
Re: xulrunner 1.9.2 into sid?

On Tue, 29 Jun 2010 22:26:04 +0200, Stefano Zacchiroli wrote:
> On Tue, Jun 29, 2010 at 12:35:19PM -0400, Joey Hess wrote:
> > This apparently well-meaning idea that we can improve Debian's
> > security etc by talking people out of doing jobs that they have
> > volunteered to do, and are doing, is a recent trend that I really
> > don't understand.
> Amen.
> On Tue, Jun 29, 2010 at 01:34:46PM -0400, Michael Gilbert wrote:
> > I really hope I haven't come across this way.  It was certainly not
> > my intention.  Like I said in my first post to this discussion, I think
> > a debate on the merit of the status quo with respect to the mozilla
> > packages is greatly needed right now.  If the result of this debate is
> > maintaining the status quo, then that's just fine with me, but at least
> > all of the dirty laundry has been aired, and an informed decision made.
> Well, I confess that it did come across that way also to me, and
> probably to many others. The impression was something like: “someone not
> working on iceweasel security in Debian is trying to convince someone
> else who is working on that, not only to stop, but also to throw out
> of the Debian main archive iceweasel altogether”.
> Try looking at it that way for a minute and you surely understand how
> surreal the debate looked like from the outside :-)

I can certainly see that perspective, and I can see now that I've chosen
my words poorly, which has led to a major communication breakdown.

Hopefully restating clearly this time: my proposal is to no longer
distribute mozilla packages in the main stable repository; instead they
can be maintained in backports (or volatile) at the choosing of the
maintainers of those packages (or converted to webkit to remain in
stable main). I propose no changes to the mozilla packages in unstable
or experimental.

> > As for my non-involvement in mozilla security, that actually isn't
> > true.  I actually spent a great deal of effort to triage all of the
> > mozilla issues in the security tracker about a year ago, and submitted
> > bugs for the open ones. However, as a user, I have no access to
> > mozilla patches, so I could go no further.  I did what I could to
> > improve mozilla security, then I just simply lost interest because I
> > found webkit to be actually tractable.
> To the risk of repeating myself, Debian is a do-ocracy: who does the
> work and does it well (as in this case!) gets the right to decide. If
> you stopped working on iceweasel security, you kind of gave up your
> rights of directly affecting the course of the package.

Understood; however, ill-conceived security disclosure policies impede
this process. I would fix the issues myself, but I am restricted from
doing so because of upstream mozilla disclosure policy.  That policy is
the primary reason that I am no longer interested in mozilla.  I don't
really see my interests changing without changes happening upstream.

Best wishes,
