On Monday, October 17, 2016 at 1:33:06 AM UTC-5, Peter Dolanjski wrote:
> Thanks for taking the time to provide thorough feedback.
>
> > 3) For Windows Vista, I don't see where the fire is. I realize that it has
> > a vastly smaller user base, but it is close to Windows 7 code base and API
> > wise.
>
> I'm sure the engineering team can probably provide a more detailed response
> on this one, but as I understand it the main issue is that the sandboxing
> effort [1] makes use of Chromium's sandbox [2] which now only supports
> Windows 7+.
> The challenge would come from maintaining a separate version for Vista
> (which given the relatively low user numbers is hard to justify).
>
> [1] https://wiki.mozilla.org/Security/Sandbox
> [2] http://www.chromium.org/developers/design-documents/sandbox
>
> Peter
Greetings again.

First, I didn't think about OS support as a problem for Vista, but it makes sense considering how Vista failed in the market. When Mozilla does the press release stating that it is dropping Vista and XP at the same time, the explanation for Vista's dropping should include information about the lack of tool and library support so that people don't think Mozilla is just copying Google again.

Over the past week, since I responded to your post, I had to use an old laptop because it was storming (it's not good to have a computer on during a lightning storm; I learned that the hard way). It was a Vista x32 that I upgraded to Windows 7 x64, but using it got me thinking. In your initial post, you basically laid out that Vista and XP would be left at ESR 52 and that ESR 52 would be feature frozen with only security updates. Said security updates past the first year would be on an 'as user base size justified' basis. My concern is about something else along the lines of security: what about TLS and digital certificates?

In 2014 Ars Technica did a story, "My coworkers made me use Mac OS 9 for their (and your) amusement" (http://arstechnica.com/apple/2014/09/my-coworkers-made-me-use-mac-os-9-for-their-and-your-amusement/). On page 2, the author talked about trying to do work and failing. He had found the last remaining modern OS 9 web browser, Classilla, and tried to log in to the server to do work only to find that the lack of modern encryption made working from an OS 9 machine impossible. Cameron Kaiser did update Classilla after that article ("And now for something completely different: Classilla is back", https://tenfourfox.blogspot.com/2014/10/and-now-for-something-completely_28.html). Reading through his blog post, he described needing to update NSS (Network Security Services) to recognize TLS 1.0 and SHA-2. Furthermore, the release notes (http://www.floodgap.com/software/classilla/releases/) describe the SSL root certificates having to be refreshed.
My point for the above paragraph is that even if Mozilla stops security updates for ESR 52, these computers will still need to get around on the Internet. These machines will still need to do logins and banking. The world isn't the same as back in the day when Netscape 4 roamed the web, or even in 2008 when Mozilla dropped support for Windows 98 SE with 2.0.0.20. Part of securing the web means making sure that every server has a digital certificate with Let's Encrypt. But that part only works if the browser has up-to-date TLS and digital certificates.

What happens to Vista and XP on ESR 52, or even OS X 10.6-10.8 on ESR 45, when a POODLE-style attack drives everyone from TLS 1.2 to TLS 1.3 with no fallback? What happens when older certificates are found to have been compromised by a third party like a crime syndicate or government intelligence agency? Do ESR 52 and ESR 45 get stuck with corrupted certificates while the latest versions of Firefox get their certificates refreshed? I'm just wondering what your thoughts are on whether this is an issue, and how to handle it if it is.

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform