On Thu, Jan 7, 2016 at 2:57 PM, Michael Catanzaro mcatanzaro@gnome.org wrote:
On Thu, 2016-01-07 at 13:48 -0700, Chris Murphy wrote:
OK well at this point it looks like the short term Fedora 24 time frame choices are:
- Firefox <current> which likely won't provide a code signing check
disable knob. But users still have the choice to download Firefox ESR, or nightly, or developer versions which do have a know. Or install Epiphany or Icecat.
- Firefox ESR 45, which by default enforces signed extensions, but
has a knob to disable this. The download it is suggests ESR 45 for the life of Fedora 24 at least by default; the user would have to manually install a different Firefox package to be on the current rolling release.
Ephiphany.
Icecat
I have no real strong preference between 1 and 2. Both protect users by default. Both provide an option for users to opt out of enforced code signing checks.
There is also 5. Debian's Iceweasel, which is more similar to upstream Firefox than Icecat. Icecat has some nice privacy features that we probably want, but it also comes with LibreJS. I strongly recommend against shipping LibreJS in our default web browser.
I think 2. Firefox ESR seems like the best option for F22 and F23. I don't think that's a good option for F24; we should be shipping the latest version of Firefox/Iceanimal going forward.
I agree.
However, while Firefox ESR for Fedora 22 seems reasonable in any case, I'm unconvinced it should apply to Fedora 23 in the context of "we should ship the latest Firefox" going forward. Fedora 23 is the current release until May. So if Fedora 23 switches to ESR, then Fedora isn't shipping the latest Firefox until Fedora 24 ships in May.