LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Front page

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

The end of the road for Firefox 2

By Jonathan Corbet
November 5, 2008
By some accounts, the Firefox browser is now responsible for a full 20% of web traffic. As the number of Firefox users grows, so does the need for top-quality support; 20% makes for a large number of potential attack points. So it is interesting to note that Mozilla is now planning to end Firefox 2 support in the near future, perhaps before the end of the year. This change could leave a lot of users - and not just Firefox users - in a difficult position.

One obvious question to ask would be: have most Firefox users moved on to Firefox 3? Apparently, about two out of three users have made the change, but millions of users have yet to move away from the older browser. The Mozilla project would like to get as many of those users to switch before ending support; that, in turn, requires looking at why they haven't yet upgraded. There seem to be a few prominent reasons beyond sheer inertia:

  • Some users have systems which are not supported by Firefox 3. Many of these, it seems, are running old versions of Windows - 9x or NT4. In these cases, the operating system itself has long since ceased to receive support, so it's not entirely clear that continuing to support the browser does a whole lot of good.

  • Others are dependent on extensions which have not been ported to Firefox 3. While most actively-developed extensions were ported some time ago, it appears that there are quite a few extensions which, while still having significant numbers of users, have been abandoned by their developers. Zack Weinberg has suggested that the project could make an active effort to find new maintainers for those extensions, or even fix a few of them itself.

  • The Firefox 3 experience is not problem-free for all users; there have been some complaints about printing on some systems, for example. Finding - and fixing - the remaining blockers is clearly an important thing for the Firefox developers to do.

Somehow, ways will probably be found to coax most of these users into moving forward to a newer browser. Beyond doubt, though, some will be left behind, and some of those may learn the hard way what "unsupported" really means. But that will be true no matter how long Firefox 2 is supported; there's never a way to get all users to upgrade. Firefox is not different from any other application in this regard, with the sole exception that its user base is larger than most.

There is another important aspect to this story, though: this decision will affect users well beyond those who use Firefox. The end of Firefox 2 support will also bring an end to support for the Gecko 1.8.1 platform. And this version of Gecko is used by several applications beyond Firefox, including Camino, SeaMonkey, Sunbird, Miro, Instantbird, and Thunderbird. All of these platforms currently use Gecko - the soon-to-be-discontinued version of Gecko - for HTML rendering.

There is a fair amount of concern about Thunderbird in particular. This mail client was recently kicked out of the Mozilla nest to fend for itself. Thunderbird developers are working toward a Thunderbird 3 release (the third alpha release came out in mid-October) which will use a newer version of Gecko. But the 3.0 release is still several months away - some months after the end of Gecko 1.8.1 support. Naturally enough, the Thunderbird developers worry that their current users will be running in an unsupported mode; that does not strike them as the best start for their newly-independent project.

The word from the Mozilla Foundation seems to be that the Gecko platform will continue to be supported, in some minimal fashion, for a while yet. According to Samuel Sidler:

The triage and release team that currently works on Firefox and Thunderbird 2.0.0.x releases will continue to triage requests for Thunderbird 2.0.0.x and maintain its releases until six months after the release of Thunderbird 3.

Note that this will mean that browser-specific security and stability bugs will likely be ignored/minused. We'll only be considering bugs that affect Thunderbird 2.0.0.x.

So it seems that Thunderbird should be covered - as long as the people who decide whether bugs are "browser-specific" do their job properly. But experience has shown many times that it can be hard to understand the full implications of a given bug. It would not be all that surprising for one or more "browser-specific" bugs to turn out to be fully exploitable in Thunderbird.

Beyond that, though, applications like SeaMonkey and Camino are browsers. Developers from those projects are, needless to say, concerned that their needs are not being taken into account. They are not attracted by the idea of shipping a browser based on a platform where browser-specific bugs are being ignored. Mozilla developers have tried to reassure these groups that the situation is not as bad as it seems, but how things will work for them is far from clear. The real answer was, perhaps, suggested by Samuel:

The community can take over this branch, just as has been done for Gecko 1.8.0 (currently managed by Linux vendors)

In other words, Mozilla would like to outsource the maintenance of this code to the community, and to distributors in particular. The good news is that this is free software, so this kind of extended maintenance is possible as long as the interest is there to do it. Gecko is a non-trivial body of software to maintain, but it should be possible for the various interested projects, along with distributors still shipping this code, to pool their effort and get the job done. In their spare time, perhaps, they can give some thought to how they might avoid getting caught in the same situation when Firefox 3 reaches the end of its supported life.

(Log in to post comments)

The end of the road for Firefox 2

Posted Nov 6, 2008 2:53 UTC (Thu) by walken (subscriber, #7089) [Link]

I have not upgraded yet, because I'm still using debian etch and it's got iceweasel version 2. My upgrade to firefox 3 will probably be whenever debian lenny ships. I suspect there must be other people in my situation, who just don't care enough about the upgrade to do it before their distro does.

The end of the road for Firefox 2

Posted Nov 6, 2008 4:42 UTC (Thu) by afalko (subscriber, #37028) [Link]

I too have not upgraded for this reason. In my case, I'm a Gentoo user who is only updating his systems for security updates only. Firefox2 is so perfect for me I have no motivation to risk breaking the stability of my system and browsing experience for feature I'm happy without.

The end of the road for Firefox 2

Posted Nov 6, 2008 8:48 UTC (Thu) by Los__D (guest, #15263) [Link]

Well, if security updates is a feature you are happy without, by all means, stay with FF2

The end of the road for Firefox 2

Posted Nov 6, 2008 9:03 UTC (Thu) by walken (subscriber, #7089) [Link]

No, I expect that debian will release lenny before security updates are dropped on ff2. And if lenny gets delayed, I expect debian will make a decision and either upgrade firefox in an etch dot-release, or decide to handle security updates themselves somehow.

Yeah, I'm a true debian believer :)

The end of the road for Firefox 2

Posted Nov 6, 2008 9:15 UTC (Thu) by Los__D (guest, #15263) [Link]

Hehe, they'll probably be ready.

My response was mostly to afalko, whose situation doesn't really strike me as similar to yours, but more to good old "it ain't broken...".

The end of the road for Firefox 2

Posted Nov 6, 2008 10:01 UTC (Thu) by NAR (subscriber, #1313) [Link]

Given that upgrades in general (and Linux upgrades in particular) have a tendency to break working systems, I think it's a perfectly reasonable stance...

The end of the road for Firefox 2

Posted Nov 6, 2008 10:13 UTC (Thu) by Los__D (guest, #15263) [Link]

Of course it is.

- If you don't find security updates to your browser important (which there certainly is valid reasons not to).

The end of the road for Firefox 2

Posted Nov 6, 2008 17:47 UTC (Thu) by afalko (subscriber, #37028) [Link]

I did not mean that security updates were not important. FF2 is still supported atm. If it happens to become unsupported, no problem, I'll upgrade to FF3 and adapt to the changes, good or bad.

I used live by the motto, "If its broken fix it, if it works breaks it." But that was when I didn't have real work to do --- at least not that important or computer dependent work. Now I live by "if its working, don't break it, if its broken (I consider something with a security hole to be broken), try to fix it without turning the entire system upside down".

The end of the road for Firefox 2

Posted Nov 7, 2008 11:55 UTC (Fri) by Los__D (guest, #15263) [Link]

Ah, then we are in complete agreement :)

"If it ain't broke" --- test it?

Posted Nov 6, 2008 21:01 UTC (Thu) by AnswerGuy (guest, #1256) [Link]

The old sysadmin adage: "if it ain't broke, don't fix it!" hinges on the assumption that we would know if it's "broke"[sic].

Security issues are the obvious and dangerous counter example to this assumption. If there's a vulnerability then a subtle attacker may be exploiting it for arbitrary lengths of time without exposing the breakage to their victims.

Frequently the sysadmin is also extending this philosophy to the next logical adage ... "better the devil you know ..."

To mitigate the risks posed by upgrading (the upgrade will break stuff) perhaps we'd be better off asking how we can effectively adopt some analog to the "test driven development" model which is the heart of agile programming methodologies.

How could we automate a test suite of the functionality of our systems so that we could deploy a set of changes (upgrades, new package installations, configuration changes, etc) with confidence that nothing (that we tested for) was broken in the process.

First we have to have a way to rollback from our changes.

The old brute force method is to swap out whole (spare) machines or hard drives ... restore the existing system (or replicate it) ... then deploy the changes. There the rollback is to switch back to the primary (non-spare) system or hard drives. (This is a simplification since we also must be aware of the changes that may have occurred to "live" (production) data during the testing --- that can be arbitrarily complicated for specific applications).

It may be possible to use LVM snapshotting as a more elegant and far more lightweight alternative to wholesale drive/system replacement. I would love to see a good HOWTO covering that process.

Next we need a framework for running our tests.

For servers the functionality tests can start with the same tools we use for monitoring our services. So if we have reasonable coverage through things like Nagios then we should be able to add the test system to the monitoring system fairly easily ---- and see alerts for any service that's obviously broken.

