Does Red Hat support the Mozilla Firefox and Thunderbird Extended Support Releases?

Firefox is the default and only supported web browser in Red Hat Enterprise Linux.

The following overview also applies to Thunderbird.

Upstream releases

Mozilla ships Firefox and Thunderbird in two different streams with different use cases.

Standard Firefox

Newer versions are released every 4 weeks, constantly introducing new features, ideal for home users and progressive web applications developers. This is the release stream which is available within the Fedora Project.

Firefox Extended Support Release (ESR)

A new version is released once a year, during the year Mozilla provides security and bug fixing releases every 4 weeks. It provides a stable and predictable platform for enterprise web applications. This longer-lived release stream is available within the supported Red Hat Enterprise Linux releases.

Upstream Lifecycle

A new major version of Firefox ESR is released roughly once a year and gets security/bug fix releases every 4 weeks. Mozilla releases updates of the previous ESR for another 3 months to give organizations time to upgrade to the latest ESR. That's also a window for us to rebase Firefox in all versions of Red Hat Enterprise Linux.

Closely following upstream

There are two primary reasons for the Red Hat Enterprise Linux distribution using the upstream ESR release as opposed to the faster-moving Standard Firefox release:

• Security. A web browser is a very security-sensitive component and the volume of CVEs is really high (as many as 17 critical or important CVEs fixed in one update). Backporting security fixes to older versions within our SLA deadlines is impossible with the resources we have.
• Compatibility. Development of web technologies is dynamic, the ESR release balances the need to support next-generation as well as much older web applications.

The upstream Firefox ESR release schedule is publicly available on https://wiki.mozilla.org/Release_Management/Calendar.

RHEL API/ABI stability and supportability

Even though Mozilla does not provide development packages for Firefox or Thunderbird to link against, they do provide a variety of APIs that are used on the Web - https://developer.mozilla.org/en-US/docs/Web/API. Red Hat will guarantee that the Web API in a particular major ESR version will be stable and supported, but cannot guarantee that they will be stable across rebased major versions.

Dependencies

Firefox relies on other components that need to be taken into account while preparing a rebase plan.

Network Security Services (NSS)

New Firefox requires a new version of NSS ESR that is typically released upstream roughly 2 months before the Firefox release. Firefox is currently using the system NSS for security and certification reasons. So a rebase of Firefox always requires a rebase of NSS that needs to be done by the Platform Security team.

GCC

Typically on older RHELs the version of GCC required by Firefox is significantly newer than the base distribution. As a result, the version of GCC provided by the Developer Toolset program, also known as gcc-toolset within the AppStream repository, is used..

Rust

Similarly, the Rust toolchain from the Developer Toolset program, also available as a module within the AppStream repository, is updated to the latest version when a major ESR rebase is ongoing.

GTK 3

Firefox requires GTK 3, which is not available in Red Hat Enterprise Linux 6. It is currently bundled with Firefox, Thunderbird, and Chromium.

NodeJS

Firefox requires newer NodeJS as part of the build process. This is also bundled along with the Firefox ESR release for Red Hat Enterprise Linux.

Update Strategy

Minor Updates

ESR gets regular upstream security and bug fixing updates every 4 weeks with asynchronous releases for important CVEs. In general, upstream updates include critical and important CVE fixes. A 5-work-day deadline is imposed, according to internal SLA for critical CVEs.

Mozilla provides Red Hat Development Engineering with the source code and advisories just a few days before they are made public, Once this content is made available, the changes are evaluated, applied, tested, and shipped asynchronously as soon as possible.

Major Updates

Mozilla supports two ESR versions for a period of time when transitioning between major ESR versions. Red Hat's major ESR version will be released after the GA period of the first ESR release and before support from Mozilla for the prior release has ended.