Raise the minimum requirements for Gecko 1.9.2 (and any versions of Firefox built on 1.9.2) for Windows builds to require Windows XP Service Pack 3 or higher.
Background:
Supporting multiple OS versions is not zero cost, in terms of testing, code complexity and developer sanity. We have previously raised the minimum requirement to Windows 2000 for Firefox 3. We have also raised the minimum requirements for Linux and Mac builds in that same timeframe. While we have not formalized a policy by which we drop support for OS versions, in general the main concerns have been how recently the OS versions have been available and sold (in some cases) as well as the ability and costs involved for users to upgrade. Additionally, the continued availability of security updates for the OS level is important, as users on unsupported of operating systems, especially Windows, are highly vulnerable no matter what we do, so there is a strong argument against giving those users a reason to stay on that platform.
On July 13, 2010, Microsoft will end all support for Windows 2000 (all service packs) and Windows XP Service Pack 2 (XP SP1 and the original XP have already passed their end of support). This means that after this date, these OS versions will not get any security updates and will not receive any support from Microsoft. Service Pack 3 is a free upgrade for all XP users. Windows 2000 has no free upgrade path, but has not been available at retail since March 2004, and was last legally sold as a preloaded OS in March 2005, which is over four years ago, and will be more than five years from when we ship the last supported version of Firefox. Users should be able to successfully migrate to XP or Linux if they intend to keep using their old hardware.
Affected Users:
All users still running either Windows 2000 or Windows XP Service Pack 2 (or lower). As Service Pack 3 is a free upgrade for XP users, only Windows 2000 users will be forced to change their OS to use the next version of Firefox.
As we intend to ship the next version of Firefox in early 2010, Firefox 3.5 will continue to be supported under our current support policy (six months after the next version) until after those OS versions are no longer supported, so users will continue to be supported by Mozilla as least as long as their OS is supported.
I know Win2k is somewhat limited at this point but is there any data regarding what percentage of Windows XP users run something less than SP3? I presume most impact will be corporations that are slow to roll out upgrades as SP3 has been out for a while now.
> Raise the minimum requirements for Gecko 1.9.2 (and any versions of > Firefox built on 1.9.2) for Windows builds to require Windows XP > Service Pack 3 or higher.
> Background:
> Supporting multiple OS versions is not zero cost, in terms of testing, > code complexity and developer sanity. We have previously raised the > minimum requirement to Windows 2000 for Firefox 3. We have also > raised the minimum requirements for Linux and Mac builds in that same > timeframe. While we have not formalized a policy by which we drop > support for OS versions, in general the main concerns have been how > recently the OS versions have been available and sold (in some cases) > as well as the ability and costs involved for users to upgrade. > Additionally, the continued availability of security updates for the > OS level is important, as users on unsupported of operating systems, > especially Windows, are highly vulnerable no matter what we do, so > there is a strong argument against giving those users a reason to stay > on that platform.
> On July 13, 2010, Microsoft will end all support for Windows 2000 (all > service packs) and Windows XP Service Pack 2 (XP SP1 and the original > XP have already passed their end of support). This means that after > this date, these OS versions will not get any security updates and > will not receive any support from Microsoft. Service Pack 3 is a free > upgrade for all XP users. Windows 2000 has no free upgrade path, but > has not been available at retail since March 2004, and was last > legally sold as a preloaded OS in March 2005, which is over four years > ago, and will be more than five years from when we ship the last > supported version of Firefox. Users should be able to successfully > migrate to XP or Linux if they intend to keep using their old hardware.
> Affected Users:
> All users still running either Windows 2000 or Windows XP Service Pack > 2 (or lower). As Service Pack 3 is a free upgrade for XP users, only > Windows 2000 users will be forced to change their OS to use the next > version of Firefox.
> As we intend to ship the next version of Firefox in early 2010, > Firefox 3.5 will continue to be supported under our current support > policy (six months after the next version) until after those OS > versions are no longer supported, so users will continue to be > supported by Mozilla as least as long as their OS is supported.
> Raise the minimum requirements for Gecko 1.9.2 (and any versions of > Firefox built on 1.9.2) for Windows builds to require Windows XP > Service Pack 3 or higher.
