
Re: security related bug report - no maintainer reaction for 1 year

Matt Zimmerman <mdz@debian.org> writes:

> On Tue, Jul 27, 2004 at 10:46:01AM -0700, Brian Nelson wrote:
>> Like this?
>> http://www.mozilla.org/projects/security/known-vulnerabilities.html
> Yes, that list is an excellent place to start.  The next step is to
> determine which of those 80 bugs indeed affect woody, and justify a security
> update, and how to fix them.

Well, up to the November 2003 update, it lists the milestones affected,
and nearly all 63 of those bugs seem to apply to Woody's 1.0 version.
After that, they stopped listing the milestones, probably because it was
too difficult to figure out all the ones affected.

It would be a Herculean task to go through each bug, verify it applies
to Woody, backport the patch required to fix it (if it's even possible
to backport every patch considering how active Mozilla development has
been the past couple years), and come out with something usable.  I'm
certainly not about to try it, especially considering how much easier it
would be to just use the latest Mozilla version instead.

You win again, gravity!
