Old 11-05-2010, 07:38 AM
Camaleón
 
Default Mozilla products in Debian (was: A question for the list:)

On Fri, 05 Nov 2010 00:30:11 -0500, Boyd Stephen Smith Jr. wrote:

(...)

> There is a third choice, I guess: Ship firefox / thunderbird in
> non-free. Support for non-free is best-effort, which basically means
> that if upstream is willing to fix it then the security team /
> maintainers will package it. This basically results in Debian stable's
> non-free containing software with known security vulnerabilities that
> Mozilla is unwilling to fix.

How about "volatile"? :-?

ClamAV packages are there precisely for that reason (they need to be
updated -security fixes- very often).

Greetings,

--
Camaleón


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/pan.2010.11.05.08.38.21@gmail.com
 
Old 11-05-2010, 08:04 AM
"Chris"
 
Default Mozilla products in Debian (was: A question for the list:)

Why not simply grab the package from Mozilla and install under /opt?
Sent from my BlackBerry®

-----Original Message-----
From: Camaleón <noelamac@gmail.com>
Date: Fri, 5 Nov 2010 08:38:21
To: <debian-user@lists.debian.org>
Subject: Mozilla products in Debian (was: A question for the list

On Fri, 05 Nov 2010 00:30:11 -0500, Boyd Stephen Smith Jr. wrote:

(...)

> There is a third choice, I guess: Ship firefox / thunderbird in
> non-free. Support for non-free is best-effort, which basically means
> that if upstream is willing to fix it then the security team /
> maintainers will package it. This basically results in Debian stable's
> non-free containing software with known security vulnerabilities that
> Mozilla is unwilling to fix.

How about "volatile"? :-?

ClamAV packages are there precisely for that reason (they need to be
updated -security fixes- very often).

Greetings,

--
Camaleón


 
Old 11-05-2010, 08:10 AM
Camaleón
 
Default Mozilla products in Debian (was: A question for the list:)

On Fri, 05 Nov 2010 09:04:46 +0000, Chris wrote:

>> How about "volatile"? :-?
>>
>> ClamAV packages are there precisely for that reason (they need to be
>> updated -security fixes- very often).
>>
> Why not simply grab the package from mozilla and install under /opt Sent

It lacks system integration (plugins et al).

Besides, Mozilla does not provide 64-bit builds for the stable branch
(AFAIK, only "nightly builds" are available and not for Thunderbird, just
Firefox).

Greetings,

--
Camaleón


Archive: http://lists.debian.org/pan.2010.11.05.09.10.52@gmail.com
 
Old 11-05-2010, 11:54 AM
"Boyd Stephen Smith Jr."
 
Default Mozilla products in Debian (was: A question for the list:)

In <pan.2010.11.05.08.38.21@gmail.com>, Camaleón wrote:
>On Fri, 05 Nov 2010 00:30:11 -0500, Boyd Stephen Smith Jr. wrote:
>> There is a third choice, I guess: Ship firefox / thunderbird in
>> non-free. Support for non-free is best-effort, which basically means
>> that if upstream is willing to fix it then the security team /
>> maintainers will package it. This basically results in Debian stable's
>> non-free containing software with known security vulnerabilities that
>> Mozilla is unwilling to fix.
>
>How about "volatile"? :-?
>
>ClamAV packages are there precisely for that reason (they need to be
>updated -security fixes- very often).

Firstly, only packages that are already in the official repository are
included in volatile. Second, volatile is for packages that need frequent,
non-security updates to maintain functionality (at least in the eyes of some
users). (Updating the virus signature database is not considered a security
update.) Thirdly, the policy of no new upstream versions after release isn't
changed for volatile. (It is changed for volatile-sloppy.) Finally, updating
the Debian package *more often* is the opposite of coming into trademark
compliance.
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
bss@iguanasuicide.net ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/ \_/
 
Old 11-05-2010, 12:13 PM
Camaleón
 
Default Mozilla products in Debian (was: A question for the list:)

On Fri, 05 Nov 2010 07:54:29 -0500, Boyd Stephen Smith Jr. wrote:

> In <pan.2010.11.05.08.38.21@gmail.com>, Camaleón wrote:
>>On Fri, 05 Nov 2010 00:30:11 -0500, Boyd Stephen Smith Jr. wrote:
>>> There is a third choice, I guess: Ship firefox / thunderbird in
>>> non-free. Support for non-free is best-effort, which basically means
>>> that if upstream is willing to fix it then the security team /
>>> maintainers will package it. This basically results in Debian
>>> stable's non-free containing software with known security
>>> vulnerabilities that Mozilla is unwilling to fix.
>>
>>How about "volatile"? :-?
>>
>>ClamAV packages are there precisely for that reason (they need to be
>>updated -security fixes- very often).
>
> Firstly, only packages that are already in the official repository are
> included in volatile.

Icedove and Iceweasel are.

> Second, volatile is for packages that need
> frequent, non-security updates to maintain functionality (at least in
> the eyes of some users). (Updating the virus signature database is not
> considered a security update.)

AFAIK, ClamAV packages are fully upgraded (not only for fetching new
signatures but the whole program).

> Thirdly, the policy of no new upstream
> versions after release isn't changed for volatile. (It is changed for
> volatile-sloppy.)

And that is what people want to be improved :-)

> Finally, updating the Debian package *more often* is
> the opposite of coming into trademark compliance.

You know what other "non-rolling" distros do in this case: stock
versions of the programs remain unchanged and maintained for the time the
distribution is supported but in parallel there are satellite repositories/
forges where users can get upgraded versions of the most used programs
(OOo suite, Mozilla products, etc...). These are not backported apps but
new builds matching each version.

Greetings,

--
Camaleón


Archive: http://lists.debian.org/pan.2010.11.05.13.13.40@gmail.com
 
Old 11-05-2010, 01:10 PM
"Boyd Stephen Smith Jr."
 
Default Mozilla products in Debian (was: A question for the list:)

On Friday 05 November 2010 08:13:41 Camaleón wrote:
> On Fri, 05 Nov 2010 07:54:29 -0500, Boyd Stephen Smith Jr. wrote:
> > In <pan.2010.11.05.08.38.21@gmail.com>, Camaleón wrote:
> >>On Fri, 05 Nov 2010 00:30:11 -0500, Boyd Stephen Smith Jr. wrote:
> >>> There is a third choice, I guess: Ship firefox / thunderbird in
> >>> non-free. Support for non-free is best-effort, which basically means
> >>> that if upstream is willing to fix it then the security team /
> >>> maintainers will package it. This basically results in Debian
> >>> stable's non-free containing software with known security
> >>> vulnerabilities that Mozilla is unwilling to fix.
> >>
> >>How about "volatile"? :-?
> >>
> >>ClamAV packages are there precisely for that reason (they need to be
> >>updated -security fixes- very often).
> >>
> > Firstly, only packages that are already in the official repository are
> > included in volatile.
>
> Icedove and Iceweasel are.

Yes, but the original request was for Firefox and Thunderbird.

> > Second, volatile is for packages that need
> > frequent, non-security updates to maintain functionality (at least in
> > the eyes of some users). (Updating the virus signature database is not
> > considered a security update.)
>
> AFAIK, ClamAV packages are fully upgraded (not only for fetching new
> signatures but the whole program).

In any case, they are not "security upgrades" in the Debian sense. They do
not fix vulnerabilities in the ClamAV package.

FWIW, even ClamAV in volatile avoids new upstream versions unless old versions
are unable to function.

> > Thirdly, the policy of no new upstream
> > versions after release isn't changed for volatile. (It is changed for
> > volatile-sloppy.)
>
> And that is what people want to be improved :-)

No. That's NOT what those who know and love Debian stable want. The lack of
upstream changes is one of the main reasons I use stable on servers.

> > Finally, updating the Debian package *more often* is
> > the opposite of coming into trademark compliance.
>
> You know what other "non-rolling" distros do in this case: stock
> versions of the programs remain unchanged and maintained for the time the
> distribution is supported but in parallel there are satellite repositories/
> forges.

1. Backports contains new upstream versions compiled in a released Debian
environment. When Squeeze is released we should have an official backports
service.

