Hello.
As is currently being discussed on debian-security [1], the security team
has a hard time supporting the mozilla family of packages because of an
unfriendly upstream policy - they don't want to isolate security fixes
from the large changesets of new upstream releases. And given the huge size
of the package, isolating security patches at the Debian level also fails.
So options seem to be:
(1) keep vulnerable packages in stable,
(2) remove affected packages from distribution,
(3) allow new upstream into stable.
(1) is how it was done in woody times; however, I think that most people
agree that it is a very bad option to keep users' systems vulnerable.
(2) may be a solution - but since mozilla and related packages (firefox,
thunderbird, galeon) are widely used, removing them looks like a serious
violation of the SC ("Debian supports its users").
(3) is against the way Debian has worked for years. However, isn't it
time to tune our processes to keep up with real-world issues better?
Maybe in rare cases like this one, when there seems to be no other way to
keep an important package set secure, we should allow new upstream into
Debian Stable?
This should be an extremely rare situation; probably approval from the
Technical Committee should be needed in each case.
What do you think about this?
[1] http://lists.debian.org/debian-security/2005/07/msg00315.html