Proposal: Raise minimum requirements for 1.9.2 on Windows to WinXP SP3

38 views
Skip to first unread message

Michael Connor

unread,
Apr 13, 2009, 10:33:59 PM4/13/09
to dev-pl...@lists.mozilla.org
Proposal:

Raise the minimum requirements for Gecko 1.9.2 (and any versions of
Firefox built on 1.9.2) for Windows builds to require Windows XP
Service Pack 3 or higher.


Background:

Supporting multiple OS versions is not zero cost, in terms of testing,
code complexity and developer sanity. We have previously raised the
minimum requirement to Windows 2000 for Firefox 3. We have also
raised the minimum requirements for Linux and Mac builds in that same
timeframe. While we have not formalized a policy by which we drop
support for OS versions, in general the main concerns have been how
recently the OS versions have been available and sold (in some cases)
as well as the ability and costs involved for users to upgrade.
Additionally, the continued availability of security updates for the
OS level is important, as users on unsupported of operating systems,
especially Windows, are highly vulnerable no matter what we do, so
there is a strong argument against giving those users a reason to stay
on that platform.

On July 13, 2010, Microsoft will end all support for Windows 2000 (all
service packs) and Windows XP Service Pack 2 (XP SP1 and the original
XP have already passed their end of support). This means that after
this date, these OS versions will not get any security updates and
will not receive any support from Microsoft. Service Pack 3 is a free
upgrade for all XP users. Windows 2000 has no free upgrade path, but
has not been available at retail since March 2004, and was last
legally sold as a preloaded OS in March 2005, which is over four years
ago, and will be more than five years from when we ship the last
supported version of Firefox. Users should be able to successfully
migrate to XP or Linux if they intend to keep using their old hardware.


Affected Users:

All users still running either Windows 2000 or Windows XP Service Pack
2 (or lower). As Service Pack 3 is a free upgrade for XP users, only
Windows 2000 users will be forced to change their OS to use the next
version of Firefox.

As we intend to ship the next version of Firefox in early 2010,
Firefox 3.5 will continue to be supported under our current support
policy (six months after the next version) until after those OS
versions are no longer supported, so users will continue to be
supported by Mozilla as least as long as their OS is supported.


Relevant Links:

General Microsoft Support Lifecycle Policy:
http://support.microsoft.com/lifecycle/

Windows Service Pack Support End Dates:
http://support.microsoft.com/gp/lifesupsps#Windows

Windows 2000 Support Lifecycle
http://support.microsoft.com/lifecycle/?p1=3071

Windows Life-Cycle Policy (licensing availability)
http://www.microsoft.com/windows/lifecycle/default.mspx

Robert Accettura

unread,
Apr 13, 2009, 10:40:33 PM4/13/09
to Michael Connor, dev-pl...@lists.mozilla.org
I know Win2k is somewhat limited at this point but is there any data
regarding what percentage of Windows XP users run something less than
SP3? I presume most impact will be corporations that are slow to roll
out upgrades as SP3 has been out for a while now.

-R

Mike Beltzner

unread,
Apr 13, 2009, 11:13:05 PM4/13/09
to Michael Connor, dev-pl...@lists.mozilla.org
On 13-Apr-09, at 10:33 PM, Michael Connor wrote:

> Proposal:
>
> Raise the minimum requirements for Gecko 1.9.2 (and any versions of
> Firefox built on 1.9.2) for Windows builds to require Windows XP
> Service Pack 3 or higher.

Is there a reason for specifying SP3 here, in terms of development
demand to keep Gecko compatible? Put another way, have the Windows
libraries changed sufficiently between SP1 and SP3 that it's likely
that we'll produce a version of Gecko that would be compatible with
Windows XP SP3+ but not with SP2 or SP1?

Right now the majority of our Windows users are still on XP, but I'm
not sure it's clear how many of those users have upgraded, or intend
to upgrade (or in some cases are able to upgrade) and while I
understand that the platform itself isn't supported by Microsoft, I do
think that keeping those XP users from being able to use Firefox will
end up doing more harm (to them) than good, no matter what the intent.

cheers,
mike

Rob Arnold

unread,
Apr 13, 2009, 11:25:21 PM4/13/09
to dev-pl...@lists.mozilla.org
On Mon, Apr 13, 2009 at 11:13 PM, Mike Beltzner <belt...@mozilla.com>wrote:

> On 13-Apr-09, at 10:33 PM, Michael Connor wrote:
>
> Proposal:
>>
>> Raise the minimum requirements for Gecko 1.9.2 (and any versions of
>> Firefox built on 1.9.2) for Windows builds to require Windows XP Service
>> Pack 3 or higher.
>>
>
> Is there a reason for specifying SP3 here, in terms of development demand
> to keep Gecko compatible? Put another way, have the Windows libraries
> changed sufficiently between SP1 and SP3 that it's likely that we'll produce
> a version of Gecko that would be compatible with Windows XP SP3+ but not
> with SP2 or SP1?


There are new features in SP2 (mostly security related) such as the
IAttachmentExecute interface which the download scanner uses. We could
eliminate the old IOfficeAntiVirus code if we drop support for Win2k and XP
SP<2. The APIs are mostly the same however. We can also drop the theme
hackery that currently exists entirely due to supporting Windows 2000 (since
it lacks the uxtheme api).


> Right now the majority of our Windows users are still on XP, but I'm not
> sure it's clear how many of those users have upgraded, or intend to upgrade
> (or in some cases are able to upgrade) and while I understand that the
> platform itself isn't supported by Microsoft, I do think that keeping those
> XP users from being able to use Firefox will end up doing more harm (to
> them) than good, no matter what the intent.


We can justify dropping 2k/XP entirely better than setting the minimum to XP
SP3 because there are many more new features in Vista that we could take
advantage of (native condition variables, graphics changes, integrity
levels, etc...).

I think we should see how Windows 7 pans out. If the result is good and
users migrate from XP, then we should consider dropping XP. Of course, there
will always be people who cling to old systems like Win2k and XP and they
will be vocal.

It should be pretty safe to drop support for Win2k but I cannot think of any
reasons besides the theme APIs.

-Rob

Mike Beltzner

unread,
Apr 13, 2009, 11:33:15 PM4/13/09
to Rob Arnold, dev-pl...@lists.mozilla.org
On 13-Apr-09, at 11:25 PM, Rob Arnold wrote:

> There are new features in SP2 (mostly security related) such as the
> IAttachmentExecute interface which the download scanner uses. We could
> eliminate the old IOfficeAntiVirus code if we drop support for Win2k
> and XP
> SP<2. The APIs are mostly the same however. We can also drop the theme
> hackery that currently exists entirely due to supporting Windows
> 2000 (since
> it lacks the uxtheme api).

Yes, I understand the case for dropping W2K support (though we should
get our approximate user counts there and do that with our eyes open)
and think it's virtuous. It was the SP1/2 bit that I didn't quite get.
Aside from the IOfficeAntiVirus API, any other wins that anyone knows
of?

> I think we should see how Windows 7 pans out. If the result is good
> and
> users migrate from XP, then we should consider dropping XP. Of
> course, there
> will always be people who cling to old systems like Win2k and XP and
> they
> will be vocal.

Indeed, I think it will be a function of schedule (when will Gecko
1.9.2 drop?) and market function. From what I hear in the latest
rumour mills, though, Windows 7 may not be as early as originally
expected, meaning that the XP market share is likely to stick around.

cheers,
mike

Justin Dolske

unread,
Apr 14, 2009, 12:35:54 AM4/14/09
to
On 4/13/09 8:13 PM, Mike Beltzner wrote:

> Is there a reason for specifying SP3 here, in terms of development
> demand to keep Gecko compatible?

I suppose one minor point is that we don't have tinderboxes testing the
3 different SP flavors of XP. [AFAIK they're all the same SP, though I'm
not sure exactly which one.] It would be nice to raise requirements to
what we actually test (which should become SP3, if it's not already).

Justin

Michael Connor

unread,
Apr 14, 2009, 12:37:58 AM4/14/09
to dev-pl...@lists.mozilla.org

On 13-Apr-09, at 11:33 PM, Mike Beltzner wrote:

> On 13-Apr-09, at 11:25 PM, Rob Arnold wrote:
>
>> There are new features in SP2 (mostly security related) such as the
>> IAttachmentExecute interface which the download scanner uses. We
>> could
>> eliminate the old IOfficeAntiVirus code if we drop support for
>> Win2k and XP
>> SP<2. The APIs are mostly the same however. We can also drop the
>> theme
>> hackery that currently exists entirely due to supporting Windows
>> 2000 (since
>> it lacks the uxtheme api).
>
> Yes, I understand the case for dropping W2K support (though we
> should get our approximate user counts there and do that with our
> eyes open) and think it's virtuous. It was the SP1/2 bit that I
> didn't quite get. Aside from the IOfficeAntiVirus API, any other
> wins that anyone knows of?

There's a number of other places this occurs. There's also been bugs
that were SP1-only (i.e. bug 366643, which turned up from an mxr
search). There were significant architectural changes with Service
Pack 2 around security, which benefits users if it doesn't impact
compatibility. (Someone on IRC described it as the "Internet is
Scary" service pack.)

Put another way, XP (no SP) and XP SP1 have been unsupported and
unpatched for years now. Users on those OSes are almost certainly
vulnerable, if they're not already owned. Any effort expended in
supporting those users is the technical equivalent of throwing good
money after bad. I don't know of any software that would require
SP1. Other than slow-to-upgrade corporate environments (which will
_surely_ migrate by SP2 EOL), I am unaware of anyone choosing to
remain on lower service packs past the support date for any reason
other than being unaware of the very real risk involved. IE7/IE8/
Chrome already require XP SP2 or higher (I can't find data on whether
Safari has any Service Pack-level requirements) so I don't think we
lose anything by catching up.

>> I think we should see how Windows 7 pans out. If the result is good
>> and
>> users migrate from XP, then we should consider dropping XP. Of
>> course, there
>> will always be people who cling to old systems like Win2k and XP
>> and they
>> will be vocal.
>
> Indeed, I think it will be a function of schedule (when will Gecko
> 1.9.2 drop?) and market function. From what I hear in the latest
> rumour mills, though, Windows 7 may not be as early as originally
> expected, meaning that the XP market share is likely to stick around.

I don't think completely dropping XP is feasible for 1.9.2 unless it
ships in 2012, given that many machines (notably netbooks) are still
shipping with XP Home right now.

-- Mike

John J. Barton

unread,
Apr 14, 2009, 1:11:18 AM4/14/09
to
Michael Connor wrote:
> Proposal:
>
> Raise the minimum requirements for Gecko 1.9.2 (and any versions of
> Firefox built on 1.9.2) for Windows builds to require Windows XP Service
> Pack 3 or higher.

...


> On July 13, 2010, Microsoft will end all support for Windows 2000 (all
> service packs) and Windows XP Service Pack 2 (XP SP1 and the original XP
> have already passed their end of support). This means that after this
> date, these OS versions will not get any security updates and will not
> receive any support from Microsoft. Service Pack 3 is a free upgrade
> for all XP users.

I wonder if this is true. I would believe "free upgrade for all XP
licensees". Anyone with a corporate install Windows computer from a
former employer or other circumstance may not have access SP3. I wonder
how many of us there are? Betcha a lot more than you'd think. It's not
like SP3 is important (or Vista for that matter).

I could switch this machine to Linux, but I would be very reluctant to
break what works.

Seems like July 13, 2010 would make 1.9.3 more appropriate.

>
> Relevant Links:
>

Microsoft policy is not so important as what the installed base actually
contains. Is there info on that?

jjb

Phil Ringnalda

unread,
Apr 14, 2009, 1:43:46 AM4/14/09
to
On 4/13/09 9:35 PM, Justin Dolske wrote:
> I suppose one minor point is that we don't have tinderboxes testing the
> 3 different SP flavors of XP. [AFAIK they're all the same SP, though I'm
> not sure exactly which one.] It would be nice to raise requirements to
> what we actually test (which should become SP3, if it's not already).

Sort of depends on what you mean by "test" - according to wikimo, the
Talos XP boxes are SP2, but afair unit tests have always been Server
2k3, and even back to Fx2 builds are 2k3 (though I think they might have
started out as 2k, and Thunderbird 2 is apparently still chugging along
on a 2k tinderbox).

If you break perf on SP3 but not on SP2, you won't know it, but if you
break something unit tested on XP-anything but not 2k3 (or Vista but not
2k3), you'll only know it if someone finally says "you know, I haven't
been able to get a test run on my XP VM to pass since..." or when
someone reports the real-world breakage.

Michael Connor

unread,
Apr 14, 2009, 2:10:02 AM4/14/09
to John J. Barton, dev-pl...@lists.mozilla.org

On 14-Apr-09, at 1:11 AM, John J. Barton wrote:

>> On July 13, 2010, Microsoft will end all support for Windows 2000
>> (all service packs) and Windows XP Service Pack 2 (XP SP1 and the
>> original XP have already passed their end of support). This means
>> that after this date, these OS versions will not get any security
>> updates and will not receive any support from Microsoft. Service
>> Pack 3 is a free upgrade for all XP users.
>
> I wonder if this is true. I would believe "free upgrade for all XP
> licensees". Anyone with a corporate install Windows computer from a
> former employer or other circumstance may not have access SP3. I
> wonder how many of us there are? Betcha a lot more than you'd think.
> It's not like SP3 is important (or Vista for that matter).

If you don't have the license (i.e. if it was part of a corporate site
license, and you left the company with the machine) then technically
you aren't using the software legally. I suppose there's some number
of people using software without actually having a license to that
software. I don't believe we should make a decision based on users
who can't upgrade their OS because they aren't using it legally.

> > Relevant Links:
> >
> Microsoft policy is not so important as what the installed base
> actually contains. Is there info on that?

Microsoft policy is completely important, if that's when security
updates stop happening. I don't think we want to put time and
resources into operating systems which will rapidly be exploited. https://isc.sans.org/survivaltime.html
has a fun graph which shows average time to exploit an unpatched
system exposed to the Internet.

If the installed base wants to be zombies, that's fine, but that
doesn't mean we should invest in giving them one more reason to expose
themselves.

-- Mike

John J. Barton

unread,
Apr 14, 2009, 2:31:59 AM4/14/09
to
Michael Connor wrote:

> software. I don't believe we should make a decision based on users who
> can't upgrade their OS because they aren't using it legally.

Ok, I guess we disagree. I think mozilla should make decisions based on
the needs of their users.

jjb

Rob Arnold

unread,
Apr 14, 2009, 2:38:01 AM4/14/09
to John J. Barton, dev-pl...@lists.mozilla.org


I don't want spend my time debugging or trying to reproduce an issue for an
operating system that isn't up to date when it could easily be. If users are
illegally using their OS and cannot upgrade due to that, I do not want to
have to bend over backwards to recreate their environment to reproduce the
bug and test a fix (in addition, there are moral issues with helping these
users). I would argue that supporting those systems doesn't help the needs
of the vast majority of users who are using their OS legally and properly
maintaining it.

We have users who use the server editions of Windows and Firefox works
mostly correctly there, but it is technically unsupported and I have had to
deal with bugs resulting from the subtle differences. The fewer platforms we
have to support, the more productive my time can be spent working on bug
that address issues for a much larger set of people.

-Rob

Serge Gautherie

unread,
Apr 14, 2009, 5:20:24 AM4/14/09
to

Count me in as a W2K user :->
(And, unrelated, I build with '--disable-vista-sdk-requirements'.)

I would ask for some kind of '--disable-xp-requirements' if that's possible.
If it's not (= probaly unwanted), then too bad for me...


Robert O'Callahan

unread,
Apr 14, 2009, 5:39:11 AM4/14/09
to
On 14/4/09 4:37 PM, Michael Connor wrote:
> Put another way, XP (no SP) and XP SP1 have been unsupported and
> unpatched for years now.

Those are excellent reasons for dropping support for XP/noSP and XP/SP1.
But why drop support for XP/SP2?

Rob

Simon Paquet

unread,
Apr 14, 2009, 8:19:52 AM4/14/09
to
Michael Connor wrote on 14. Apr 2009:

> Proposal:
>
> Raise the minimum requirements for Gecko 1.9.2 (and any versions of
> Firefox built on 1.9.2) for Windows builds to require Windows XP
> Service Pack 3 or higher.

I am a little bit concerned about dropping Windows 2000 given that
Gecko 1.9.2 will be released when W2K will still be supported by
Microsoft for a few months.

On the other hand, its global market share is steadily declining and
already very low according to the market share reports from Gemius,
StatCounter and Net Applications.

Do we have any reliable numbers from our own download and AMO
statistics on the percentage of users, which are still using W2K?
I think this discussion would benefit from those numbers.

Simon

--
Thunderbird/Calendar Localisation (L10n) Coordinator
Thunderbird l10n blog: http://thunderbird-l10n.blogspot.com
Calendar website maintainer: http://www.mozilla.org/projects/calendar
Calendar developer blog: http://weblogs.mozillazine.org/calendar

Chris AtLee

unread,
Apr 14, 2009, 9:12:59 AM4/14/09
to
On 14/04/09 01:43 AM, Phil Ringnalda wrote:
> On 4/13/09 9:35 PM, Justin Dolske wrote:
>> I suppose one minor point is that we don't have tinderboxes testing the
>> 3 different SP flavors of XP. [AFAIK they're all the same SP, though I'm
>> not sure exactly which one.] It would be nice to raise requirements to
>> what we actually test (which should become SP3, if it's not already).
>
> Sort of depends on what you mean by "test" - according to wikimo, the
> Talos XP boxes are SP2, but afair unit tests have always been Server
> 2k3, and even back to Fx2 builds are 2k3 (though I think they might have
> started out as 2k, and Thunderbird 2 is apparently still chugging along
> on a 2k tinderbox).

Yes, all of our Fx 3.5 builds and unit tests are done in windows 2003.
Talos testing is done under XP and Vista.

Robert Kaiser

unread,
Apr 14, 2009, 9:42:57 AM4/14/09
to
Michael Connor wrote:
> Proposal:
>
> Raise the minimum requirements for Gecko 1.9.2 (and any versions of
> Firefox built on 1.9.2) for Windows builds to require Windows XP Service
> Pack 3 or higher.

We're really trying as hard as possible to piss off as many users as we
can, right?

Robert Kaiser

Robert Kaiser

unread,
Apr 14, 2009, 9:51:35 AM4/14/09
to
Michael Connor wrote:
> Put another way, XP (no SP) and XP SP1 have been unsupported and
> unpatched for years now. Users on those OSes are almost certainly
> vulnerable, if they're not already owned.

Wait, you seriously believe one single user would upgrade their OS just
because there's no new Firefox available for them? Int he contrary, they
will either switch to a different browser or continue to use an old,
more insecure Firefox. That's already the case with a good number of
people on Win9x and Firefox 2 (still millions of people, last I heard)
and I haven't yet heard of anyone who thrashed Win9x because Firefox 2
was EOLed and Firefox 3 is not available for them.

It sounds like some people here have a strange view of how people decide
to use what system. Firefox is not the driving force for people to buy
new computers (which is bad for nature anyways) or buy and install new
operating systems.

And dropping Win2k support will be a very good argument for business not
using Firefox ;-)

Robert Kaiser

Mike Shaver

unread,
Apr 14, 2009, 9:57:13 AM4/14/09
to Robert Kaiser, dev-pl...@lists.mozilla.org

Yes, that is our goal. It has nothing to do with trying to apply our
limited resources to where they can affect the most people.

On the bright side, SeaMonkey will be able to continue to support XP
SP1 and Win 2k, and thereby gain all those users, since per your other
message they'll just switch to another browser -- sounds like a real
opportunity for you.

Mike

Mike Shaver

unread,
Apr 14, 2009, 10:03:07 AM4/14/09
to Robert Kaiser, dev-pl...@lists.mozilla.org
On Tue, Apr 14, 2009 at 9:51 AM, Robert Kaiser <ka...@kairo.at> wrote:
> Michael Connor wrote:
>>
>> Put another way, XP (no SP) and XP SP1 have been unsupported and
>> unpatched for years now. Users on those OSes are almost certainly
>> vulnerable, if they're not already owned.
>
> Wait, you seriously believe one single user would upgrade their OS just
> because there's no new Firefox available for them?

I don't see that position stated in the quote -- why do you think that
Mike believes that they would upgrade only to get Firefox? (Though "a
single user" is a pretty low bar, so I'd probably be willing to make a
wager.)

> And dropping Win2k support will be a very good argument for business not
> using Firefox ;-)

They'll have to stick with IE6 if they want to keep Win2K on desktops,
I think, since IE7 isn't supported there AFAIK. That's not really an
addressable market for us regardless, I'm pretty sure, so we should
again focus on getting the most result for our investment.

Mike

Samuel Sidler

unread,
Apr 14, 2009, 10:10:58 AM4/14/09
to dev. planning
On Apr 14, 2009, at 5:19 AM, Simon Paquet wrote:

> Do we have any reliable numbers from our own download and AMO
> statistics on the percentage of users, which are still using W2K?
> I think this discussion would benefit from those numbers.

I, too, would like to see some actual numbers from our user-base
(downloads, hits on mozilla.com, ADUs, etc) before making a
determination on what we should do about Windows 2000.

-Sam

Robert Kaiser

unread,
Apr 14, 2009, 10:23:27 AM4/14/09
to
Mike Shaver wrote:
> On the bright side, SeaMonkey will be able to continue to support XP
> SP1 and Win 2k, and thereby gain all those users, since per your other
> message they'll just switch to another browser -- sounds like a real
> opportunity for you.

Wrong. We can't go with different requirements than the Geck we base
upon - well, unless, of course, we go and switch to WebKit and rewrite
our UI on some sucky native UI library. Though, before the latter
happens, I'd move to either be a Firefox or KDE dev. ;-)

Robert Kaiser

Mike Beltzner

unread,
Apr 14, 2009, 10:35:43 AM4/14/09
to mozilla.dev.planning group
On 14-Apr-09, at 2:10 AM, Michael Connor wrote:

> Microsoft policy is completely important, if that's when security
> updates stop happening. I don't think we want to put time and
> resources into operating systems which will rapidly be exploited. https://isc.sans.org/survivaltime.html
> has a fun graph which shows average time to exploit an unpatched
> system exposed to the Internet.

This is slightly off-topic, but do we know if those exploits are from
just attaching the Windows network stack to a port or if they're from
browsing with IE? If it's mostly the latter, then by preserving
Firefox support for those users we're actually helping to protect them.

cheers,
mike

Mike Shaver

unread,
Apr 14, 2009, 10:50:18 AM4/14/09
to Mike Beltzner, mozilla.dev.planning group
On Tue, Apr 14, 2009 at 10:35 AM, Mike Beltzner <belt...@mozilla.com> wrote:
> This is slightly off-topic, but do we know if those exploits are from just
> attaching the Windows network stack to a port or if they're from browsing
> with IE? If it's mostly the latter, then by preserving Firefox support for
> those users we're actually helping to protect them.