2. No one is preventing anyone from creating such repositories. Debian is a
volunteer project. Existing DDs seem to like the status quo at least to some
degree (existing policy can be changed if there is sufficient support for a
change). New volunteers can work on whatever they like and the process of
becoming a DD is well-documented and always open.
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
bss@iguanasuicide.net ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/ \_/
 
Old 11-05-2010, 01:38 PM
Camaleón
 
Default Mozilla products in Debian (was: A question for the list:)

On Fri, 05 Nov 2010 09:10:44 -0500, Boyd Stephen Smith Jr. wrote:

> On Friday 05 November 2010 08:13:41 Camaleón wrote:

>> > Thirdly, the policy of no new upstream versions after release isn't
>> > changed for volatile. (It is changed for volatile-sloppy.)
>>
>> And that is what people want to be improved :-)
>
> No. That's NOT what those who know and love Debian stable want. The
> lack of upstream changes is one of the main reasons I use stable on
> servers.

What happens with Mozilla packages (more exactly with Firefox/Iceweasel)
is that upstream versions correct security flaws, meaning that right now,
Debian's lenny stock version of Iceweasel is vulnerable to lots of holes
because Mozilla does not provide support or patches for the 3.0.x branch.

Leaving your user base with a vulnerable browser is not very sane.

I see only one reason to force the upgrade of a stock package with a
newer version and it is precisely the lack of support (or patches) from
the upstream packager.

Hopefully there is "backports" holding these packages, but for Mozilla
products (which are included in the regular repo) it should not be needed
-to be backported- at all: lenny users should have received the 3.5 release
by means of the security repo.

Greetings,

--
Camaleón


Archive: http://lists.debian.org/pan.2010.11.05.14.38.32@gmail.com
 
Old 11-05-2010, 01:42 PM
Klistvud
 
Default Mozilla products in Debian (was: A question for the list:)

On 05. 11. 2010 15:10:44, Boyd Stephen Smith Jr. wrote:

> No. That's NOT what those who know and love Debian stable want. The
> lack of upstream changes is one of the main reasons I use stable on
> servers.


+1
You can say that again.

--
Cheerio,

Klistvud
http://bufferoverflow.tiddlyspot.com
Certifiable Loonix User #481801 Please reply to the list, not to
me.



Archive: http://lists.debian.org/1288968132.6711.7@compax
 
Old 11-05-2010, 09:30 PM
Kamaraju S Kusumanchi
 
Default Mozilla products in Debian (was: A question for the list:)

Klistvud wrote:

> On 05. 11. 2010 15:10:44, Boyd Stephen Smith Jr. wrote:
>
>> No. That's NOT what those who know and love Debian stable want. The
>> lack of
>> upstream changes is one of the main reasons I use stable on servers.
>
> +1
> You can say that again.
>

+2

Seriously! I do not understand people's itch to install the latest version.
Just because it has a high version number does not mean it is more secure.

regards
--
Kamaraju S Kusumanchi
http://malayamaarutham.blogspot.com/


Archive: http://lists.debian.org/ib20ge$t99$2@dough.gmane.org
 
Old 11-06-2010, 09:31 AM
Klistvud
 
Default Mozilla products in Debian (was: A question for the list:)

On 05. 11. 2010 23:30:19, Kamaraju S Kusumanchi wrote:

> Klistvud wrote:
>
>> On 05. 11. 2010 15:10:44, Boyd Stephen Smith Jr. wrote:
>>
>>> No. That's NOT what those who know and love Debian stable want. The
>>> lack of upstream changes is one of the main reasons I use stable on
>>> servers.
>>
>> +1
>> You can say that again.
>
> +2
>
> Seriously! I do not understand people's itch to install the latest
> version.


Oh, it's not that I do not understand them, I do. I just wish they
would stop trying to win us over: just agree to disagree and leave it
at that.


--
Cheerio,

Klistvud
http://bufferoverflow.tiddlyspot.com
Certifiable Loonix User #481801 Please reply to the list, not to
me.



Archive: http://lists.debian.org/1289039514.6711.8@compax
 
