Mozilla proposes 5X slower Firefox release tempo for enterprises

ESR channel would ship a new version every 30 weeks, support with interim security updates

Mozilla has proposed a significantly slower Firefox release pace for enterprises, the result of a corporate backlash earlier this year against an accelerated scheme that ships a new edition of the browser every six weeks.

If the proposal is adopted, Mozilla will deliver a new version of Firefox to enterprises every 30 weeks, five times slower than to consumers. During each 30-week stretch, Mozilla would issue only security updates for the browser. In addition, each enterprise edition would be supported for an additional 12 weeks after the release of its successor, assuring companies 42 weeks of support for each version.

Mozilla now discontinues security support for a specific version of Firefox as soon as the next in line appears.

"These proposed releases would provide organizations with additional time to certify and deploy new versions of Firefox while mitigating some of the security risks of staying on an older release," said Kev Needham, Mozilla's channel manager, in a post to a discussion forum.

The interim security updates would be limited to patches for vulnerabilities rated "critical" or "high," the two most-serious rankings in Mozilla's threat scoring system. What Mozilla calls "chem spills" -- emergency fixes labeled "out-of-band" by other vendors such as Microsoft and Adobe -- would also be included in the updates between each 30-week release.

Mozilla is calling the new release concept "Extended Support Release," or ESR. If the proposal is approved, ESR would kick off with either Firefox 8, now slated for delivery Nov. 8, or Firefox 9, which is planned to ship Dec. 20.

If ESR begins with Firefox 8, adopters would not receive a new version of the browser until Mozilla ships Firefox 13 on June 5, 2012.

"I think the proposal addresses most of the concerns of enterprises," said Mike Kaply, a consultant who specializes in writing Firefox add-ons and in customizing the browser for corporate clients.

Kaply was one of the critics who last June blasted Mozilla's rapid release schedule, saying that the six-week scheme was unworkable for enterprises because it did not give them enough time to test each update. Kaply and others raised additional issues, including Mozilla's decision not to support older editions with security updates, forcing companies to choose between running an untested browser or one that had known vulnerabilities.

Mozilla took heat over the six-week schedule, in part because Asa Dotzler, a director of Firefox, said that enterprise "has never been (and I'll argue, shouldn't be) a focus of ours," and dismissed corporate users as "a drop in the bucket."

Rival browser maker Microsoft inserted itself into the controversy to pitch its Internet Explorer (IE) browser as better suited to enterprise needs.

Mozilla's reaction to the backlash was to form a working group to look at ways to keep enterprise users happy. The ESR proposal came out of that group.

Kaply, who monitored the enterprise working group mailing list -- which Mozilla declined to make accessible to the media -- said that the proposal was largely an internal production. He acknowledged that much of the feedback he provided was integrated into the proposal, however.

Kaply was cautiously optimistic about the ESR plan. "I think this will go a long way to show that Mozilla cares about enterprise," he said. "Forty-two weeks is a nice chunk of time to move from one version to another."

But he hesitated to claim victory for enterprises until Mozilla actually committed to ESR and showed it was serious about supporting corporate users. "They made it clear that this is a proposal," said Kaply. "I've seen proposals from them before. I'm excited about this, but I'll believe it the day they roll it out."

In the proposal, Mozilla spelled out several caveats and risks, including its prediction that ESR "will be less secure than the regular release of Firefox" because new functionality and lower-level patches will not be added to the enterprise channel as fast as the one for consumers.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.


Copyright © 2011 IDG Communications, Inc.
