Jonathan Kamens wrote on 09.12.17 22:27:

You can axe everything that is before the currently supported releases.
Right now, only TB 52 is supported with security fixes. All earlier TB
version have many critical security bugs and should not be used anymore.
When trying to support these old versions, you actually do these users a
disservice, because they think all is fine. They MUST update. Breaking
extensions is the least of their problems. Random script kiddies and
worms taking over their computer with all data is what they should worry
about.

Same is true for Firefox and most other browsers.

On 12/9/17 5:10 PM, Ben Bucksch wrote:

According to the data on AMO, as of December 7, 8,866 out of 86,791
users of the current version of my add-on, i.e., more than 10%, are
using Thunderbird versions 20 (the earliest version my code is
compatible with) through <52. Many of them are probably using older
versions because the OS distribution they're using hasn't released a
newer package. Furthermore, in some cases the distribution maintainers
have backported patches to older versions of Thunderbird, so it's
entirely possible that a user is running a version of Thunderbird
earlier than 52 without the vulnerabilities you're worried about.

I suspect you'll see similar statistics for other add-ons.

I am not going to tell those users they have to update their OS to keep
being able to use my add-on. That's not my prerogative. I imagine other
add-on maintainers feel the same way.

I keep my software up-to-date because I do software for a living and
it's easy for me. It's not easy for everyone, and therefore not everyone
does it, and I don't think it's reasonable to expect them to.

I am highly dubious of claims that I am doing a "disservice" to my users
by supporting older Thunderbird versions. That sounds a lot to me like
trying to rationalize forcing users to upgrade Thunderbird or their OS
every year or two rather so that we don't have to do the work of
backporting patches to old Thunderbird releases.

You asked me what I need to be able to keep supporting my add-ons and
their users. I told you. Don't turn around and tell me that what I said
I need isn't what I really need.

  jik

----- Pôvodná správa -----
Predmet: Re: [Maildev] Supporting old TB versions
Od: Jonathan Kamens jik@kamens.us
Pre: Ben Bucksch ben.bucksch@beonex.com, Thunderbird email developers
maildev@lists.thunderbird.net
Dátum: Sat, 9 Dec 2017 17:56:12 -0500

You (and nobody) requires them to upgrade to anything. You just do not
need to keep your addons compatible with the old TB versions. If they
can work on old OS and old TB they surely can live with an old version
of the addon. So leave an old version of the addon available for
download (if you really want to offer it to NEW users with OLD TB) and
have the current version specify a minversion of 52 or similar where you
drop some of the old code. Some of the Javascript engine changes may not
even allow you to have new and old syntax in a single codebase.

Jonathan Kamens wrote on 09.12.17 23:56:

That's a myth. Nobody has managed to do that. Many have backported
patches, but nobody has managed to keep it secure. I think such claims
are false and highly dangerous for end users.

You may of course do what you want with your code, but please do not
expect support from TB project for supporting unsupported TB versions.

Ben

On 10-12-2017 14:53, Ben Bucksch wrote:

Agreed.

Users running a distribution where current Thunderbird isn't a supported
version probably are probably running an EOL:d distribution altogether
(so that's even worse). Linux distributions, even LTS, do update to
major Thunderbird versions.

 -Magnus