FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian User

 
 
LinkBack Thread Tools
 
Old 11-05-2010, 03:00 PM
Sven Joachim
 
Default Mozilla products in Debian

On 2010-11-05 15:38 +0100, Camaleón wrote:

> On Fri, 05 Nov 2010 09:10:44 -0500, Boyd Stephen Smith Jr. wrote:
>
>> On Friday 05 November 2010 08:13:41 Camaleón wrote:
>
>>> > Thirdly, the policy of no new upstream versions after release isn't
>>> > changed for volatile. (It is changed for volatile-sloppy.)
>>>
>>> And that is what people wants to be improved :-)
>>
>> No. That's NOT what those who know and love Debian stable want. The
>> lack of upstream changes is one of the main reasons I use stable on
>> servers.
>
> What happens with Mozilla packages (more exactly with Firefox/Iceweasel)
> is that upstream version correct security flaws, meaning that right now,
> Debian's lenny stock version of Iceweasel is vulnerable to lots of holes
> because Mozilla does not provide support nor pacthes for 3.0.x branch.

That is true, but the Debian iceweasel/xulrunner maintainer and the
security team backport security fixes. Note that most of the problems
are not specific to iceweasel and affect all browsers based on
xulrunner, so they are fixed in the xulrunner-1.9 package which is
updated rather frequently.

> Leaving your users base with a vulnerable browser is not very sane.

Yes, but does iceweasel in lenny actually have big security problems?
The Debian security tracker¹ lists only one unfixed problem that is
hardly critical².

> I see only one reason to force the upgrade of a stock package with a
> newer version and is precisely the lack of support (nor patches) from
> upstream packager.

But for Mozilla based packages the patches are available, it's just that
they are in a different branch and have to be backported. This may not
be ideal, but the situation is hardly worse than with the Linux kernel.

> Hopefully there is "backports" holding these packages, but for Mozilla
> products (which are included in the regular repo) should not be needed -
> to be backported- at all: lenny users should have received 3.5 release by
> means of the security repo.

So that half of their installed extensions are broken after the upgrade?
Does not seem to be a very good idea to me.

Sven


¹ http://security-tracker.debian.org/tracker/source-package/iceweasel
² http://security-tracker.debian.org/tracker/CVE-2009-0777


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 87pquj7oc2.fsf@turtle.gmx.de">http://lists.debian.org/87pquj7oc2.fsf@turtle.gmx.de
 

Thread Tools




All times are GMT. The time now is 12:06 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org