
Re: Firefox and Sarge

On Sun, Aug 22, 2004 at 08:50:16AM +1000, Andrew Pollock wrote:
> On Fri, Aug 20, 2004 at 03:22:46PM +0900, Mike Hommey wrote:
> > 
> > The main problem, as for sarge release, is that having a 0.9.3 in sarge,
> > i.e. for quite some time without being able to upload a new upstream,
> > might not help getting security fixes for it, especially considering the
> > changes between 0.9 branch and 1.0 branch. If we can get a 1.0rc in sarge,
> > security patches for 1.0 are more likely to apply without harm.
> > 
> I think the main criteria for allowing Sarge to release with Firefox (of any
> version) is whether it can be adequately maintained by the security team for
> 18 months to 2 years forward. If we can avoid something like the
> Squirrelmail mess we had with Woody, that would be a Good Thing.

I think we had the same problem with the pre-1.0 release of regular mozilla in
woody. The only thing I can say is that staying in sync with patches for those
hogs is a nightmare, because developers support only the main release or
the latest one available. Surely supporting pre-1.0 is like committing suicide,
they are _not_ thought for production environments, but for testing.
The only sane thing to do is removing from stable when major problems come up.

Let me add that supporting for a couple of years a 0.8 (or 1.6 for mozilla) version,
when much more complete versions 1.x (2.x) will be available in a few months is indeed
a waste of time: users will upgrade to the latest anyway (by backports or
using a vanilla binary, which is not a bad option at all in many cases for those programs).
IMHO we should simply remove this kind of program at the first point release and
invite users to do the same and move to a newer version.

This points us to the general problem that a 2-year time slice for releasing
is nonsense in the free-software world from many points of view, but it's surely
true for 'workstation' use...

> I'd be a bit wary of trying to provide security support for something as
> fast moving as Firefox. If you reckon that 1.0 is likely to be more
> manageable than a 0.9 release, then it may be doable, otherwise my
> inclination would be to drop it to make life easier. It might be better off
> being managed outside of Sarge on backports.org or something...
> Just my $0.05 worth...
> regards
> Andrew

Francesco P. Lovergine
