Old 11-05-2010, 03:48 PM
Camaleón
 
Mozilla products in Debian

On Fri, 05 Nov 2010 17:00:13 +0100, Sven Joachim wrote:

> On 2010-11-05 15:38 +0100, Camaleón wrote:
>
>> What happens with Mozilla packages (more exactly with
>> Firefox/Iceweasel) is that upstream version correct security flaws,
>> meaning that right now, Debian's lenny stock version of Iceweasel is
>> vulnerable to lots of holes because Mozilla does not provide support
>> nor patches for 3.0.x branch.
>
> That is true, but the Debian iceweasel/xulrunner maintainer and the
> security team backport security fixes.

How is that possible? :-?

As soon as Mozilla stopped offering security patches and left tracking
the 3.0.x branch, there can be "hidden" bugs that neither Mozilla nor
Debian can be aware of.

> Note that most of the problems
> are not specific to iceweasel and affect all browsers based on
> xulrunner, so they are fixed in the xulrunner-1.9 package which is
> updated rather frequently.

Mmm, current xulrunner upstream release is 1.9.2 that matches Firefox
3.6. Now I've got installed 1.9.0.19-6 (matching my icedove version).

>> Leaving your users base with a vulnerable browser is not very sane.
>
> Yes, but does iceweasel in lenny actually have big security problems?
> The Debian security tracker¹ lists only one unfixed problem that is
> hardly critical².

Do you think Debian packages include all these bug fixes?

http://www.mozilla.org/security/known-vulnerabilities/firefox30.html

>> I see only one reason to force the upgrade of a stock package with a
>> newer version and is precisely the lack of support (nor patches) from
>> upstream packager.
>
> But for Mozilla based packages the patches are available, it's just that
> they are in a different branch and have to be backported. This may not
> be ideal, but the situation is hardly worse than with the Linux kernel.

Yes, a backported package is better than nothing, I agree.

>> Hopefully there is "backports" holding these packages, but for Mozilla
>> products (which are included in the regular repo) should not be needed
>> - to be backported- at all: lenny users should have received 3.5
>> release by means of the security repo.
>
> So that half of their installed extensions are broken after the upgrade?
> Does not seem to be a very good idea to me.

I prefer having no extensions at all than browsing the web with an
unsupported browser :-). Anyway, you could choose not updating Iceweasel
and keep the old branch...

Greetings,

--
Camaleón


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/pan.2010.11.05.16.48.30@gmail.com
 
Old 11-05-2010, 05:48 PM
Sven Joachim
 
Mozilla products in Debian

On 2010-11-05 17:48 +0100, Camaleón wrote:

> On Fri, 05 Nov 2010 17:00:13 +0100, Sven Joachim wrote:
>
>> That is true, but the Debian iceweasel/xulrunner maintainer and the
>> security team backport security fixes.
>
> How is that possible? :-?
>
> As soon as Mozilla stopped offering security patches and left tracking
> the 3.0.x branch, there can be "hidden" bugs that neither Mozilla nor
> Debian can be aware of.

There also can be^W^W are hidden bugs in the 3.6 branch which Mozilla
and Debian are not aware of. Of course there is the possibility that in
the meantime Mozilla had inadvertently fixed some security bug in the
3.5/3.6 branches without knowing it, so that only 3.0 is vulnerable.

>> Note that most of the problems
>> are not specific to iceweasel and affect all browsers based on
>> xulrunner, so they are fixed in the xulrunner-1.9 package which is
>> updated rather frequently.
>
> Mmm, current xulrunner upstream release is 1.9.2 that matches Firefox
> 3.6. Now I've got installed 1.9.0.19-6 (matching my icedove version).

Reading the Debian changelog for that should give you a good idea what
security bugs got fixed.

> Do you think Debian packages include all these bug fixes?
>
> http://www.mozilla.org/security/known-vulnerabilities/firefox30.html

No, MFSA 2009-11 is not fixed (that is a Firefox-only bug). The others
should be fixed, but I did not check everything myself.

>>> Hopefully there is "backports" holding these packages, but for Mozilla
>>> products (which are included in the regular repo) should not be needed
>>> - to be backported- at all: lenny users should have received 3.5
>>> release by means of the security repo.
>>
>> So that half of their installed extensions are broken after the upgrade?
>> Does not seem to be a very good idea to me.
>
> I prefer having no extensions at all than browsing the web with an
> unsupported browser :-). Anyway, you could choose not updating Iceweasel
> and keep the old branch...

Which is what quite a few people would do, I fear. The current
situation where the old version still gets security updates from Debian
while newer versions are available from lenny-backports is IMO better.

Sven


Archive: http://lists.debian.org/87zktn61zv.fsf@turtle.gmx.de
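Sven's advice above is to read the Debian changelog of the installed xulrunner package to see which security bugs were backported, which is also the practical answer to "do the Debian packages include all these fixes?". The following POSIX shell script is an added example, not from the thread and not Debian tooling: it pulls the CVE and MFSA ids out of a changelog and reports which of a given set of advisories are mentioned and which are not. The changelog text, the package version in it and every CVE/MFSA number it contains are constructed for illustration; on a real system the input would be /usr/share/doc/<package>/changelog.Debian.gz or the output of `apt-get changelog <package>`.

```shell
#!/bin/sh
# Added example (not from the thread, not Debian tooling): list the security
# advisories a Debian changelog says it fixes and check a set of advisory ids
# against that list. On a real system the changelog would come from
# /usr/share/doc/<package>/changelog.Debian.gz or `apt-get changelog <package>`;
# the text below, including the package version and every CVE/MFSA number in
# it, is constructed for illustration.

SAMPLE_CHANGELOG='xulrunner (1.9.0.19-6) stable-security; urgency=high

  * Backport upstream fixes for CVE-2010-0001 and CVE-2010-0002.
  * Refresh patch for CVE-2010-0002 after rebase (constructed entry).

 -- Example Maintainer <maint@example.org>  Mon, 01 Nov 2010 12:00:00 +0100

xulrunner (1.9.0.19-5) stable-security; urgency=high

  * Fix CVE-2010-0003 and MFSA 2010-99 (constructed entry).

 -- Example Maintainer <maint@example.org>  Fri, 01 Oct 2010 12:00:00 +0200
'

# Normalise an advisory id so "MFSA 2010-99" and "MFSA-2010-99" compare equal.
norm_id() {
    printf '%s\n' "$1" | sed 's/^MFSA /MFSA-/'
}

# Read a changelog on stdin; print the distinct CVE and MFSA ids it mentions,
# one per line, sorted.
fixed_ids() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}|MFSA[ -][0-9]{4}-[0-9]{2,}' \
        | sed 's/^MFSA /MFSA-/' | sort -u
}

# Read a changelog on stdin and take advisory ids as arguments; print
# "<id> FIXED" or "<id> MISSING" for each id. Returns 1 if any id is
# missing, so the function can gate a script or a periodic check.
check_advisories() {
    fixed=$(fixed_ids)
    rc=0
    for raw in "$@"; do
        id=$(norm_id "$raw")
        if printf '%s\n' "$fixed" | grep -qx -- "$id"; then
            echo "$id FIXED"
        else
            echo "$id MISSING"
            rc=1
        fi
    done
    return "$rc"
}

# Demo on the constructed changelog: two ids are covered, one is not.
printf '%s' "$SAMPLE_CHANGELOG" \
    | check_advisories CVE-2010-0001 "MFSA 2010-99" CVE-2010-0009 \
    || echo "at least one advisory is not mentioned in this changelog"
```

Mozilla's known-vulnerabilities page lists advisories by MFSA number while Debian changelogs normally cite CVE ids, so in practice you look up the CVE ids on each MFSA page and feed those to `check_advisories`. A "MISSING" result only means the changelog does not mention the id; the package may still not be affected, which is what the Debian security tracker entry for the CVE settles.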
 
Old 11-05-2010, 07:07 PM
Camaleón
 
Mozilla products in Debian

On Fri, 05 Nov 2010 19:48:04 +0100, Sven Joachim wrote:

> On 2010-11-05 17:48 +0100, Camaleón wrote:
>
>> Do you think Debian packages include all these bug fixes?
>>
>> http://www.mozilla.org/security/known-vulnerabilities/firefox30.html
>
> No, MFSA 2009-11 is not fixed (that is a Firefox-only bug). The others
> should be fixed, but I did not check everything myself.

I've just remembered the Lenny Release Notes:

http://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#mozilla-security

So, I wonder what is the current/real security status for Iceweasel.

I do not know why Mozilla products have to follow a different path than
other products. For instance, would Debian security policy allow leaving
an old package that is not maintained anymore upstream?

<dreaming mode on>

Let's imagine for a moment that SpamAssassin drops support (=no more
security patches) for its 3.2.x branch... Lenny users will be highly
exposed to any security flaw that can affect the old/unmaintained branch.
Shouldn't they be updated to the latest/maintained upstream package via
standard security updates?

Let's face the situation:

1/ No updating means several servers running lenny are at risk of being
exploited.

2/ Updating to the new branch can break current setups but a notice about
the branch change and detailed steps on how to perform the change could
prevent users from breaking their current setup.

I, for myself, prefer to get the updated package, perform the upgrade,
carefully read the docs to get a soft transition to the new branch and
keep my e-mail server secure (remember that lenny has still a long full
year of support).

</dreaming mode off>

That was a hypothetical situation but is what has happened with Mozilla
products. I mean, knowing that Mozilla has a very quick development
strategy, wouldn't it be preferable to care about that instead of just
warning the users in Release Notes and leaving them in a kind of limbo?

Greetings,

--
Camaleón


Archive: http://lists.debian.org/pan.2010.11.05.20.07.11@gmail.com
 
Old 11-05-2010, 10:11 PM
Doug
 
Mozilla products in Debian

On 11/5/2010 12:00 PM, Sven Joachim wrote:
> On 2010-11-05 15:38 +0100, Camaleón wrote:
>
>> On Fri, 05 Nov 2010 09:10:44 -0500, Boyd Stephen Smith Jr. wrote:
>>
/snip/
>>
>> I see only one reason to force the upgrade of a stock package with a
>> newer version and is precisely the lack of support (nor patches) from
>> upstream packager.
>>
/snip/

I see _no_ reason to force the upgrade of any package, whether it is
"maintained" or not, so long as it works. Right now I have a broken
system since PCLOS forced me to "upgrade" synaptiks. It was working
perfectly the way it was, and so was the OS. Now the OS is shot all
to hell, and I'm not sure what to do about it. Two previous attempts
to upgrade the OS from 2010 to 2010.07 went down in flames, and now I
suppose I will have to try .10 and see what happens. What may very well
happen is that I run the XP that I got with the laptop. It's not as
smart or as interesting as PCLOS, but it seems to be less likely to crash.

--doug

Blessed are the peacemakers...for they shall be shot at from both sides.
--A.M. Greeley




Archive: http://lists.debian.org/4CD48F37.1030200@optonline.net
 
Old 11-05-2010, 10:47 PM
Rob Owens
 
Mozilla products in Debian

On Fri, Nov 05, 2010 at 08:07:13PM +0000, Camaleón wrote:
> On Fri, 05 Nov 2010 19:48:04 +0100, Sven Joachim wrote:
>
> > On 2010-11-05 17:48 +0100, Camaleón wrote:
> >
> >> Do you think Debian packages include all these bug fixes?
> >>
> >> http://www.mozilla.org/security/known-vulnerabilities/firefox30.html
> >
> > No, MFSA 2009-11 is not fixed (that is a Firefox-only bug). The others
> > should be fixed, but I did not check everything myself.
>
> I've just remembered the Lenny Release Notes:
>
> http://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#mozilla-security
>
> So, I wonder what is the current/real security status for Iceweasel.
>
> I do not know why Mozilla products have to follow a different path than
> other products. For instance, would Debian security policy allow leaving
> an old package that is not maintained anymore upstream?
>
> <dreaming mode on>
>
> Let's imagine for a moment that SpamAssassin drops support (=no more
> security patches) for its 3.2.x branch... Lenny users will be highly
> exposed to any security flaw that can affect the old/unmaintained branch.
> Shouldn't they be updated to the latest/maintained upstream package via
> standard security updates?
>
> Let's face the situation:
>
> 1/ No updating means several servers running lenny are at risk of being
> exploited.
>
> 2/ Updating to the new branch can break current setups but a notice about
> the branch change and detailed steps on how to perform the change could
> prevent users from breaking their current setup.
>
> I, for myself, prefer to get the updated package, perform the upgrade,
> carefully read the docs to get a soft transition to the new branch and
> keep my e-mail server secure (remember that lenny has still a long full
> year of support).
>
> </dreaming mode off>
>
What I would like (and think they should have done in the case of
Iceweasel) is issue a security update that is simply a message to the
admin that stable's version of Iceweasel is now unsupported. The
security update should not automatically upgrade Iceweasel to the
backports version, but it should suggest this to the admin as a wise
course of action.

-Rob


Archive: http://lists.debian.org/20101105234757.GA12261@aurora.owens.net
 
Old 11-06-2010, 05:05 AM
"Boyd Stephen Smith Jr."
 
Mozilla products in Debian

In <pan.2010.11.05.16.48.30@gmail.com>, Camaleón wrote:
> I prefer having no extensions at all than browsing the web with an
> unsupported browser :-).

Iceweasel 3.0.x isn't unsupported; Firefox 3.0.x is.[1] Security groups don't
stop disclosing vulnerabilities when Mozilla decides to stop supplying patches
and the security team (time permitting) and iceweasel maintainers can develop
and apply patches to iceweasel.

The ideal is that improvement of all Debian programs is done in collaboration
with upstream. That's not always the case; then DDs have to fill that role or
drop the package. (Disregarding all the packages where Debian or a specific
DD *is* upstream.)
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
bss@iguanasuicide.net ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/ \_/

[1] I could be wrong, I think iceweasel in Lenny was still getting security
support.
 
Old 11-06-2010, 10:24 AM
Camaleón
 
Mozilla products in Debian

On Fri, 05 Nov 2010 19:11:51 -0400, Doug wrote:

>> On 2010-11-05 15:38 +0100, Camaleón wrote:
>>
> /snip/
>>
>>> I see only one reason to force the upgrade of a stock package with a
>>> newer version and is precisely the lack of support (nor patches) from
>>> upstream packager.
>>
> /snip/

You are quoting in the wrong way, I guess. The above paragraph is mine...

> I see _no_ reason to force the upgrade of any package, whether it is
> "maintained" or not, so long as it works.

(...)

So you prefer a working system but vulnerable to threats and exploits? I
cannot leave a server in that state. Not attached to Internet.

"Stable" should not be (by any means) a synonym of "vulnerable" :-/

I'm fine with _old packages_ provided they are still maintained and
tracked upstream for security flaws. I'm fine with kernel 2.6.26 (don't
need a newer release, don't need adding new features). But we all know
what "unmaintained/unsupported" means: no more eyes catching security
issues.

Greetings,

--
Camaleón


Archive: http://lists.debian.org/pan.2010.11.06.11.24.18@gmail.com
 
Old 11-06-2010, 10:42 AM
Rob Owens
 
Mozilla products in Debian

On Sat, Nov 06, 2010 at 01:05:44AM -0500, Boyd Stephen Smith Jr. wrote:
> The ideal is that improvement of all Debian programs is done in collaboration
> with upstream. That's not always the case; then DDs have to fill that role or
> drop the package. (Disregarding all the packages where Debian or a specific
> DD *is* upstream.)

Is there a procedure in place for dropping a package from stable? Do
the rules allow it?

-Rob


Archive: http://lists.debian.org/20101106114238.GA15155@aurora.owens.net
 
Old 11-06-2010, 11:12 AM
Sven Joachim
 
Mozilla products in Debian

On 2010-11-06 12:42 +0100, Rob Owens wrote:

> Is there a procedure in place for dropping a package from stable?

Yes, this actually happens from time to time.

> Do the rules allow it?

Yes, but currently only at point releases.

Sven


Archive: http://lists.debian.org/878w16wsze.fsf@turtle.gmx.de
 
Old 11-07-2010, 05:40 PM
Andrei Popescu
 
Mozilla products in Debian

On Vi, 05 nov 10, 19:47:58, Rob Owens wrote:
> >
> What I would like (and think they should have done in the case of
> Iceweasel) is issue a security update that is simply a message to the
> admin that stable's version of Iceweasel is now unsupported. The
> security update should not automatically upgrade Iceweasel to the
> backports version, but it should suggest this to the admin as a wise
> course of action.

And this has happened in the past (for Etch as far as I recall, but you
can search the archives). AFAICT iceweasel in lenny is still supported.

Regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
 