Is there a reason for specifying SP3 here, in terms of development demand to keep Gecko compatible? Put another way, have the Windows libraries changed sufficiently between SP1 and SP3 that it's likely that we'll produce a version of Gecko that would be compatible with Windows XP SP3+ but not with SP2 or SP1?
Right now the majority of our Windows users are still on XP, but I'm not sure it's clear how many of those users have upgraded, or intend to upgrade (or in some cases are able to upgrade) and while I understand that the platform itself isn't supported by Microsoft, I do think that keeping those XP users from being able to use Firefox will end up doing more harm (to them) than good, no matter what the intent.
On Mon, Apr 13, 2009 at 11:13 PM, Mike Beltzner <beltz...@mozilla.com>wrote:
> On 13-Apr-09, at 10:33 PM, Michael Connor wrote:
> Proposal:
>> Raise the minimum requirements for Gecko 1.9.2 (and any versions of >> Firefox built on 1.9.2) for Windows builds to require Windows XP Service >> Pack 3 or higher.
> Is there a reason for specifying SP3 here, in terms of development demand > to keep Gecko compatible? Put another way, have the Windows libraries > changed sufficiently between SP1 and SP3 that it's likely that we'll produce > a version of Gecko that would be compatible with Windows XP SP3+ but not > with SP2 or SP1?
There are new features in SP2 (mostly security related) such as the IAttachmentExecute interface which the download scanner uses. We could eliminate the old IOfficeAntiVirus code if we drop support for Win2k and XP SP<2. The APIs are mostly the same however. We can also drop the theme hackery that currently exists entirely due to supporting Windows 2000 (since it lacks the uxtheme api).
> Right now the majority of our Windows users are still on XP, but I'm not > sure it's clear how many of those users have upgraded, or intend to upgrade > (or in some cases are able to upgrade) and while I understand that the > platform itself isn't supported by Microsoft, I do think that keeping those > XP users from being able to use Firefox will end up doing more harm (to > them) than good, no matter what the intent.
We can justify dropping 2k/XP entirely better than setting the minimum to XP SP3 because there are many more new features in Vista that we could take advantage of (native condition variables, graphics changes, integrity levels, etc...).
I think we should see how Windows 7 pans out. If the result is good and users migrate from XP, then we should consider dropping XP. Of course, there will always be people who cling to old systems like Win2k and XP and they will be vocal.
It should be pretty safe to drop support for Win2k but I cannot think of any reasons besides the theme APIs.
> There are new features in SP2 (mostly security related) such as the > IAttachmentExecute interface which the download scanner uses. We could > eliminate the old IOfficeAntiVirus code if we drop support for Win2k > and XP > SP<2. The APIs are mostly the same however. We can also drop the theme > hackery that currently exists entirely due to supporting Windows > 2000 (since > it lacks the uxtheme api).
Yes, I understand the case for dropping W2K support (though we should get our approximate user counts there and do that with our eyes open) and think it's virtuous. It was the SP1/2 bit that I didn't quite get. Aside from the IOfficeAntiVirus API, any other wins that anyone knows of?
> I think we should see how Windows 7 pans out. If the result is good > and > users migrate from XP, then we should consider dropping XP. Of > course, there > will always be people who cling to old systems like Win2k and XP and > they > will be vocal.
Indeed, I think it will be a function of schedule (when will Gecko 1.9.2 drop?) and market function. From what I hear in the latest rumour mills, though, Windows 7 may not be as early as originally expected, meaning that the XP market share is likely to stick around.
> Is there a reason for specifying SP3 here, in terms of development > demand to keep Gecko compatible?
I suppose one minor point is that we don't have tinderboxes testing the 3 different SP flavors of XP. [AFAIK they're all the same SP, though I'm not sure exactly which one.] It would be nice to raise requirements to what we actually test (which should become SP3, if it's not already).
>> There are new features in SP2 (mostly security related) such as the >> IAttachmentExecute interface which the download scanner uses. We >> could >> eliminate the old IOfficeAntiVirus code if we drop support for >> Win2k and XP >> SP<2. The APIs are mostly the same however. We can also drop the >> theme >> hackery that currently exists entirely due to supporting Windows >> 2000 (since >> it lacks the uxtheme api).
