Security support for Mozilla products in the LTS
With rapid release now a reality in Oneiric and presumably in Precise, we should discuss the potential impact of updates on people who were expecting only security updates but are getting a whole lot more (new features, and potentially breakage of things that used to work).
After this session, a clear path forward for supporting the existing LTS and Precise should be established and documented.
Blueprint information
- Status: Complete
- Approver: Jamie Strandboge
- Priority: Essential
- Drafter: Micah Gersten
- Direction: Approved
- Assignee: Micah Gersten
- Definition: Approved
- Series goal: Accepted for precise
- Implementation: Implemented
- Milestone target: None
- Started by: Jamie Strandboge
- Completed by: Jamie Strandboge
Whiteboard
Work items:
[micahg] Ensure Firefox 3.6 -> current rapid release is a supported upgrade - email (0.5): DONE
[micahg] Ensure Thunderbird 3.1 -> current rapid release is a supported upgrade - email (0.5): DONE
[micahg] Coordinate with release team (skaet) an announcement to ubuntu-announce and ubuntu-
[micahg] Prepare Firefox rapid release in security-proposed PPA (4): DONE
[micahg] Prepare Thunderbird rapid release in security-proposed PPA (0.5): DONE
[micahg] Coordinate with release team (skaet) an announcement to ubuntu-announce and ubuntu-
[mdeslaur] Upload empty package for bindwood for rapid release migration (0.25): DONE
micahg - 2011-10-25 - We're definitely going to need to build up our beta channel testing to try to catch issues while there's still time to fix the issues.
jdstrand - 2011-10-25 - potential work item is documenting the mozilla update policy in Ubuntu and the reasons behind it (perhaps the SecurityTeam/FAQ)
mdeslaur - Plugins are starting to have compatibility issues with older Firefox releases - see Flash hang bugs on Lucid and Maverick
= From etherpad =
Intro
Rapid release is a reality. Mozilla releases every 6 weeks for Firefox and Thunderbird.
Potential issues: corporate customers. LTS users want a stable browser.
Options
Upstream will have an 'extended release'. Upstream doesn't want people to use this, but we would need to provide a 2nd package. Issues:
- limited testing from upstream
- behind on release
- only backport high and critical
- community maintained/driven
- branch off newest stable, but code will quickly diverge
- only 42 weeks
- user visible changes are actually more pronounced with this technique
- ways of looking at it
- pure security view: rapid release fixes all issues and adds new security features
- regression view: once released, in-house stuff fails, but browser plugins test against the latest, not the extended release. New websites may not work with the old release, but company-internal sites may break
- all browsers are moving, it isn't just us. The world has changed
If release on 6 week cycle, there are more little breaks rather than a few big breaks
Precise (Firefox and probably Thunderbird):
- have rapid release in the distribution
- track ESR in a PPA
Lucid
- probably need to in a few weeks
- how to do it?
- can push 3.6 to -security for a release or 2 and the rapid release in -updates
- ESR/3.6 tracked in a PPA as well
- when to transition Lucid? undecided
Does Mozilla support version jumps (e.g., 4 to 7)?
- upstream says "should work", but not supported
Thunderbird will probably follow Firefox's model, e.g. a version will follow the Firefox ESR
How to communicate to lucid users
- extra pre-USN
- [ACTION] micahg to coordinate with skaet an announcement to ubuntu-announce (e.g., EOL) letting people know that things are changing and why
Upstream info:
https:/
https:/