By adding an automatic update feature to Firefox, its developers have made huge progress towards ensuring that security updates are pushed out quickly to all users of the browser. However, the automatic update feature is useful only for users who get the browser directly from Mozilla; users who get Firefox packaged with their Linux distribution have to rely on their vendor to push out a release, and these often trail the official Mozilla release by up to a week.
It's likely that there will always be some lag time between the official Firefox release and the update from Linux distributors, but Schroepfer says that the developers are doing what they can to narrow the gap.
In particular, Schroepfer says that they're now publishing source tarballs "in lockstep" with release candidates to provide wider access for testing, and to make it easier for vendors to apply the changes. In the past, the source tarballs would trail the release candidates, tying the hands of package maintainers for projects like Debian, Ubuntu, and Fedora.
That covers the most recent Firefox releases, but what about legacy Firefox releases, such as the now-defunct 1.0.x series that ended with the 1.0.8 release? While Firefox has officially put an end to support for the 1.0.x series, that series is still part of a number of Linux distributions that will be supported for years to come. As the codebases diverge, it will become more and more difficult for vendors to backport security fixes to the 1.0.x series.
Schroepfer says that the Mozilla project is "inclined to help in any way we can," but that the project doesn't have the resources "to support multiple branches and compete and innovate the way that people expect us to."
While Novell, Red Hat, and others may be looking at the enterprise desktop, Schroepfer says that "we're more of a consumer-focused organization," and that the "vast majority" of Firefox users have upgraded to the 1.5.x branch.
"We're a small organization, fighting the good fight, and there's only so many things we can do at once. We don't have enterprise contracts, we don't get paid for support, so we don't have the resources to do enterprise support."
However, he did say that Mozilla is trying to avoid unnecessary incompatibilities between branches, so that new releases don't break compatibility with sites or extensions for Firefox unless it's absolutely necessary. He also says that the 2.0 branch was developed on an API freeze from 1.5, so there should be very little breakage between releases.
Schroepfer also predicts that security will continue to be a problem "for anything written in native code," such as C and C++. For example, he notes that the security problems caused by memory bugs have evolved over the years: from stack-based exploits, to heap-based exploits, to null pointer exploits.
A couple of things can help minimize these problems. First, Schroepfer notes that the Mozilla project has "hundreds and thousands of people around the world" viewing the code and looking for potential problems. In addition, analysis tools like those produced by Coverity have been used to analyze Firefox code for possible vulnerabilities and coding errors.
Schroepfer says that the specification has had "wide participation," and that he "fully expects" most of the browser vendors to implement the standard once it's finished. Microsoft, he says, has lately been making an effort to support industry standards, and he's "highly encouraged" that they will adopt the standard. But, he admits, he has had no specific assurances from Microsoft.
The release timeline isn't written in stone just yet, but Schroepfer says that Firefox 2.0 will "definitely ship by the end of this year," with beta 2 out sometime in August.
At the same time, development is continuing on the 3.0 release as well, which should be out sometime in 2007. The feature set for 3.0 is still somewhat nebulous, but Schroepfer says that there will be some architectural changes in 3.0 to upgrade the graphics subsystem, and it's likely that 3.0 will include a revamped bookmark system that didn't make the cut for the 2.0 series.