a 2nd package. Issues:
- limited testing from upstream
- behind on release
- only backport high and critical
- community maintained/driven
- branch off newest stable, but code will quickly diverge
- only 42 weeks
- user visible changes are actually more pronounced with this technique
- ways of looking at it
 - pure security view: rapid release fixes all issues and adds new security features
 - regression view: once release then in house stuff fails, but browser plugins test against the latest, not the extended release. New websites may not work with old, but company internal sites may break
 - all browsers are moving, it isn't just us. the world has changed

If release on 6 week cycle, there are more little breaks rather than a few big breaks

Precise (firefox and probably tbird):
- have rapid release in the distribution
- track esr in a ppa

- probably need to in a few weeks
- how to do it?
- can push 3.6 to -security for a release or 2 and the rapid release in -updates
- esr/3.6 tracked in a ppa as well
- when to transition lucid? undecided

does mozilla support version jumps (eg, 4 to 7)
- upstream says "should work", but not supported

thunderbird will probably follow firefox' model, eg a version will follow the firefox ESR

How to communicate to lucid users
- extra pre-USN
- [ACTION] micahg to coordinate with skaet announcement to ubuntu-announce (eg, EOL) letting people know that things are changing and why

Upstream info:

