Raise the minimum requirements for Gecko 1.9.2 (and any versions of
Firefox built on 1.9.2) for Windows builds to require Windows XP
Service Pack 3 or higher.
Background:
Supporting multiple OS versions is not zero cost, in terms of testing,
code complexity and developer sanity. We have previously raised the
minimum requirement to Windows 2000 for Firefox 3. We have also
raised the minimum requirements for Linux and Mac builds in that same
timeframe. While we have not formalized a policy by which we drop
support for OS versions, in general the main concerns have been how
recently the OS versions have been available and sold (in some cases)
as well as the ability and costs involved for users to upgrade.
Additionally, the continued availability of security updates for the
OS level is important, as users on unsupported of operating systems,
especially Windows, are highly vulnerable no matter what we do, so
there is a strong argument against giving those users a reason to stay
on that platform.
On July 13, 2010, Microsoft will end all support for Windows 2000 (all
service packs) and Windows XP Service Pack 2 (XP SP1 and the original
XP have already passed their end of support). This means that after
this date, these OS versions will not get any security updates and
will not receive any support from Microsoft. Service Pack 3 is a free
upgrade for all XP users. Windows 2000 has no free upgrade path, but
has not been available at retail since March 2004, and was last
legally sold as a preloaded OS in March 2005, which is over four years
ago, and will be more than five years from when we ship the last
supported version of Firefox. Users should be able to successfully
migrate to XP or Linux if they intend to keep using their old hardware.
Affected Users:
All users still running either Windows 2000 or Windows XP Service Pack
2 (or lower). As Service Pack 3 is a free upgrade for XP users, only
Windows 2000 users will be forced to change their OS to use the next
version of Firefox.
As we intend to ship the next version of Firefox in early 2010,
Firefox 3.5 will continue to be supported under our current support
policy (six months after the next version) until after those OS
versions are no longer supported, so users will continue to be
supported by Mozilla as least as long as their OS is supported.
Relevant Links:
General Microsoft Support Lifecycle Policy:
http://support.microsoft.com/lifecycle/
Windows Service Pack Support End Dates:
http://support.microsoft.com/gp/lifesupsps#Windows
Windows 2000 Support Lifecycle
http://support.microsoft.com/lifecycle/?p1=3071
Windows Life-Cycle Policy (licensing availability)
http://www.microsoft.com/windows/lifecycle/default.mspx
-R
> Proposal:
>
> Raise the minimum requirements for Gecko 1.9.2 (and any versions of
> Firefox built on 1.9.2) for Windows builds to require Windows XP
> Service Pack 3 or higher.
Is there a reason for specifying SP3 here, in terms of development
demand to keep Gecko compatible? Put another way, have the Windows
libraries changed sufficiently between SP1 and SP3 that it's likely
that we'll produce a version of Gecko that would be compatible with
Windows XP SP3+ but not with SP2 or SP1?
Right now the majority of our Windows users are still on XP, but I'm
not sure it's clear how many of those users have upgraded, or intend
to upgrade (or in some cases are able to upgrade) and while I
understand that the platform itself isn't supported by Microsoft, I do
think that keeping those XP users from being able to use Firefox will
end up doing more harm (to them) than good, no matter what the intent.
cheers,
mike
> On 13-Apr-09, at 10:33 PM, Michael Connor wrote:
>
> Proposal:
>>
>> Raise the minimum requirements for Gecko 1.9.2 (and any versions of
>> Firefox built on 1.9.2) for Windows builds to require Windows XP Service
>> Pack 3 or higher.
>>
>
> Is there a reason for specifying SP3 here, in terms of development demand
> to keep Gecko compatible? Put another way, have the Windows libraries
> changed sufficiently between SP1 and SP3 that it's likely that we'll produce
> a version of Gecko that would be compatible with Windows XP SP3+ but not
> with SP2 or SP1?
There are new features in SP2 (mostly security related) such as the
IAttachmentExecute interface which the download scanner uses. We could
eliminate the old IOfficeAntiVirus code if we drop support for Win2k and XP
SP<2. The APIs are mostly the same however. We can also drop the theme
hackery that currently exists entirely due to supporting Windows 2000 (since
it lacks the uxtheme api).
> Right now the majority of our Windows users are still on XP, but I'm not
> sure it's clear how many of those users have upgraded, or intend to upgrade
> (or in some cases are able to upgrade) and while I understand that the
> platform itself isn't supported by Microsoft, I do think that keeping those
> XP users from being able to use Firefox will end up doing more harm (to
> them) than good, no matter what the intent.
We can justify dropping 2k/XP entirely better than setting the minimum to XP
SP3 because there are many more new features in Vista that we could take
advantage of (native condition variables, graphics changes, integrity
levels, etc...).
I think we should see how Windows 7 pans out. If the result is good and
users migrate from XP, then we should consider dropping XP. Of course, there
will always be people who cling to old systems like Win2k and XP and they
will be vocal.
It should be pretty safe to drop support for Win2k but I cannot think of any
reasons besides the theme APIs.
-Rob
> There are new features in SP2 (mostly security related) such as the
> IAttachmentExecute interface which the download scanner uses. We could
> eliminate the old IOfficeAntiVirus code if we drop support for Win2k
> and XP
> SP<2. The APIs are mostly the same however. We can also drop the theme
> hackery that currently exists entirely due to supporting Windows
> 2000 (since
> it lacks the uxtheme api).
Yes, I understand the case for dropping W2K support (though we should
get our approximate user counts there and do that with our eyes open)
and think it's virtuous. It was the SP1/2 bit that I didn't quite get.
Aside from the IOfficeAntiVirus API, any other wins that anyone knows
of?
> I think we should see how Windows 7 pans out. If the result is good
> and
> users migrate from XP, then we should consider dropping XP. Of
> course, there
> will always be people who cling to old systems like Win2k and XP and
> they
> will be vocal.
Indeed, I think it will be a function of schedule (when will Gecko
1.9.2 drop?) and market function. From what I hear in the latest
rumour mills, though, Windows 7 may not be as early as originally
expected, meaning that the XP market share is likely to stick around.
cheers,
mike
> Is there a reason for specifying SP3 here, in terms of development
> demand to keep Gecko compatible?
I suppose one minor point is that we don't have tinderboxes testing the
3 different SP flavors of XP. [AFAIK they're all the same SP, though I'm
not sure exactly which one.] It would be nice to raise requirements to
what we actually test (which should become SP3, if it's not already).
Justin
> On 13-Apr-09, at 11:25 PM, Rob Arnold wrote:
>
>> There are new features in SP2 (mostly security related) such as the
>> IAttachmentExecute interface which the download scanner uses. We
>> could
>> eliminate the old IOfficeAntiVirus code if we drop support for
>> Win2k and XP
>> SP<2. The APIs are mostly the same however. We can also drop the
>> theme
>> hackery that currently exists entirely due to supporting Windows
>> 2000 (since
>> it lacks the uxtheme api).
>
> Yes, I understand the case for dropping W2K support (though we
> should get our approximate user counts there and do that with our
> eyes open) and think it's virtuous. It was the SP1/2 bit that I
> didn't quite get. Aside from the IOfficeAntiVirus API, any other
> wins that anyone knows of?
There's a number of other places this occurs. There's also been bugs
that were SP1-only (i.e. bug 366643, which turned up from an mxr
search). There were significant architectural changes with Service
Pack 2 around security, which benefits users if it doesn't impact
compatibility. (Someone on IRC described it as the "Internet is
Scary" service pack.)
Put another way, XP (no SP) and XP SP1 have been unsupported and
unpatched for years now. Users on those OSes are almost certainly
vulnerable, if they're not already owned. Any effort expended in
supporting those users is the technical equivalent of throwing good
money after bad. I don't know of any software that would require
SP1. Other than slow-to-upgrade corporate environments (which will
_surely_ migrate by SP2 EOL), I am unaware of anyone choosing to
remain on lower service packs past the support date for any reason
other than being unaware of the very real risk involved. IE7/IE8/
Chrome already require XP SP2 or higher (I can't find data on whether
Safari has any Service Pack-level requirements) so I don't think we
lose anything by catching up.
>> I think we should see how Windows 7 pans out. If the result is good
>> and
>> users migrate from XP, then we should consider dropping XP. Of
>> course, there
>> will always be people who cling to old systems like Win2k and XP
>> and they
>> will be vocal.
>
> Indeed, I think it will be a function of schedule (when will Gecko
> 1.9.2 drop?) and market function. From what I hear in the latest
> rumour mills, though, Windows 7 may not be as early as originally
> expected, meaning that the XP market share is likely to stick around.
I don't think completely dropping XP is feasible for 1.9.2 unless it
ships in 2012, given that many machines (notably netbooks) are still
shipping with XP Home right now.
-- Mike
...
> On July 13, 2010, Microsoft will end all support for Windows 2000 (all
> service packs) and Windows XP Service Pack 2 (XP SP1 and the original XP
> have already passed their end of support). This means that after this
> date, these OS versions will not get any security updates and will not
> receive any support from Microsoft. Service Pack 3 is a free upgrade
> for all XP users.
I wonder if this is true. I would believe "free upgrade for all XP
licensees". Anyone with a corporate install Windows computer from a
former employer or other circumstance may not have access SP3. I wonder
how many of us there are? Betcha a lot more than you'd think. It's not
like SP3 is important (or Vista for that matter).
I could switch this machine to Linux, but I would be very reluctant to
break what works.
Seems like July 13, 2010 would make 1.9.3 more appropriate.
>
> Relevant Links:
>
Microsoft policy is not so important as what the installed base actually
contains. Is there info on that?
jjb
Sort of depends on what you mean by "test" - according to wikimo, the
Talos XP boxes are SP2, but afair unit tests have always been Server
2k3, and even back to Fx2 builds are 2k3 (though I think they might have
started out as 2k, and Thunderbird 2 is apparently still chugging along
on a 2k tinderbox).
If you break perf on SP3 but not on SP2, you won't know it, but if you
break something unit tested on XP-anything but not 2k3 (or Vista but not
2k3), you'll only know it if someone finally says "you know, I haven't
been able to get a test run on my XP VM to pass since..." or when
someone reports the real-world breakage.
>> On July 13, 2010, Microsoft will end all support for Windows 2000
>> (all service packs) and Windows XP Service Pack 2 (XP SP1 and the
>> original XP have already passed their end of support). This means
>> that after this date, these OS versions will not get any security
>> updates and will not receive any support from Microsoft. Service
>> Pack 3 is a free upgrade for all XP users.
>
> I wonder if this is true. I would believe "free upgrade for all XP
> licensees". Anyone with a corporate install Windows computer from a
> former employer or other circumstance may not have access SP3. I
> wonder how many of us there are? Betcha a lot more than you'd think.
> It's not like SP3 is important (or Vista for that matter).
If you don't have the license (i.e. if it was part of a corporate site
license, and you left the company with the machine) then technically
you aren't using the software legally. I suppose there's some number
of people using software without actually having a license to that
software. I don't believe we should make a decision based on users
who can't upgrade their OS because they aren't using it legally.
> > Relevant Links:
> >
> Microsoft policy is not so important as what the installed base
> actually contains. Is there info on that?
Microsoft policy is completely important, if that's when security
updates stop happening. I don't think we want to put time and
resources into operating systems which will rapidly be exploited. https://isc.sans.org/survivaltime.html
has a fun graph which shows average time to exploit an unpatched
system exposed to the Internet.
If the installed base wants to be zombies, that's fine, but that
doesn't mean we should invest in giving them one more reason to expose
themselves.
-- Mike
> software. I don't believe we should make a decision based on users who
> can't upgrade their OS because they aren't using it legally.
Ok, I guess we disagree. I think mozilla should make decisions based on
the needs of their users.
jjb
I don't want spend my time debugging or trying to reproduce an issue for an
operating system that isn't up to date when it could easily be. If users are
illegally using their OS and cannot upgrade due to that, I do not want to
have to bend over backwards to recreate their environment to reproduce the
bug and test a fix (in addition, there are moral issues with helping these
users). I would argue that supporting those systems doesn't help the needs
of the vast majority of users who are using their OS legally and properly
maintaining it.
