
Re: Switching to mozilla ESR in stable-security



On Thursday, 30 May 2013 15:29:22, Stefano Zacchiroli wrote:
> On Thu, May 30, 2013 at 03:20:29PM +0200, Didier 'OdyX' Raboud wrote:
> > > Which web browsers would remain in stable if we applied this criterion
> > > consistently?
> > 
> > Although that makes me very sad, if we (collectively) give up packaging
> > browser extensions (hence letting our users rely on third-party
> > repositories to get access to [non-]free binaries) and frozen browsers
> > in stable, then maybe the correct answer to your question is "none".
> 
> And do you think that would be the best outcome for Debian users?

No, not unless we'd provide said browsers in a different suite (hence the 
bikeshed proposal). That would make the difference in applied security policies 
clearer, IMHO.

> FWIW, I don't. I think the compromise that the security team is proposing is
> much more reasonable than such an alternative.

That compromise (which I do definitely support for wheezy) puzzles me most for 
the precedent it creates: if we "give up" [0] maintaining some of the most 
security-sensitive software up to our stable policy, why should other 
packages be bound to it?

> Note that the presence of non-free extensions in the 3rd party
> repositories that come pre-configured with Debian-distributed browsers
> (and increasingly more other software) is a different problem.

The problem is equally worrying for both free and non-free extensions IMHO. 
Christoph worded it better than I could [1].

> And one we should tackle, IMHO, but that's for a separate discussion.

I'm not sure it's that much of a separate discussion: as the original message 
mentioned, we'll get the ESR17 and then ESR24 version of Firefox/Iceweasel in 
Wheezy, including the new features related to extensions and 3rd party 
repositories, which are out of our control. I must admit though that I don't 
know precisely how this area evolves and I do trust the "Maintainers of 
Mozilla-related packages" to do it right.

Cheers,

OdyX

[0] And that's _definitely_ not meant as finger-pointing at anyone.
[1] <1369924284.5345.7.camel@fermat.scientia.net>