[notatoad]

No, security updates are still being made. Here's the release notes for recent security fixes in thunderbird:

https://www.mozilla.org/en-US/security/known-vulnerabilities...

[shock]

Are the security updates done by Mozilla itself or by the volunteers that continue Thunderbird development?

[kbrosnan]

The security patches are largely from Mozilla's Gecko/SpiderMonkey/Toolkit work. The people who create the patches tend to be Mozilla employees. Looking over the 45.x Thunderbird releases I don't see a single Thunderbird specific security fix. [1]

The team that qualifies and does the release work for Thunderbird are volunteers. I believe that the builds are done on Mozilla hosted hardware.

[1] https://www.mozilla.org/en-US/security/advisories/

[chii]

why do you care where the patches come from?

[kobayashi]

One might care where the patches come from as a volunteer community could be less reliable over time than the paid Mozilla staff. I know I certainly feel that way.

[raesene9]

But if you prefer security updates from paid employees of an organization rather than volunteers, surely a commercial product rather than a free one would be more suitable for your needs?

[kobayashi]

Not necessarily. I appreciate the values for which Mozilla stands, and those values are entrenched in their products.

[raesene6]

So you're looking for an organisation who will use non-free employees to give you a product for free?

[Endy]

It doesn't feel that way anymore.

[chimeracoder]

> One might care where the patches come from as a volunteer community could be less reliable over time than the paid Mozilla staff. I know I certainly feel that way.

The people who are making these complaints are disproportionately those who have no problem using Debian or Arch, so I don't think that's the crux of the issue for them.