I believe those stats are based on the default set of
applications/services that can be remotely tickled for the various
operating systems, based on the list of ports they provide. They
would likely respond promptly to an inquiry on the topic, if asked.

Mike

Mike Shaver

unread,
Apr 14, 2009, 10:50:51 AM4/14/09
to Robert Kaiser, dev-pl...@lists.mozilla.org
On Tue, Apr 14, 2009 at 10:23 AM, Robert Kaiser <ka...@kairo.at> wrote:
> Mike Shaver wrote:
>>
>> On the bright side, SeaMonkey will be able to continue to support XP
>> SP1 and Win 2k, and thereby gain all those users, since per your other
>> message they'll just switch to another browser -- sounds like a real
>> opportunity for you.
>
> Wrong. We can't go with different requirements than the Geck we base upon -

Sure, but the SeaMonkey team could maintain the alternate code paths
and compensations required for XP SP1 and Win2K, and drive the testing
on those platforms, right?

Or is that not a good use of your limited resources either? :)

Mike

Robert Kaiser

unread,
Apr 14, 2009, 11:00:58 AM4/14/09
to

Erm, to be serious, we have good reasons to reduce the amount of code we
maintain and use toolkit instead of xpfe - I guess that should answer
your question ;-)

And yes, I know, that's all tough calls, but I wonder why we support
MacOS or Linux at all when it looks so easy to probably abandon more
users than we have on both of those together (has anyone stats that
would back or disprove that assumption?)

Robert Kaiser

Mike Shaver

unread,
Apr 14, 2009, 11:07:20 AM4/14/09
to Robert Kaiser, dev-pl...@lists.mozilla.org
On Tue, Apr 14, 2009 at 11:00 AM, Robert Kaiser <ka...@kairo.at> wrote:
> And yes, I know, that's all tough calls, but I wonder why we support MacOS
> or Linux at all when it looks so easy to probably abandon more users than we
> have on both of those together (has anyone stats that would back or disprove
> that assumption?)

We would lose a lot of our developers, and valuable tools (shark,
valgrind), if we didn't support those operating systems, to say
nothing of Linux being one of our major mobile platforms. Are you
just trolling, or do you really not know that?

Mike

John J. Barton

unread,
Apr 14, 2009, 11:39:49 AM4/14/09
to
Rob Arnold wrote:
> On Tue, Apr 14, 2009 at 2:31 AM, John J. Barton <johnj...@johnjbarton.com
>> wrote:
>
>> Michael Connor wrote:
>>
>> software. I don't believe we should make a decision based on users who
>>> can't upgrade their OS because they aren't using it legally.
>>>
>> Ok, I guess we disagree. I think mozilla should make decisions based on the
>> needs of their users.
>
>
> I don't want spend my time debugging or trying to reproduce an issue for an
> operating system that isn't up to date when it could easily be. If users are

But as I pointed out, updating is not always easy. Many, many users
avoid Windows updates if at all possible because historically they know
updates break things and rarely offer significant improvements.

> illegally using their OS and cannot upgrade due to that, I do not want to
> have to bend over backwards to recreate their environment to reproduce the
> bug and test a fix (in addition, there are moral issues with helping these

I think there is a large gap between "continue to support XP SP3 on
1.9.2" and "bend over backwards". Of course maybe I should try yoga.

> users). I would argue that supporting those systems doesn't help the needs
> of the vast majority of users who are using their OS legally and properly
> maintaining it.

But do you really want to base decisions on morality? Shall we ask users
to certify that their machine is being used legally and has been dusted
regularly? They never surf to sites on a mozilla-do-not-visit list?
Always properly shutdown at night?

I don't think any of this is mozilla's business. The only issue is the
number of users of XP SP2.

jjb

Robert Kaiser

unread,
Apr 14, 2009, 11:55:37 AM4/14/09
to

Actually, I wanted to point out (somewhat in a somewhat tongue-in-cheek
way) that the number of users we're dropping with this decision might
outweigh the number of users we have on those other platforms which we
apparently value significantly. Of course, there's a lot of guessing
involved, as I'm not someone who has access to that shrine that keeps
all the actual number to back or counter that assumption.

There are a quite significant number of business users out there who are
still on Win2k (I don't care so much about XP < SP2) and it's not even
unheard that Microsoft itself prolongs support times for versions
heavily used in businesses (they even did so for Win98).
We once had that plan that our releases after 1.9.0 would be smaller in
scale and happen more often - I think 6 months was the target then, and
yes, 1.9.1 missed that by far. I for one moment assume that this is
still the plan - we don't have dates yet but you might know more than
me, even this open community shows that early-stage information is still
closed to smaller groups often enough. With all that in mind, the
6-month post-1.9.2.0 maintenance period of 1.9.1 would suggest that the
last version that supports Win2k might even be out before the current
official EOL of Microsoft support for Win2k, even if they don't prolong
this due to significant business usage.

Unsupporting a Windows version before even Microsoft drops it would be
very much unprecedented, and given that the primary argument seems to be
limited manpower and our manpower has nothing else than significantly
increased over the last years, sound like something not that easy to buy
in for someone watching this.

Of course, we are becoming more and more like big companies regarding
the decisions made, and while that might be good from some points of
view, it's not so easy to sell to those parts of our community that
expect us to think differently.

Robert Kaiser

RyanVM

unread,
Apr 14, 2009, 12:06:49 PM4/14/09
to
SP3 was much more incremental in nature over SP2 compared to SP2 over
SP0/SP1. I'm personally sending this message from a company-controlled
computer running SP2 still. Given that SP3 doesn't seem to be offering
anything special over SP2 API-wise, why not set the cutoff at SP2 like
IE7/IE8?

Simon Paquet

unread,
Apr 14, 2009, 12:11:30 PM4/14/09
to
Robert Kaiser wrote on 14. Apr 2009:

> And yes, I know, that's all tough calls, but I wonder why we support
> MacOS or Linux at all when it looks so easy to probably abandon more
> users than we have on both of those together (has anyone stats that
> would back or disprove that assumption?)

According to Net Applications, both OS X 10.5 and 10.4 are more popular
than Windows 2000 (6.00% and 2.66% vs. 1.24%).

Windows 2000 is more popular than Linux (0.90%) and all major mobile
platforms that we currently support or intend to support (Symbian 0,06%
and Windows CE 0.05%) combined.

Mike makes a good point however on the importance of Linux as a dev
platform (although based on my experience at the summit, pretty much
every techie in the US now runs a Mac).

But based solely on marketshare, we should not abandon W2K yet.

I couldn't find any data on Windows XP service pack allocation.

My "guess" would be that many people have at least updated to SP2,
since it was really a major update with many security and feature
enhancements that were widely discussed in tech *and* general media.

But I don't have any hard numbers on that. My "guess" for the update
to SP3 however is that not nearly as many people have made that step,
since it was mostly just a bundling of past security patches.

For example my company (Big4 professional services/auditing company
with roughly 120.000 Windows installations worldwide) is still
running Windows XP SP2, but Microsoft security updates are regularly
installed.

Cya

Serge Gautherie

unread,
Apr 14, 2009, 12:22:45 PM4/14/09
to
Robert Kaiser wrote:

> Wait, you seriously believe one single user would upgrade their OS just
> because there's no new Firefox available for them?

(One not-typical user story:)

Not just because of Gecko, and only after a long time with v1.8.1,
but I did eventually replace my W98SE with W2Ksp4.
That was after Microsoft and everyone else stopped providing
softwares/updates for W98.

The only interesting point was I could run W98 without a need for
firewall nor antivirus.

Now, while WXP has some improvements I miss somewhat in W2K,
I'm certainly not interested in some other new features of WXP and beyond.

