Even as Firefox developers were recently mulling over the idea of speeding up the browser's rapid, six-week release cycle even further, a separate Mozilla working group was putting together a proposal to slow down that upgrade pace for enterprise users.
Mozilla re-established its Enterprise User Working Group back in July specifically to help address business users' concerns about the browser's newly increased upgrade pace, and this new proposal, revealed on Wednesday, was the first fruit of that effort. Specifically, the group has drafted a proposal calling for Mozilla to offer Extended Support Release (ESR) versions of desktop Firefox based on every five official releases of the browser.
So, such ESRs would arrive every 30 weeks, or every five release cycles of the browser; they'd also be maintained for seven release cycles, or 42 weeks. The first ESR would likely be based on Firefox 8 or 9, the group said. The mobile version of Firefox would not be included in this ESR program.
“To permit organizations sufficient time for testing and certification, the ESR will have a two cycle (12 week) overlap between the time of a new release and the end-of-life of the previous release,” the proposal explains. “This will allow organizations to qualify and test against Aurora and Beta builds for twelve weeks leading up to the ESR, and an additional 12 weeks to certify and transition to a new ESR.”
The Mozilla Enterprise User Working Group now seeks additional feedback from organizations of all sizes over the coming weeks to help it turn this proposal into a concrete plan. Those with any feedback or ideas to share are encouraged to send the group an email.
'Over Time, an ESR Will Be Less Secure'
Chief among business users' concerns over Firefox's six-week release schedule were that it doesn't allow enough time for the organizations and their vendors to certify new releases, and that the associated end-of-life policy exposes such users to a significant security risk if they remain on an older version past Firefox 3.6.
This new proposal will certainly address both of those concerns, but it's important to note that maintenance of each ESR release would be limited to high-risk and high-impact security vulnerabilities. Functional enhancements and stability fixes would not get backported, and neither would patches for lesser security issues.
“Over time, an ESR will be less secure than the regular release of Firefox, as new functionality will not be added at the same pace as Firefox, and only high-risk/impact security patches will be backported,” the proposal explains.
'That Risk Needs to Be Understood'
The extended-support software also will not benefit from the same large-scale testing by nightly and beta groups that the standard Firefox does. “As a result, the potential for the introduction of bugs which affect ESR users will be greater, and that risk needs to be understood and accepted by groups that deploy it,” the proposal notes.
To help mitigate such risks, Mozilla will ask organizations that deploy the ESR to help test early builds of the software. Such companies will also be strongly encouraged to participate in the Enterprise User Working Group to ensure they are kept up to date on the latest developments.
The backlash Mozilla has faced over the frequency of Firefox releases clearly took it by surprise, but if there was any doubt about the sincerity of its subsequent pledge to serve business users better in the future, this move should pretty much take care of that. A slower schedule with extended support is a big step in the right direction.