
Re: Security updates realized by new releases, case for backports?



On 03-10-13 16:44, Marko Randjelovic wrote:
> On Thu, 03 Oct 2013 14:37:22 +0200 Paul van der Vlis
> <paul@vandervlis.nl> wrote:
> 
>> Hello,
>> 
>> In some cases security updates for packages in main are realized
>> by new releases, e.g. Iceweasel and Wordpress. Such packages can
>> give problems, e.g. in Wordpress there are missing themes.
>> 
>> In my opinion such packages should be added to backports and then 
>> declared "end of life" in main. I think it's common to take extra
>> care with backports.
>> 
>> Backports could be enabled by default in a new release, e.g. to
>> have Iceweasel in a fresh install.
>> 
>> What's your opinion?
>> 
>> With regards, Paul van der Vlis.
>> 
> Obviously, web browsers and web applications are critical for security
> because they are exposed to eventual attacks. Hence, I agree they
> should not be updated to new upstream version but instead only
> backported with security patches. 

It would be nice if it were possible for the security team to make
backported security patches.

But I must say I am happy with the new versions of the browser.

My point is that I don't like that those new versions are coming from
stable-security. I would like to have them in the backports-repository.
In my opinion main should have no new versions, only security patches.

> But with web browsers the situation is
> even more complicated because web sites are constantly using newer
> features, support for old browsers is dropped and old browsers
> gradually become less and less usable. It is not the problem with
> Debian, but with relevant web sites, i.e. their way of development,
> but we must provide people who need it new web browsers and I agree
> it should be via backports. 

Nice to hear you agree.

> But probably we could also provide some
> intermediary solution, e.g. Konqueror backport that will not be
> newest, but newer than in stable?

I would like it if there were many backports, but I don't use
KDE/Konqueror myself.

As far as I know, browsers like Konqueror, Epiphany and Midori do not have
real security support in Debian. See:
http://www.debian.org/releases/wheezy/amd64/release-notes/ch-information.en.html#browser-security

With regards,
Paul van der Vlis.


-- 
Paul van der Vlis Linux systeembeheer, Groningen
http://www.vandervlis.nl/