...
My goal would be to move to Linux, but that looks like a "big" task, and
I know beforehand some of the softwares I use are still available on
Windows only :-/

(Anyway.)

Aakash Desai

unread,
Apr 14, 2009, 12:27:46 PM4/14/09
to Samuel Sidler, dev. planning

Going from there, I'd also like to see the number of computer users in the world (or just North America if that isn't possible) that don't have Firefox and what OS they run. It's a tall task, but the decision that's being discussed here is pertinent enough to ask for that IMO.

Thanks,
Aakash

-Sam
_______________________________________________
dev-planning mailing list
dev-pl...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-planning

Mike Beltzner

unread,
Apr 14, 2009, 12:42:00 PM4/14/09
to Aakash Desai, dev. planning, Samuel Sidler
Isn't that what sipaq provided?

> According to Net Applications, both OS X 10.5 and 10.4 are more
> popular
> than Windows 2000 (6.00% and 2.66% vs. 1.24%).
>
> Windows 2000 is more popular than Linux (0.90%) and all major mobile
> platforms that we currently support or intend to support (Symbian
> 0,06%
> and Windows CE 0.05%) combined.

cheers,
mike

Aakash Desai

unread,
Apr 14, 2009, 12:49:07 PM4/14/09
to Mike Beltzner, dev. planning, Samuel Sidler
Actually, those are percentages of users, in the world, running a specific OS. They're not the percentages for those running OS' and that don't have Firefox which I was hoping to see. :)

-- Aakash

Michael Connor

unread,
Apr 14, 2009, 12:54:24 PM4/14/09
to Robert O'Callahan, dev-pl...@lists.mozilla.org

Because SP2 will reach end of life before 3.5 reaches end of life.
Supporting SP2 for 1.9.2 would mean supporting a "dead man walking" OS
for at least a year, if not longer.

-- Mike

Samuel Sidler

unread,
Apr 14, 2009, 1:00:10 PM4/14/09
to Michael Connor, dev-pl...@lists.mozilla.org, Robert O'Callahan
On Apr 14, 2009, at 9:54 AM, Michael Connor wrote:
> On 14-Apr-09, at 5:39 AM, Robert O'Callahan wrote:
> Because SP2 will reach end of life before 3.5 reaches end of life.
> Supporting SP2 for 1.9.2 would mean supporting a "dead man walking"
> OS for at least a year, if not longer.

And? If our users are there, I don't think we should simply drop
support because Microsoft has.

I already know the answer, but, uh, have you read through the dropping
10.4 discussion? And the dropping 10.3 discussion before it? I know
you have, yet a lot of your statements here are basically what Josh
was saying before.

Frankly, without actual data to back the discussion, I don't know why
we're even having it now. I saw a couple of things that we'd like to
do in SP2 and later. That's fine. Where's the list of things we want
to do that are only available in SP3 and later? Where's the data
saying 90% of users have upgraded from SP2 to SP3? I'm not sure why
we're talking about dropping support for XP SP2 at all yet, especially
without strong reasons why.

-Sam

DigDug

unread,
Apr 14, 2009, 1:05:15 PM4/14/09
to
Are there any estimates out there of the cost of supporting these
platforms (in terms of time mostly I guess, maybe code complexity)?
What are the metrics from the downloads page on the number of users
running Win2K? Just running a quick search through the mozilla-central
changelog for Win2K, most things seem related to Win2k3, but I'm no
expert. If this is an hour a year of time, I don't see why you
wouldn't support it, at least for one more release cycle. Maybe you
give them one release cycle of with a warning about "Firefox.next will
no longer support your OS" and a quick support page to aid in how to
upgrade/information explaining if they even care.

My parents were on rural dial-up for years. 56K modems running at
about 5K because of the old phone lines. Auto-updating their OS to SP2
or SP3 was practically impossible, and ordering an upgrade CD... well
they didn't even know such a thing existed. They had Firefox installed
because I put it on a flash drive one weekend and installed it for
them. The cost of upgrading in terms of time/effort was fairly high
for them, and I'm guessing there's 2 or 3 million like them in the US
alone. But I think they would have taken offense to someone refusing
to fix bugs purely as an argument against their OS. It comes off as a
"We know better than you" sorta situation. If the cost in Mozilla's
time in terms of bug fixes/implementing features is high though (how
high is it again?), that doesn't seem nearly as harsh.

Pascal Chevrel

unread,
Apr 14, 2009, 1:07:35 PM4/14/09
to Michael Connor, John J. Barton, dev-pl...@lists.mozilla.org
Le 14.04.2009 08:10, Michael Connor a écrit :
> If you don't have the license (i.e. if it was part of a corporate site
> license, and you left the company with the machine) then technically you
> aren't using the software legally. I suppose there's some number of
> people using software without actually having a license to that

> software. I don't believe we should make a decision based on users who
> can't upgrade their OS because they aren't using it legally.
>

Taking the problem with a different angle, most of the third world and
emerging countries use pirated software, all numbers I have seen about
China were saying that +90% software used was pirated and I suspect that
XP SP1 is the easiest one to pirate since it didn't include the "genuine
advantage" software in it.

Given that security on the net seems to be a low priority concern for
users in Asia and the fact that most people use a pirated version of
Windows, I think we should evaluate if stopping support for older
versions of Windows is not going to hinder our growth in emerging
markets and specifically China (basically asking Mozilla China if they
have some insight on the matter).

Regards,

Pascal

Michael Connor

unread,
Apr 14, 2009, 1:11:45 PM4/14/09
to Samuel Sidler, dev. planning

On 14-Apr-09, at 10:10 AM, Samuel Sidler wrote:

> On Apr 14, 2009, at 5:19 AM, Simon Paquet wrote:
>

>> Do we have any reliable numbers from our own download and AMO
>> statistics on the percentage of users, which are still using W2K?
>> I think this discussion would benefit from those numbers.
>

> I, too, would like to see some actual numbers from our user-base
> (downloads, hits on mozilla.com, ADUs, etc) before making a
> determination on what we should do about Windows 2000.

What you really want is the trend data, I would think, since what
we're making a decision on is based on how many users will still be
using that OS version when 3.5 hits EOL. If we ship .next sometime
next spring, we're talking late 2010 before those users lack a
supported browser version. Right now, we're at similar numbers to the
Net Applications numbers. Between now and then we'll see Windows 7
ship, which always spurs a new round of hardware upgrades and trickle-
down, plus a year or more of the natural trend for hardware to die and
be replaced (again, remember that we're dealing with 2004-era hardware
at best, so a lot of computers are reaching end of natural life). I
don't doubt that some people will be left behind, but we gave up 4% of
our users who were on Win98 when we dropped Win9x support for 3.0, so
Win2k is already way under that threshold.

-- Mike

Michael Connor

unread,
Apr 14, 2009, 1:29:42 PM4/14/09
to Samuel Sidler, dev-pl...@lists.mozilla.org, Robert O'Callahan

On 14-Apr-09, at 1:00 PM, Samuel Sidler wrote:

> On Apr 14, 2009, at 9:54 AM, Michael Connor wrote:
>> On 14-Apr-09, at 5:39 AM, Robert O'Callahan wrote:
>>> On 14/4/09 4:37 PM, Michael Connor wrote:
>>>> Put another way, XP (no SP) and XP SP1 have been unsupported and
>>>> unpatched for years now.
>>>
>>> Those are excellent reasons for dropping support for XP/noSP and

>>> XP/SP1. But why drop support for XP/SP2?


>>
>> Because SP2 will reach end of life before 3.5 reaches end of life.
>> Supporting SP2 for 1.9.2 would mean supporting a "dead man walking"
>> OS for at least a year, if not longer.
>
> And? If our users are there, I don't think we should simply drop
> support because Microsoft has.

If our users are happy running an insecure OS with no updates, they
can run the last version of 3.5 as well. If we do have users there,
it is in their best interests to upgrade to SP3 and continue to
receive security updates for their systems. Unless they really really
like spyware and being used as a spam gateway.

> I already know the answer, but, uh, have you read through the
> dropping 10.4 discussion? And the dropping 10.3 discussion before
> it? I know you have, yet a lot of your statements here are basically
> what Josh was saying before.

I was the one who made the final call on 10.3, of course. For 10.4,
of course, there's some significant differences. Win2k is a lot fewer
users than 10.4 (10.4 has 3x the number of users as Win2k), the
timeframe is a lot longer (10 year old OS, replaced 8.5 years before
EOL, last widely sold on PCs around 2002, though some could be as new
as five years old), and Microsoft provides a finite date for the end
of actual patch support, instead of requiring guessing on our part.
We know that after that date, users will be vulnerable and
unprotected, and we know that even a current OS without patches is
vulnerable when connected to the internet. All of these things are
real data points.

> Frankly, without actual data to back the discussion, I don't know
> why we're even having it now. I saw a couple of things that we'd
> like to do in SP2 and later. That's fine. Where's the list of things
> we want to do that are only available in SP3 and later? Where's the
> data saying 90% of users have upgraded from SP2 to SP3? I'm not sure
> why we're talking about dropping support for XP SP2 at all yet,
> especially without strong reasons why.


There's plenty of data. Predicting the state of OS versions for when
3.5 reaches EOL is going to be fairly imprecise, but win2k's share
after July 2010 is likely to be tiny, declining, and heavily zombified.

SP2 vs. SP3 isn't especially interesting, but I would rather have a
policy around ensuring that we support OS versions through their EOL,
but not beyond. That's the best tradeoff between resources and users
I can think of.

-- Mike

Mike Shaver

unread,
Apr 14, 2009, 1:34:01 PM4/14/09
to Michael Connor, dev-pl...@lists.mozilla.org, Samuel Sidler, Robert O'Callahan
On Tue, Apr 14, 2009 at 1:29 PM, Michael Connor <mco...@mozilla.com> wrote:
> That's the best tradeoff between resources and users I can think of.

I think what people are missing -- including myself -- is what the
resource cost _is_ for supporting SP3. I don't think we gain anything
by being doctrinaire about OS support, though I'm fully in favour of
making economic choices to ensure that we don't bear costs out of
proportion with their returns.

It seems like moving to SP3 is just for the sake of moving to SP3, and
not because it actually gains us anything on the development or
support side. The < SP2 and Win2K cases are much clearer, so it may
well be that there's just something about supporting SP3 that I'm
missing.

Mike

Michael Connor

unread,
Apr 14, 2009, 1:36:00 PM4/14/09
to Pascal Chevrel, dev. planning

I think it's entirely possible that it will hinder our growth in those
areas. I am not at all convinced that we want to target pirated
software to succeed in our mission. I think it's a bad position to
take for mozilla.org, and I have moral and ethical issues around
effectively supporting piracy by making decisions to ensure that users
of illegal software can use our product.

-- Mike

Michael Connor

unread,
Apr 14, 2009, 1:39:31 PM4/14/09
to Mike Shaver, dev-pl...@lists.mozilla.org, Samuel Sidler, Robert O'Callahan

It's actually pretty likely that supporting SP2 is not much different
from SP3. That's the current baseline for IE7/8 and Chrome, so I'm
fine with that, at least for now, and we can watch to see whether they
change their baselines once SP2 reaches end of life. Of course,
getting a working SP2 install after next July will be more
complicated, but that's why we have MSDN subscriptions, I guess!

-- Mike

Mike Shaver

unread,
Apr 14, 2009, 1:41:48 PM4/14/09
to Michael Connor, dev. planning, Pascal Chevrel
On Tue, Apr 14, 2009 at 1:36 PM, Michael Connor <mco...@mozilla.com> wrote:
> I think it's entirely possible that it will hinder our growth in those
> areas.  I am not at all convinced that we want to target pirated software to
> succeed in our mission.  I think it's a bad position to take for
> mozilla.org, and I have moral and ethical issues around effectively
> supporting piracy by making decisions to ensure that users of illegal
> software can use our product.

That's a fine discussion to have, but we should have it before we
decide how to use or not use such data in deciding operating system
support. Especially when the vendor of the operating system itself
has taken varying stances on how or whether to support unlicensed
copies with security updates. The security of those users running
pirated software is not just an issue for them, but has pretty
wide-ranging effects on the security of other internet users as well.

Mike

Rob Arnold

unread,
Apr 14, 2009, 1:52:48 PM4/14/09
to John J. Barton, dev-pl...@lists.mozilla.org
On Tue, Apr 14, 2009 at 11:39 AM, John J. Barton <
johnj...@johnjbarton.com> wrote:

>
> illegally using their OS and cannot upgrade due to that, I do not want to
>> have to bend over backwards to recreate their environment to reproduce the
>> bug and test a fix (in addition, there are moral issues with helping these
>>
>
> I think there is a large gap between "continue to support XP SP3 on 1.9.2"
> and "bend over backwards". Of course maybe I should try yoga.


I wasn't suggesting that we drop XP entirely for 1.9.2 (in more than a few
years, we probably will). Supporting XP < SP2 (or worse, systems where
people "remove IE") is bending over backwards because it is almost like a
different OS (APIs and behaviors are different).


> of the vast majority of users who are using their OS legally and properly
>> maintaining it.
>>
> users). I would argue that supporting those systems doesn't help the needs
>
> But do you really want to base decisions on morality? Shall we ask users to
> certify that their machine is being used legally and has been dusted
> regularly? They never surf to sites on a mozilla-do-not-visit list? Always
> properly shutdown at night?


Morality is not the only factor in making a decision and I never said it was
the base for all of mine or should be for everyone. In fact, I never said or
implied any of those things you listed there.

I don't think any of this is mozilla's business. The only issue is the
> number of users of XP SP2.


It is if they have put their machine in a state that is unsupported or
unstable due to these activities. We don't fix the bugs in the download
scanner that resulted from people "uninstalling IE" and I don't think you
will find many people who disagree with that policy.

-Rob

Phil Ringnalda

unread,
Apr 14, 2009, 2:11:53 PM4/14/09
to
On 4/14/2009 10:34 AM, Mike Shaver wrote:
> It seems like moving to SP3 is just for the sake of moving to SP3, and
> not because it actually gains us anything on the development or
> support side.

SP3 is two things, a chunk of updates that you probably already got from
Windows Update, but could have declined:

* MMC 3.0, nothing to do with us
* MSXML 6, nothing to do with us (I hope)
* Windows Installer 3.1, nothing to do with us the way things seem to be
going
* BITS 2.5, I'd be surprised if we decided to use it instead of rolling
our own
* IPSec Simple Policy Update, nothing to do with us
* Digital Identity Management Service, nothing to do with us
* Peer Name Resolution Protocol, nothing to do with us
* RDP 6.1, nothing to do with us
* WPA2, a stretch to claim it's to do with us

and a chunk of new things:

* better black hole router detection, nothing to do with us
* Network Access Protection, nothing to do with us
* CredSSP, nothing to do with us

So unless I'm misunderstanding one of the things which sound like they
are only about interactions with Windows servers on your Window LAN,
requiring SP3 would be an entirely non-technical choice unless we plan
on doing an .msi *and* using a feature that was in the 3.1 update, or
using BITS for background downloads.

John J Barton

unread,
Apr 14, 2009, 2:39:17 PM4/14/09
to
Rob Arnold wrote:
>
> I don't think any of this is mozilla's business. The only issue is the
>> number of users of XP SP2.
>
>
> It is if they have put their machine in a state that is unsupported or
> unstable due to these activities.

I think it would be helpful if someone can enumerate the reasons why XP
SP2 is unsupportable or unstable for 1.9.2. Mike Connor's proposal cited
Microsoft's EOL policy at the reason. I don't think this is enough of a
reason, because Microsoft updates beyond SP2 are not easy nor valuable.
But perhaps there are other reasons?

jjb

Mike Shaver

unread,
Apr 14, 2009, 2:47:59 PM4/14/09
to John J Barton, dev-pl...@lists.mozilla.org
On Tue, Apr 14, 2009 at 2:39 PM, John J Barton
<johnj...@johnjbarton.com> wrote:
> I think it would be helpful if someone can enumerate the reasons why XP SP2
> is unsupportable or unstable for 1.9.2. Mike Connor's proposal cited
> Microsoft's EOL policy at the reason. I don't think this is enough of a
> reason, because Microsoft updates beyond SP2 are not easy nor valuable. But
> perhaps there are other reasons?

Did you see Mike's reply to my later in this thread, agreeing that SP2
was an OK baseline?

Mike

Mike Connor

unread,
Apr 14, 2009, 2:54:56 PM4/14/09
to John J Barton, dev-pl...@lists.mozilla.org
It's not about being "unsupportable" so much as "a platform which will
rapidly be exploited" given that it won't get security updates.

-- Mike

John J Barton

unread,
Apr 14, 2009, 3:02:16 PM4/14/09
to
Michael Connor wrote:
>
> On 14-Apr-09, at 10:10 AM, Samuel Sidler wrote:
>
>> On Apr 14, 2009, at 5:19 AM, Simon Paquet wrote:
>>
>>> Do we have any reliable numbers from our own download and AMO
>>> statistics on the percentage of users, which are still using W2K?
>>> I think this discussion would benefit from those numbers.
>>
>> I, too, would like to see some actual numbers from our user-base
>> (downloads, hits on mozilla.com, ADUs, etc) before making a
>> determination on what we should do about Windows 2000.
>
> What you really want is the trend data,

Yes! And if the trend data shows that XP SP2 is not significant its a
reasonable thing to ditch supporting it.

jjb

sarah

unread,
Apr 14, 2009, 3:28:09 PM4/14/09
to

i personally thin dropping support for windows 2000 and all pre xp sp2
os would be a good idea

i dont think dropping support for xp sp2 is good idea because
maintaing support for it would not be much harder then maintaining
support for sp3

John J Barton

unread,
Apr 14, 2009, 3:45:56 PM4/14/09
to

My XP SP2 system has not been exploited in the almost 5 years since SP2.
How rapid are we talking ;-)

I think we might have a different view of the value of Windows security
updates for individuals.

From what I understand, the probability of a machine being exploited is
primarily determined by the type of Internet connection and the
frequency of dubious software installs. Since, as you have pointed out,
the number of attackers is very high, and since the OS is not fully
protected, any machine be exploited sooner or later. In this reality,
security updates and anti-virus software delay attacks but don't prevent
them. Would you be willing to run a fully updated Windows box on the
open Internet? If so my information is just out of date.

I agree with the general principle of encouraging better security. I
just don't think that it should be the primary issue for support
decisions because it has higher cost and lower benefit than one would hope.

jjb

Michael Connor

unread,
Apr 14, 2009, 5:29:30 PM4/14/09
to John J Barton, dev-pl...@lists.mozilla.org

On 14-Apr-09, at 3:45 PM, John J Barton wrote:

> Mike Connor wrote:
>> On 4/14/2009 2:39 PM, John J Barton wrote:
>>> Rob Arnold wrote:
>>>>
>>>> I don't think any of this is mozilla's business. The only issue
>>>> is the
>>>>> number of users of XP SP2.
>>>>
>>>>
>>>> It is if they have put their machine in a state that is
>>>> unsupported or
>>>> unstable due to these activities.
>>>
>>> I think it would be helpful if someone can enumerate the reasons
>>> why XP SP2 is unsupportable or unstable for 1.9.2. Mike Connor's
>>> proposal cited Microsoft's EOL policy at the reason. I don't think
>>> this is enough of a reason, because Microsoft updates beyond SP2
>>> are not easy nor valuable. But perhaps there are other reasons?
>> It's not about being "unsupportable" so much as "a platform which
>> will rapidly be exploited" given that it won't get security updates.
>
> My XP SP2 system has not been exploited in the almost 5 years since
> SP2. How rapid are we talking ;-)
>
> I think we might have a different view of the value of Windows
> security updates for individuals.

Your SP2 system is still getting security updates though. After July
2010, it won't, so it's largely a factor of how soon a new exploit is
discovered that is left unpatched by Microsoft, and of course whatever
other mitigations you have in place.

Firewalls/security software do help as well, but I'd be curious how
many people will ensure they use those but not upgrade to SP3 to keep
getting updates and be as protected as possible. It's basically like
choosing to stop locking your doors and letting your alarm system be
your protection, it's not the best thing you can do, and your odds of
your stuff getting stolen go up. By how much isn't really my domain,
but from the research on the subject, it's pretty much critical.

-- Mike

Robert O'Callahan

unread,
Apr 14, 2009, 6:06:31 PM4/14/09
to
On 15/4/09 9:29 AM, Michael Connor wrote:
> Your SP2 system is still getting security updates though. After July
> 2010, it won't, so it's largely a factor of how soon a new exploit is
> discovered that is left unpatched by Microsoft, and of course whatever
> other mitigations you have in place.

One thing we have to keep in mind is the possibility that Microsoft will
extend the support cycle for products in response to customer demand,
especially enterprise demand. They've done it before.

I think it makes sense to drop support for a platform when the vendor
does, but not before. As long as there's a possibility 1.9.2 will ship
while XP SP2 is supported by Microsoft, we should support it too.

Rob

Neil

unread,
Apr 14, 2009, 6:44:46 PM4/14/09
to
Michael Connor wrote:
> Raise the minimum requirements for Gecko 1.9.2 (and any versions of
> Firefox built on 1.9.2) for Windows builds to require Windows XP
> Service Pack 3 or higher.
Firefox has only just dropped support for Windows 98/NT4 (i.e. no more
Gecko 1.8 branch releases), while Thunderbird and SeaMonkey's official
(as of time of writing) current releases still run on Windows 95 (and
MinGW SeaMonkey seems to run fine on my Windows NT 3.51 tinderbox,
although someone complained that release builds crash on startup). So
dropping Windows 2000 would seem to be a little premature.

Or is this minimum requirements as in "Developers are not required to
ensure that code compiles with VC7.1 and runs on Windows 2000 but we
accept contributed patches"?

Bobby Holley

unread,
Apr 14, 2009, 7:00:33 PM4/14/09
to Neil, dev-pl...@lists.mozilla.org

Felix

unread,
Apr 14, 2009, 7:26:08 PM4/14/09
to
Boy, this will certainly help switch people to Firefox. "There's this
great secure web browser that you really should be using! Oh, but
you'll have to upgrade to SP3". That'll be met with enthusiasm. I'd
love to see some numbers showing that SP3 has anywhere close to the
numbers of SP2. And really, WGA is the least of many people's concerns
when upgrading to SP3. But I guess if Firefox wants to overtake
Internet Explorer in terms of marketshare, emulating the poor choices
made for IE will somehow help (or are those choices the very reason
people switch to Firefox in the first place?).

Stuart Parmenter

unread,
Apr 14, 2009, 7:33:57 PM4/14/09
to
On Apr 13, 7:33 pm, Michael Connor <mcon...@mozilla.com> wrote:
> Proposal:

>
> Raise the minimum requirements for Gecko 1.9.2 (and any versions of  
> Firefox built on 1.9.2) for Windows builds to require Windows XP  
> Service Pack 3 or higher.
>

What is the cost on our side to actually supporting these? Being one
of the few people who has done a lot of Windows development over the
last few cycles, I can tell you that keeping things working on 2K
isn't really very hard.

stuart

Michael Kohler

unread,
Apr 14, 2009, 7:31:39 PM4/14/09
to
Felix wrote:
> Boy, this will certainly help switch people to Firefox. "There's this
> great secure web browser that you really should be using! Oh, but
> you'll have to upgrade to SP3". That'll be met with enthusiasm.

If somebody cares about security, he has upgraded to SP3. (or at least
he has installed the patches manually)

Mike Connor

unread,
Apr 14, 2009, 7:37:57 PM4/14/09
to Neil, dev-pl...@lists.mozilla.org

On 14-Apr-09, at 6:44 PM, Neil wrote:

> Michael Connor wrote:
>> Raise the minimum requirements for Gecko 1.9.2 (and any versions of
>> Firefox built on 1.9.2) for Windows builds to require Windows XP
>> Service Pack 3 or higher.
> Firefox has only just dropped support for Windows 98/NT4 (i.e. no
> more Gecko 1.8 branch releases), while Thunderbird and SeaMonkey's
> official (as of time of writing) current releases still run on
> Windows 95 (and MinGW SeaMonkey seems to run fine on my Windows NT
> 3.51 tinderbox, although someone complained that release builds
> crash on startup). So dropping Windows 2000 would seem to be a
> little premature.

3.5 (Gecko 1.9.1) will continue to run on Windows 2000. That means
that we'll be running on a ten year old OS, which is five years better
than Linux or Mac versions we support. The real issue is that when
Gecko 1.9.1 reaches EOL in fall 2010 (likely at the earliest) then we
won't have support for Windows 2000. I think that's acceptable,
overall.

> Or is this minimum requirements as in "Developers are not required
> to ensure that code compiles with VC7.1 and runs on Windows 2000 but
> we accept contributed patches"?

I don't think that we want to continue to maintain code for 10 year
old operating systems, unless it's build-time defines (i.e. OS/2) that
we explicitly don't care about at all. It's still a drain on
reviewers, it's still more code surface to maintain, and it's likely
pulling resources away from more critical tasks. The point is to
focus effort where it is best leveraged, and code writing is just one
facet of that cost.

-- Mike

zer...@gmail.com

unread,
Apr 14, 2009, 8:53:50 PM4/14/09
to
If it's helpful data:

* I haven't heard of any plans to raise the Chromium support baseline
from XP SP2 to XP SP3 once SP2 is EOLed. Most of our discussions are
based around cost/benefit, and the SP2->SP3 change doesn't really
affect either of those much for Chromium.
* Dropping W2K support does not eliminate the need to support non-
uxtheme codepaths, as those same paths are used in Classic Mode on the
later OSes (you don't get uxtheme there either).
* Even without theme gains, I can image a lot of other gains from
dropping 2K support, such as greater ability to sandbox processes if
you guys decide to go that route, tons of UI bugs fixed, etc. Plus,
Firefox [>3.5] usage on 2K is presumably likely to be low since at
this point the majority of 2K users are corporations for whom
installing new software is somewhere between "not a priority" and "not
an option". Thus the actual number of users affected would be
noticeably lower than the global fraction of W2K users.

Best wishes,
PK

Rob Arnold

unread,
Apr 14, 2009, 9:14:10 PM4/14/09
to Stuart Parmenter, dev-pl...@lists.mozilla.org


I agree. As far as the APIs that we use, there is nothing besides the themes
that 2K "hinders" (just some slightly awkward dynamic loading of uxtheme;
every Windows OS supports Classic so there is no large code removal). Even
with XP pre SP2 there is not much there that we have had to work around (The
IOfficeAntiVirus implementation came before the newer IAttachmentExecute
IIRC). I would like to see an argument made on the basis of API or UI
features that we would like to take advantage of where support for 2k and XP
would hinder a clean implementation for the Windows platform. It may very
well be that future work with process/plugin isolation (sandboxing) will
motivate this but until that work is committed to a release, I am hesitant
to support dropping our support for these operating systems.

That said, I still think that support XP with SP1 or no service pack is
harder due to the changes in SP2. If you think about the number of Windows
machines that developers have to test on, supporting those two editions is
still too much. At current count, we have 5 supported editions of windows:
2000, XP SP2+, Windows Server 2003 (there are tinderboxes for this), Windows
Vista, and Windows 7 (if not now, then when it releases this year) versus 3
for OSX and 2(?) for Linux.

What about bumping XP < SP2 down a tier? It would be nice if we had a policy
on free major OS updates (this applies only to systems that cost money such
as Windows and OSX). Does mozilla-central run on a clean install of the
original Windows 2000 release? I suspect there is a hidden requirement for a
service pack level for it but no one has complained about it yet.

-Rob

Mike Connor

unread,
Apr 14, 2009, 9:44:14 PM4/14/09
to Rob Arnold, dev-pl...@lists.mozilla.org, Stuart Parmenter

On 14-Apr-09, at 9:14 PM, Rob Arnold wrote:

> On Tue, Apr 14, 2009 at 7:33 PM, Stuart Parmenter
> <stu...@gmail.com> wrote:
>

> I agree. As far as the APIs that we use, there is nothing besides
> the themes
> that 2K "hinders" (just some slightly awkward dynamic loading of
> uxtheme;
> every Windows OS supports Classic so there is no large code
> removal). Even
> with XP pre SP2 there is not much there that we have had to work
> around (The
> IOfficeAntiVirus implementation came before the newer
> IAttachmentExecute
> IIRC). I would like to see an argument made on the basis of API or UI
> features that we would like to take advantage of where support for
> 2k and XP
> would hinder a clean implementation for the Windows platform. It may
> very
> well be that future work with process/plugin isolation (sandboxing)
> will
> motivate this but until that work is committed to a release, I am
> hesitant
> to support dropping our support for these operating systems.

Again, I think this is developer-centric, when the burden of "support"
comes in a bunch of situations. Are we okay with not having unit
tests/performance tests/etc on operating systems we count as
supported? Are we okay with not actually having QA test these
operating systems before releases? If not, the cost is considerable.
If we are, then we should really call out the idea that those OS
versions are really at a lower-tier "might work, but no promises"
level. Whether they continue to work or not is probably dependent on
some things (i.e. process separation) that we're exploring, but
there's no good reason to argue that Windows 2000 and Windows Vista
should be equally supported..

(I'm surprised we haven't had more bugs that target older systems
without the security protections added in SP2, but I suppose those
targets aren't especially interesting to security researchers.)

> That said, I still think that support XP with SP1 or no service pack
> is
> harder due to the changes in SP2. If you think about the number of
> Windows
> machines that developers have to test on, supporting those two
> editions is
> still too much. At current count, we have 5 supported editions of
> windows:
> 2000, XP SP2+, Windows Server 2003 (there are tinderboxes for this),
> Windows
> Vista, and Windows 7 (if not now, then when it releases this year)
> versus 3
> for OSX and 2(?) for Linux.

Except we do support XP SP1 now, technically, and we've had to dig up
machines to test (tricky without MSDN).

> What about bumping XP < SP2 down a tier? It would be nice if we had
> a policy
> on free major OS updates (this applies only to systems that cost
> money such
> as Windows and OSX). Does mozilla-central run on a clean install of
> the
> original Windows 2000 release? I suspect there is a hidden
> requirement for a
> service pack level for it but no one has complained about it yet.

I think it might be okay to have it be similar to Windows 95, which
wasn't actually supported, but until Firefox 3 would run fine. What I
don't want to see is us spending dev/releng/QA cycles on OS versions
that aren't widely used, and will continue to decline over time.
Similar to tier-2, we won't actively break it, unless we have to. But
I don't think anyone can argue that win2k would be more important than
process separation.

-- Mike

Boris Zbarsky

unread,
Apr 14, 2009, 10:09:01 PM4/14/09