> Yes, I understand the case for dropping W2K support (though we > should get our approximate user counts there and do that with our > eyes open) and think it's virtuous. It was the SP1/2 bit that I > didn't quite get. Aside from the IOfficeAntiVirus API, any other > wins that anyone knows of?
There's a number of other places this occurs. There's also been bugs that were SP1-only (i.e. bug 366643, which turned up from an mxr search). There were significant architectural changes with Service Pack 2 around security, which benefits users if it doesn't impact compatibility. (Someone on IRC described it as the "Internet is Scary" service pack.)
Put another way, XP (no SP) and XP SP1 have been unsupported and unpatched for years now. Users on those OSes are almost certainly vulnerable, if they're not already owned. Any effort expended in supporting those users is the technical equivalent of throwing good money after bad. I don't know of any software that would require SP1. Other than slow-to-upgrade corporate environments (which will _surely_ migrate by SP2 EOL), I am unaware of anyone choosing to remain on lower service packs past the support date for any reason other than being unaware of the very real risk involved. IE7/IE8/ Chrome already require XP SP2 or higher (I can't find data on whether Safari has any Service Pack-level requirements) so I don't think we lose anything by catching up.
>> I think we should see how Windows 7 pans out. If the result is good >> and >> users migrate from XP, then we should consider dropping XP. Of >> course, there >> will always be people who cling to old systems like Win2k and XP >> and they >> will be vocal.
> Indeed, I think it will be a function of schedule (when will Gecko > 1.9.2 drop?) and market function. From what I hear in the latest > rumour mills, though, Windows 7 may not be as early as originally > expected, meaning that the XP market share is likely to stick around.
I don't think completely dropping XP is feasible for 1.9.2 unless it ships in 2012, given that many machines (notably netbooks) are still shipping with XP Home right now.
> Raise the minimum requirements for Gecko 1.9.2 (and any versions of > Firefox built on 1.9.2) for Windows builds to require Windows XP Service > Pack 3 or higher.
...
> On July 13, 2010, Microsoft will end all support for Windows 2000 (all > service packs) and Windows XP Service Pack 2 (XP SP1 and the original XP > have already passed their end of support). This means that after this > date, these OS versions will not get any security updates and will not > receive any support from Microsoft. Service Pack 3 is a free upgrade > for all XP users.
I wonder if this is true. I would believe "free upgrade for all XP licensees". Anyone with a corporate install Windows computer from a former employer or other circumstance may not have access SP3. I wonder how many of us there are? Betcha a lot more than you'd think. It's not like SP3 is important (or Vista for that matter).
I could switch this machine to Linux, but I would be very reluctant to break what works.
Seems like July 13, 2010 would make 1.9.3 more appropriate.
> > Relevant Links: >
Microsoft policy is not so important as what the installed base actually contains. Is there info on that?
> I suppose one minor point is that we don't have tinderboxes testing the > 3 different SP flavors of XP. [AFAIK they're all the same SP, though I'm > not sure exactly which one.] It would be nice to raise requirements to > what we actually test (which should become SP3, if it's not already).
Sort of depends on what you mean by "test" - according to wikimo, the Talos XP boxes are SP2, but afair unit tests have always been Server 2k3, and even back to Fx2 builds are 2k3 (though I think they might have started out as 2k, and Thunderbird 2 is apparently still chugging along on a 2k tinderbox).
If you break perf on SP3 but not on SP2, you won't know it, but if you break something unit tested on XP-anything but not 2k3 (or Vista but not 2k3), you'll only know it if someone finally says "you know, I haven't been able to get a test run on my XP VM to pass since..." or when someone reports the real-world breakage.
>> On July 13, 2010, Microsoft will end all support for Windows 2000 >> (all service packs) and Windows XP Service Pack 2 (XP SP1 and the >> original XP have already passed their end of support). This means >> that after this date, these OS versions will not get any security >> updates and will not receive any support from Microsoft. Service >> Pack 3 is a free upgrade for all XP users.
> I wonder if this is true. I would believe "free upgrade for all XP > licensees". Anyone with a corporate install Windows computer from a > former employer or other circumstance may not have access SP3. I > wonder how many of us there are? Betcha a lot more than you'd think. > It's not like SP3 is important (or Vista for that matter).
If you don't have the license (i.e. if it was part of a corporate site license, and you left the company with the machine) then technically you aren't using the software legally. I suppose there's some number of people using software without actually having a license to that software. I don't believe we should make a decision based on users who can't upgrade their OS because they aren't using it legally.
> > Relevant Links:
> Microsoft policy is not so important as what the installed base > actually contains. Is there info on that?
Microsoft policy is completely important, if that's when security updates stop happening. I don't think we want to put time and resources into operating systems which will rapidly be exploited. https://isc.sans.org/survivaltime.html has a fun graph which shows average time to exploit an unpatched system exposed to the Internet.
If the installed base wants to be zombies, that's fine, but that doesn't mean we should invest in giving them one more reason to expose themselves.
Michael Connor wrote: > software. I don't believe we should make a decision based on users who > can't upgrade their OS because they aren't using it legally.
Ok, I guess we disagree. I think mozilla should make decisions based on the needs of their users.
On Tue, Apr 14, 2009 at 2:31 AM, John J. Barton <johnjbar...@johnjbarton.com
> wrote: > Michael Connor wrote:
> software. I don't believe we should make a decision based on users who >> can't upgrade their OS because they aren't using it legally.
> Ok, I guess we disagree. I think mozilla should make decisions based on the > needs of their users.
I don't want spend my time debugging or trying to reproduce an issue for an operating system that isn't up to date when it could easily be. If users are illegally using their OS and cannot upgrade due to that, I do not want to have to bend over backwards to recreate their environment to reproduce the bug and test a fix (in addition, there are moral issues with helping these users). I would argue that supporting those systems doesn't help the needs of the vast majority of users who are using their OS legally and properly maintaining it.
We have users who use the server editions of Windows and Firefox works mostly correctly there, but it is technically unsupported and I have had to deal with bugs resulting from the subtle differences. The fewer platforms we have to support, the more productive my time can be spent working on bug that address issues for a much larger set of people.
> Raise the minimum requirements for Gecko 1.9.2 (and any versions of > Firefox built on 1.9.2) for Windows builds to require Windows XP > Service Pack 3 or higher.
I am a little bit concerned about dropping Windows 2000 given that Gecko 1.9.2 will be released when W2K will still be supported by Microsoft for a few months.
On the other hand, its global market share is steadily declining and already very low according to the market share reports from Gemius, StatCounter and Net Applications.
Do we have any reliable numbers from our own download and AMO statistics on the percentage of users, which are still using W2K? I think this discussion would benefit from those numbers.
> On 4/13/09 9:35 PM, Justin Dolske wrote: >> I suppose one minor point is that we don't have tinderboxes testing the >> 3 different SP flavors of XP. [AFAIK they're all the same SP, though I'm >> not sure exactly which one.] It would be nice to raise requirements to >> what we actually test (which should become SP3, if it's not already).
> Sort of depends on what you mean by "test" - according to wikimo, the > Talos XP boxes are SP2, but afair unit tests have always been Server > 2k3, and even back to Fx2 builds are 2k3 (though I think they might have > started out as 2k, and Thunderbird 2 is apparently still chugging along > on a 2k tinderbox).
Yes, all of our Fx 3.5 builds and unit tests are done in windows 2003. Talos testing is done under XP and Vista.
> Raise the minimum requirements for Gecko 1.9.2 (and any versions of > Firefox built on 1.9.2) for Windows builds to require Windows XP Service > Pack 3 or higher.
We're really trying as hard as possible to piss off as many users as we can, right?
Michael Connor wrote: > Put another way, XP (no SP) and XP SP1 have been unsupported and > unpatched for years now. Users on those OSes are almost certainly > vulnerable, if they're not already owned.
Wait, you seriously believe one single user would upgrade their OS just because there's no new Firefox available for them? Int he contrary, they will either switch to a different browser or continue to use an old, more insecure Firefox. That's already the case with a good number of people on Win9x and Firefox 2 (still millions of people, last I heard) and I haven't yet heard of anyone who thrashed Win9x because Firefox 2 was EOLed and Firefox 3 is not available for them.
It sounds like some people here have a strange view of how people decide to use what system. Firefox is not the driving force for people to buy new computers (which is bad for nature anyways) or buy and install new operating systems.
And dropping Win2k support will be a very good argument for business not using Firefox ;-)
On Tue, Apr 14, 2009 at 9:42 AM, Robert Kaiser <ka...@kairo.at> wrote: > Michael Connor wrote:
>> Proposal:
>> Raise the minimum requirements for Gecko 1.9.2 (and any versions of >> Firefox built on 1.9.2) for Windows builds to require Windows XP Service >> Pack 3 or higher.
> We're really trying as hard as possible to piss off as many users as we can, > right?
Yes, that is our goal. It has nothing to do with trying to apply our limited resources to where they can affect the most people.
On the bright side, SeaMonkey will be able to continue to support XP SP1 and Win 2k, and thereby gain all those users, since per your other message they'll just switch to another browser -- sounds like a real opportunity for you.
On Tue, Apr 14, 2009 at 9:51 AM, Robert Kaiser <ka...@kairo.at> wrote: > Michael Connor wrote:
>> Put another way, XP (no SP) and XP SP1 have been unsupported and >> unpatched for years now. Users on those OSes are almost certainly >> vulnerable, if they're not already owned.
> Wait, you seriously believe one single user would upgrade their OS just > because there's no new Firefox available for them?
I don't see that position stated in the quote -- why do you think that Mike believes that they would upgrade only to get Firefox? (Though "a single user" is a pretty low bar, so I'd probably be willing to make a wager.)
> And dropping Win2k support will be a very good argument for business not > using Firefox ;-)
They'll have to stick with IE6 if they want to keep Win2K on desktops, I think, since IE7 isn't supported there AFAIK. That's not really an addressable market for us regardless, I'm pretty sure, so we should again focus on getting the most result for our investment.
> Do we have any reliable numbers from our own download and AMO > statistics on the percentage of users, which are still using W2K? > I think this discussion would benefit from those numbers.
I, too, would like to see some actual numbers from our user-base (downloads, hits on mozilla.com, ADUs, etc) before making a determination on what we should do about Windows 2000.
Mike Shaver wrote: > On the bright side, SeaMonkey will be able to continue to support XP > SP1 and Win 2k, and thereby gain all those users, since per your other > message they'll just switch to another browser -- sounds like a real > opportunity for you.
Wrong. We can't go with different requirements than the Geck we base upon - well, unless, of course, we go and switch to WebKit and rewrite our UI on some sucky native UI library. Though, before the latter happens, I'd move to either be a Firefox or KDE dev. ;-)
> Microsoft policy is completely important, if that's when security > updates stop happening. I don't think we want to put time and > resources into operating systems which will rapidly be exploited. https://isc.sans.org/survivaltime.html > has a fun graph which shows average time to exploit an unpatched > system exposed to the Internet.
This is slightly off-topic, but do we know if those exploits are from just attaching the Windows network stack to a port or if they're from browsing with IE? If it's mostly the latter, then by preserving Firefox support for those users we're actually helping to protect them.
On Tue, Apr 14, 2009 at 10:35 AM, Mike Beltzner <beltz...@mozilla.com> wrote: > This is slightly off-topic, but do we know if those exploits are from just > attaching the Windows network stack to a port or if they're from browsing > with IE? If it's mostly the latter, then by preserving Firefox support for > those users we're actually helping to protect them.
I believe those stats are based on the default set of applications/services that can be remotely tickled for the various operating systems, based on the list of ports they provide. They would likely respond promptly to an inquiry on the topic, if asked.
On Tue, Apr 14, 2009 at 10:23 AM, Robert Kaiser <ka...@kairo.at> wrote: > Mike Shaver wrote:
>> On the bright side, SeaMonkey will be able to continue to support XP >> SP1 and Win 2k, and thereby gain all those users, since per your other >> message they'll just switch to another browser -- sounds like a real >> opportunity for you.
> Wrong. We can't go with different requirements than the Geck we base upon -
Sure, but the SeaMonkey team could maintain the alternate code paths and compensations required for XP SP1 and Win2K, and drive the testing on those platforms, right?
Or is that not a good use of your limited resources either? :)
|
