
Re: [SECURITY] [DSA 810-1] New Mozilla packages fix several vulnerabilities

On Tue, Sep 13, 2005 at 03:01:24PM +0100, Steve Kemp wrote:
> On Tue, Sep 13, 2005 at 09:25:22AM -0400, Roberto C. Sanchez wrote:
> > I am concerned that a version of Mozilla claiming to be an earlier version will
> > eventually break user-installed extensions.  
>   ..
> > There really has to be a better way.
>   The time to make suggestions was probably when Joey asked for
>  help handling Mozilla updates:
> 	http://lists.debian.org/debian-security/2005/07/msg00315.html
Agreed.  However, since I had nothing constructive to offer in an
already busy discussion, I just kept my mouth shut so as not to create
additional noise.

>   It is a hard problem, and the Mozilla folks don't appear to give
>  much assistance for security-only fixes...
I don't mean to imply it is an easy problem.  However, I don't think
that "cloak a new version as the old version" is the right solution.  I
seem to recall at least a few people voiced that opinion in the discussion
Joey started about this topic.  Yet, it appears that their advice was
not taken into consideration, or at least that someone else's advice to
the contrary won out.

Thankfully, I don't have the responsibility of making such a tough
decision.  My only motive in bringing this up was to point out a potential
PR problem (disaster even?) for Debian.  Given how many people use
mozilla-browser (it is #7 in the main/web category), I don't think this
approach, especially given the potential for breakage, is a good thing.

If there are others that share the same thoughts, it may be worthwhile
to reopen the discussion.


Roberto C. Sanchez