We have users who use the server editions of Windows and Firefox works
mostly correctly there, but it is technically unsupported and I have had to
deal with bugs resulting from the subtle differences. The fewer platforms we
have to support, the more productive my time can be spent working on bug
that address issues for a much larger set of people.
-Rob
I would ask for some kind of '--disable-xp-requirements' if that's possible.
If it's not (= probaly unwanted), then too bad for me...
Those are excellent reasons for dropping support for XP/noSP and XP/SP1.
But why drop support for XP/SP2?
Rob
> Proposal:
>
> Raise the minimum requirements for Gecko 1.9.2 (and any versions of
> Firefox built on 1.9.2) for Windows builds to require Windows XP
> Service Pack 3 or higher.
I am a little bit concerned about dropping Windows 2000 given that
Gecko 1.9.2 will be released when W2K will still be supported by
Microsoft for a few months.
On the other hand, its global market share is steadily declining and
already very low according to the market share reports from Gemius,
StatCounter and Net Applications.
Do we have any reliable numbers from our own download and AMO
statistics on the percentage of users, which are still using W2K?
I think this discussion would benefit from those numbers.
Simon
--
Thunderbird/Calendar Localisation (L10n) Coordinator
Thunderbird l10n blog: http://thunderbird-l10n.blogspot.com
Calendar website maintainer: http://www.mozilla.org/projects/calendar
Calendar developer blog: http://weblogs.mozillazine.org/calendar
Yes, all of our Fx 3.5 builds and unit tests are done in windows 2003.
Talos testing is done under XP and Vista.
We're really trying as hard as possible to piss off as many users as we
can, right?
Robert Kaiser
Wait, you seriously believe one single user would upgrade their OS just
because there's no new Firefox available for them? Int he contrary, they
will either switch to a different browser or continue to use an old,
more insecure Firefox. That's already the case with a good number of
people on Win9x and Firefox 2 (still millions of people, last I heard)
and I haven't yet heard of anyone who thrashed Win9x because Firefox 2
was EOLed and Firefox 3 is not available for them.
It sounds like some people here have a strange view of how people decide
to use what system. Firefox is not the driving force for people to buy
new computers (which is bad for nature anyways) or buy and install new
operating systems.
And dropping Win2k support will be a very good argument for business not
using Firefox ;-)
Robert Kaiser
Yes, that is our goal. It has nothing to do with trying to apply our
limited resources to where they can affect the most people.
On the bright side, SeaMonkey will be able to continue to support XP
SP1 and Win 2k, and thereby gain all those users, since per your other
message they'll just switch to another browser -- sounds like a real
opportunity for you.
Mike
I don't see that position stated in the quote -- why do you think that
Mike believes that they would upgrade only to get Firefox? (Though "a
single user" is a pretty low bar, so I'd probably be willing to make a
wager.)
> And dropping Win2k support will be a very good argument for business not
> using Firefox ;-)
They'll have to stick with IE6 if they want to keep Win2K on desktops,
I think, since IE7 isn't supported there AFAIK. That's not really an
addressable market for us regardless, I'm pretty sure, so we should
again focus on getting the most result for our investment.
Mike
> Do we have any reliable numbers from our own download and AMO
> statistics on the percentage of users, which are still using W2K?
> I think this discussion would benefit from those numbers.
I, too, would like to see some actual numbers from our user-base
(downloads, hits on mozilla.com, ADUs, etc) before making a
determination on what we should do about Windows 2000.
-Sam
Wrong. We can't go with different requirements than the Geck we base
upon - well, unless, of course, we go and switch to WebKit and rewrite
our UI on some sucky native UI library. Though, before the latter
happens, I'd move to either be a Firefox or KDE dev. ;-)
Robert Kaiser
> Microsoft policy is completely important, if that's when security
> updates stop happening. I don't think we want to put time and
> resources into operating systems which will rapidly be exploited. https://isc.sans.org/survivaltime.html
> has a fun graph which shows average time to exploit an unpatched
> system exposed to the Internet.
This is slightly off-topic, but do we know if those exploits are from
just attaching the Windows network stack to a port or if they're from
browsing with IE? If it's mostly the latter, then by preserving
Firefox support for those users we're actually helping to protect them.
cheers,
mike
I believe those stats are based on the default set of
applications/services that can be remotely tickled for the various
operating systems, based on the list of ports they provide. They
would likely respond promptly to an inquiry on the topic, if asked.
Mike
Sure, but the SeaMonkey team could maintain the alternate code paths
and compensations required for XP SP1 and Win2K, and drive the testing
on those platforms, right?
Or is that not a good use of your limited resources either? :)
Mike
Erm, to be serious, we have good reasons to reduce the amount of code we
maintain and use toolkit instead of xpfe - I guess that should answer
your question ;-)
And yes, I know, that's all tough calls, but I wonder why we support
MacOS or Linux at all when it looks so easy to probably abandon more
users than we have on both of those together (has anyone stats that
would back or disprove that assumption?)
Robert Kaiser
We would lose a lot of our developers, and valuable tools (shark,
valgrind), if we didn't support those operating systems, to say
nothing of Linux being one of our major mobile platforms. Are you
just trolling, or do you really not know that?
Mike
But as I pointed out, updating is not always easy. Many, many users
avoid Windows updates if at all possible because historically they know
updates break things and rarely offer significant improvements.
> illegally using their OS and cannot upgrade due to that, I do not want to
> have to bend over backwards to recreate their environment to reproduce the
> bug and test a fix (in addition, there are moral issues with helping these
I think there is a large gap between "continue to support XP SP3 on
1.9.2" and "bend over backwards". Of course maybe I should try yoga.
> users). I would argue that supporting those systems doesn't help the needs
> of the vast majority of users who are using their OS legally and properly
> maintaining it.
But do you really want to base decisions on morality? Shall we ask users
to certify that their machine is being used legally and has been dusted
regularly? They never surf to sites on a mozilla-do-not-visit list?
Always properly shutdown at night?
I don't think any of this is mozilla's business. The only issue is the
number of users of XP SP2.
jjb
Actually, I wanted to point out (somewhat in a somewhat tongue-in-cheek
way) that the number of users we're dropping with this decision might
outweigh the number of users we have on those other platforms which we
apparently value significantly. Of course, there's a lot of guessing
involved, as I'm not someone who has access to that shrine that keeps
all the actual number to back or counter that assumption.
There are a quite significant number of business users out there who are
still on Win2k (I don't care so much about XP < SP2) and it's not even
unheard that Microsoft itself prolongs support times for versions
heavily used in businesses (they even did so for Win98).
We once had that plan that our releases after 1.9.0 would be smaller in
scale and happen more often - I think 6 months was the target then, and
yes, 1.9.1 missed that by far. I for one moment assume that this is
still the plan - we don't have dates yet but you might know more than
me, even this open community shows that early-stage information is still
closed to smaller groups often enough. With all that in mind, the
6-month post-1.9.2.0 maintenance period of 1.9.1 would suggest that the
last version that supports Win2k might even be out before the current
official EOL of Microsoft support for Win2k, even if they don't prolong
this due to significant business usage.
Unsupporting a Windows version before even Microsoft drops it would be
very much unprecedented, and given that the primary argument seems to be
limited manpower and our manpower has nothing else than significantly
increased over the last years, sound like something not that easy to buy
in for someone watching this.
Of course, we are becoming more and more like big companies regarding
the decisions made, and while that might be good from some points of
view, it's not so easy to sell to those parts of our community that
expect us to think differently.
Robert Kaiser
> And yes, I know, that's all tough calls, but I wonder why we support
> MacOS or Linux at all when it looks so easy to probably abandon more
> users than we have on both of those together (has anyone stats that
> would back or disprove that assumption?)
According to Net Applications, both OS X 10.5 and 10.4 are more popular
than Windows 2000 (6.00% and 2.66% vs. 1.24%).
Windows 2000 is more popular than Linux (0.90%) and all major mobile
platforms that we currently support or intend to support (Symbian 0,06%
and Windows CE 0.05%) combined.
Mike makes a good point however on the importance of Linux as a dev
platform (although based on my experience at the summit, pretty much
every techie in the US now runs a Mac).
But based solely on marketshare, we should not abandon W2K yet.
I couldn't find any data on Windows XP service pack allocation.
My "guess" would be that many people have at least updated to SP2,
since it was really a major update with many security and feature
enhancements that were widely discussed in tech *and* general media.
But I don't have any hard numbers on that. My "guess" for the update
to SP3 however is that not nearly as many people have made that step,
since it was mostly just a bundling of past security patches.
For example my company (Big4 professional services/auditing company
with roughly 120.000 Windows installations worldwide) is still
running Windows XP SP2, but Microsoft security updates are regularly
installed.
Cya
> Wait, you seriously believe one single user would upgrade their OS just
> because there's no new Firefox available for them?
(One not-typical user story:)
Not just because of Gecko, and only after a long time with v1.8.1,
but I did eventually replace my W98SE with W2Ksp4.
That was after Microsoft and everyone else stopped providing
softwares/updates for W98.
The only interesting point was I could run W98 without a need for
firewall nor antivirus.
Now, while WXP has some improvements I miss somewhat in W2K,
I'm certainly not interested in some other new features of WXP and beyond.
...
My goal would be to move to Linux, but that looks like a "big" task, and
I know beforehand some of the softwares I use are still available on
Windows only :-/
(Anyway.)
Thanks,
Aakash
-Sam
_______________________________________________
dev-planning mailing list
dev-pl...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-planning
> According to Net Applications, both OS X 10.5 and 10.4 are more
> popular
> than Windows 2000 (6.00% and 2.66% vs. 1.24%).
>
> Windows 2000 is more popular than Linux (0.90%) and all major mobile
> platforms that we currently support or intend to support (Symbian
> 0,06%
> and Windows CE 0.05%) combined.
cheers,
mike
-- Aakash
Because SP2 will reach end of life before 3.5 reaches end of life.
Supporting SP2 for 1.9.2 would mean supporting a "dead man walking" OS
for at least a year, if not longer.
-- Mike
And? If our users are there, I don't think we should simply drop
support because Microsoft has.
I already know the answer, but, uh, have you read through the dropping
10.4 discussion? And the dropping 10.3 discussion before it? I know
you have, yet a lot of your statements here are basically what Josh
was saying before.
Frankly, without actual data to back the discussion, I don't know why
we're even having it now. I saw a couple of things that we'd like to
do in SP2 and later. That's fine. Where's the list of things we want
to do that are only available in SP3 and later? Where's the data
saying 90% of users have upgraded from SP2 to SP3? I'm not sure why
we're talking about dropping support for XP SP2 at all yet, especially
without strong reasons why.
-Sam
My parents were on rural dial-up for years. 56K modems running at
about 5K because of the old phone lines. Auto-updating their OS to SP2
or SP3 was practically impossible, and ordering an upgrade CD... well
they didn't even know such a thing existed. They had Firefox installed
because I put it on a flash drive one weekend and installed it for
them. The cost of upgrading in terms of time/effort was fairly high
for them, and I'm guessing there's 2 or 3 million like them in the US
alone. But I think they would have taken offense to someone refusing
to fix bugs purely as an argument against their OS. It comes off as a
"We know better than you" sorta situation. If the cost in Mozilla's
time in terms of bug fixes/implementing features is high though (how
high is it again?), that doesn't seem nearly as harsh.
Taking the problem with a different angle, most of the third world and
emerging countries use pirated software, all numbers I have seen about
China were saying that +90% software used was pirated and I suspect that
XP SP1 is the easiest one to pirate since it didn't include the "genuine
advantage" software in it.
Given that security on the net seems to be a low priority concern for
users in Asia and the fact that most people use a pirated version of
Windows, I think we should evaluate if stopping support for older
versions of Windows is not going to hinder our growth in emerging
markets and specifically China (basically asking Mozilla China if they
have some insight on the matter).
Regards,
Pascal
> On Apr 14, 2009, at 5:19 AM, Simon Paquet wrote:
>
>> Do we have any reliable numbers from our own download and AMO
>> statistics on the percentage of users, which are still using W2K?
>> I think this discussion would benefit from those numbers.
>
> I, too, would like to see some actual numbers from our user-base
> (downloads, hits on mozilla.com, ADUs, etc) before making a
> determination on what we should do about Windows 2000.
What you really want is the trend data, I would think, since what
we're making a decision on is based on how many users will still be
using that OS version when 3.5 hits EOL. If we ship .next sometime
next spring, we're talking late 2010 before those users lack a
supported browser version. Right now, we're at similar numbers to the
Net Applications numbers. Between now and then we'll see Windows 7
ship, which always spurs a new round of hardware upgrades and trickle-
down, plus a year or more of the natural trend for hardware to die and
be replaced (again, remember that we're dealing with 2004-era hardware
at best, so a lot of computers are reaching end of natural life). I
don't doubt that some people will be left behind, but we gave up 4% of
our users who were on Win98 when we dropped Win9x support for 3.0, so
Win2k is already way under that threshold.
-- Mike
> On Apr 14, 2009, at 9:54 AM, Michael Connor wrote:
>> On 14-Apr-09, at 5:39 AM, Robert O'Callahan wrote:
>>> On 14/4/09 4:37 PM, Michael Connor wrote:
>>>> Put another way, XP (no SP) and XP SP1 have been unsupported and
>>>> unpatched for years now.
>>>
>>> Those are excellent reasons for dropping support for XP/noSP and
>>> XP/SP1. But why drop support for XP/SP2?
>>
>> Because SP2 will reach end of life before 3.5 reaches end of life.
>> Supporting SP2 for 1.9.2 would mean supporting a "dead man walking"
>> OS for at least a year, if not longer.
>
> And? If our users are there, I don't think we should simply drop
> support because Microsoft has.
If our users are happy running an insecure OS with no updates, they
can run the last version of 3.5 as well. If we do have users there,
it is in their best interests to upgrade to SP3 and continue to
receive security updates for their systems. Unless they really really
like spyware and being used as a spam gateway.
> I already know the answer, but, uh, have you read through the
> dropping 10.4 discussion? And the dropping 10.3 discussion before
> it? I know you have, yet a lot of your statements here are basically
> what Josh was saying before.
I was the one who made the final call on 10.3, of course. For 10.4,
of course, there's some significant differences. Win2k is a lot fewer
users than 10.4 (10.4 has 3x the number of users as Win2k), the
timeframe is a lot longer (10 year old OS, replaced 8.5 years before
EOL, last widely sold on PCs around 2002, though some could be as new
as five years old), and Microsoft provides a finite date for the end
of actual patch support, instead of requiring guessing on our part.
We know that after that date, users will be vulnerable and
unprotected, and we know that even a current OS without patches is
vulnerable when connected to the internet. All of these things are
real data points.
> Frankly, without actual data to back the discussion, I don't know
> why we're even having it now. I saw a couple of things that we'd
> like to do in SP2 and later. That's fine. Where's the list of things
> we want to do that are only available in SP3 and later? Where's the
> data saying 90% of users have upgraded from SP2 to SP3? I'm not sure
> why we're talking about dropping support for XP SP2 at all yet,
> especially without strong reasons why.
There's plenty of data. Predicting the state of OS versions for when
3.5 reaches EOL is going to be fairly imprecise, but win2k's share
after July 2010 is likely to be tiny, declining, and heavily zombified.
SP2 vs. SP3 isn't especially interesting, but I would rather have a
policy around ensuring that we support OS versions through their EOL,
but not beyond. That's the best tradeoff between resources and users
I can think of.
-- Mike
I think what people are missing -- including myself -- is what the
resource cost _is_ for supporting SP3. I don't think we gain anything
by being doctrinaire about OS support, though I'm fully in favour of
making economic choices to ensure that we don't bear costs out of
proportion with their returns.
It seems like moving to SP3 is just for the sake of moving to SP3, and
not because it actually gains us anything on the development or
support side. The < SP2 and Win2K cases are much clearer, so it may
well be that there's just something about supporting SP3 that I'm
missing.
Mike
I think it's entirely possible that it will hinder our growth in those
areas. I am not at all convinced that we want to target pirated
software to succeed in our mission. I think it's a bad position to
take for mozilla.org, and I have moral and ethical issues around
effectively supporting piracy by making decisions to ensure that users
of illegal software can use our product.
-- Mike
It's actually pretty likely that supporting SP2 is not much different
from SP3. That's the current baseline for IE7/8 and Chrome, so I'm
fine with that, at least for now, and we can watch to see whether they
change their baselines once SP2 reaches end of life. Of course,
getting a working SP2 install after next July will be more
complicated, but that's why we have MSDN subscriptions, I guess!
-- Mike
That's a fine discussion to have, but we should have it before we
decide how to use or not use such data in deciding operating system
support. Especially when the vendor of the operating system itself
has taken varying stances on how or whether to support unlicensed
copies with security updates. The security of those users running
pirated software is not just an issue for them, but has pretty
wide-ranging effects on the security of other internet users as well.
Mike
>
> illegally using their OS and cannot upgrade due to that, I do not want to
>> have to bend over backwards to recreate their environment to reproduce the
>> bug and test a fix (in addition, there are moral issues with helping these
>>
>
> I think there is a large gap between "continue to support XP SP3 on 1.9.2"
> and "bend over backwards". Of course maybe I should try yoga.
I wasn't suggesting that we drop XP entirely for 1.9.2 (in more than a few
years, we probably will). Supporting XP < SP2 (or worse, systems where
people "remove IE") is bending over backwards because it is almost like a
different OS (APIs and behaviors are different).
> of the vast majority of users who are using their OS legally and properly
>> maintaining it.
>>
> users). I would argue that supporting those systems doesn't help the needs
>
> But do you really want to base decisions on morality? Shall we ask users to
> certify that their machine is being used legally and has been dusted
> regularly? They never surf to sites on a mozilla-do-not-visit list? Always
> properly shutdown at night?
Morality is not the only factor in making a decision and I never said it was
the base for all of mine or should be for everyone. In fact, I never said or
implied any of those things you listed there.
I don't think any of this is mozilla's business. The only issue is the
> number of users of XP SP2.
It is if they have put their machine in a state that is unsupported or
unstable due to these activities. We don't fix the bugs in the download
scanner that resulted from people "uninstalling IE" and I don't think you
will find many people who disagree with that policy.
-Rob
SP3 is two things, a chunk of updates that you probably already got from
Windows Update, but could have declined:
* MMC 3.0, nothing to do with us
* MSXML 6, nothing to do with us (I hope)
* Windows Installer 3.1, nothing to do with us the way things seem to be
going
* BITS 2.5, I'd be surprised if we decided to use it instead of rolling
our own
* IPSec Simple Policy Update, nothing to do with us
* Digital Identity Management Service, nothing to do with us
* Peer Name Resolution Protocol, nothing to do with us
* RDP 6.1, nothing to do with us
* WPA2, a stretch to claim it's to do with us
and a chunk of new things:
* better black hole router detection, nothing to do with us
* Network Access Protection, nothing to do with us
* CredSSP, nothing to do with us
So unless I'm misunderstanding one of the things which sound like they
are only about interactions with Windows servers on your Window LAN,
requiring SP3 would be an entirely non-technical choice unless we plan
on doing an .msi *and* using a feature that was in the 3.1 update, or
using BITS for background downloads.
I think it would be helpful if someone can enumerate the reasons why XP
SP2 is unsupportable or unstable for 1.9.2. Mike Connor's proposal cited
Microsoft's EOL policy at the reason. I don't think this is enough of a
reason, because Microsoft updates beyond SP2 are not easy nor valuable.
But perhaps there are other reasons?
jjb