However this only tests for obvious breakage. Monitoring systems are designed to and tune to minimize load, for example. So if our system under test has capacity handling issue --- if the upgrades would make our new copy of BIND fall over when all our systems are hammering on it for DNS requests ... or (more likely) our LDAP server upgrades kill the LDAP performance under high load (or truncate bulk queries, or whatever) ... these or things that have to be tested for separately.

So we need a suite of capacity/load tests.

Testing for workstations for user/interactive issues is far trickier.

Ideally we should work with the upstream maintainers to help develop test suites ... those can be used during development, after packaging, and by distribution maintainers to test for integration issues (things that only show up when combining the packages with others in the same distribution) ... and finally these could be packaged up so that savvy sysadmins could re-use them to test for deployment issues.

What I'm proposing is that we build "soup to nuts" testing to catch issues at any stage from development to deployment.

And I know it's not gonna happen overnight.

The end of the road for Firefox 2

Posted Nov 6, 2008 4:40 UTC (Thu) by jamesh (guest, #1159) [Link]

I guess the other message is "port to the new Gecko when we do if you want to benefit from our maintainership". It looks like Seamonkey has an alpha release using a newer Gecko, so the real issue for them is finishing the release and supporting old users.

It seems that the end of support wasn't a surprise, but is still a bit inconvenient for external projects.

The end of the road for Firefox 2

Posted Nov 6, 2008 8:11 UTC (Thu) by i3839 (guest, #31386) [Link]

So to sum up, all devs moved on to the new code and don't work on the old versions anymore, and no new 2.x(FF)/1.8.x(Gecko) releases will be made. This seems like a normal thing that happens all the time, so what's all the fuzz about?

And it's open source, so it should be easy to fork off a "stable" branch of the old code, like what happened with the kernel. Or is there something about the mozilla foundation that makes things like that difficult? (E.g. not providing hostage, not mentioning it on their site etc.)

*shrug*

The end of the road for Firefox 2

Posted Nov 6, 2008 10:26 UTC (Thu) by rghetta (subscriber, #39444) [Link]

I think offering an upgrade to FF3 using the automatic update feature will go a long way toward getting more users to switch.
Right now one has to go to mozilla site, download the new ff and install it. IMHO many just don't know about the newer release.

The end of the road for Firefox 2

Posted Nov 6, 2008 13:36 UTC (Thu) by rmn30 (guest, #36960) [Link]

It's not just ancient MS Windows systems which can't use Firefox 3. At work we are using Red Hat Enterprise Linux 4 (we just upgraded from RHEL3) and I haven't yet managed to get FireFox 3 to work, even using the statically linked build, because it has a shared library dependency on libpangocairo. Mozilla's definition of 'static' obviously differs from the usual one I'm familiar with...

Now I could track down and compile all the dependencies myself but honestly who has the time? Also it's much more fun to whine about it on LWN.

The end of the road for Firefox 2

Posted Nov 6, 2008 13:42 UTC (Thu) by droundy (subscriber, #4559) [Link]

Firefox 3 also has dropped support for older MacOS versions like 10.3 that still get security updates from Apple. To be fair, Apple hasn't backported their latest Safari version to work on 10.3 either...

The end of the road for Firefox 2

Posted Nov 6, 2008 16:53 UTC (Thu) by jzbiciak (✭ supporter ✭, #5246) [Link]

Wow. I have this exact same problem. Now I wonder if we work at the same place. :-)

Google Browser Sync

Posted Nov 6, 2008 15:16 UTC (Thu) by kfiles (subscriber, #11628) [Link]

I'm still using FF2 because Google Browser Sync has been abandoned, and will not work on FF3. Weave is thus far an inadequate replacement for me.

It's sad that such a useful extension (I particularly like being able to migrate my open tabs from one computer to another after I leave work) is no longer supported.

Google Browser Sync

Posted Nov 7, 2008 2:58 UTC (Fri) by nlucas (subscriber, #33793) [Link]

Had the same same problem, but then just got used to Foxmarks, which does the same thing (more or less).

It has one additional feature I find useful: you can have more than one profile, so you can put those bookmarks that are only for work (like access to internal network servers) or only for home (those "entertaining" channels you don't see at work) and it's less clutter on the bookmarks tool bar.

Another additional advantage is that you can manage your bookmarks by web access.

In the end, I believe I am better now.

The end of the road for Firefox 2

Posted Nov 6, 2008 16:57 UTC (Thu) by ibukanov (subscriber, #3942) [Link]

A community or distribution-based support has been working IMO successfully for Firefox 1.5 after the official support for that version has ended. In particular, people outside Mozilla Corporation backported the security bug fixes with occasional help/guidance of Mozilla's developers. I do not see why this would not work for FF 2.0 and beyond.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds