Re: Switching to mozilla ESR in stable-security
On Thursday, 30 May 2013 15.29:22, Stefano Zacchiroli wrote:
> On Thu, May 30, 2013 at 03:20:29PM +0200, Didier 'OdyX' Raboud wrote:
> > > Which web browsers would remain in stable if we applied this criterion
> > > consistently?
> >
> > Although that makes me very sad, if we (collectively) give up packaging
> > browser extensions (hence letting our users rely on third-party
> > repositories to get access to [non-]free binaries) and frozen browsers
> > in stable, then maybe the correct answer to your question is "none".
>
> And do you think that would be the best outcome for Debian users?
No, not unless we'd provide said browsers in a different suite (hence the
bikeshed proposal). That would make the difference in applied security policies
clearer, IMHO.
> FWIW, I don't. I think the compromise that the security team is proposing is
> much more reasonable than such an alternative.
That compromise (which I do definitely support for wheezy) puzzles me most for
the precedent it creates: if we "give up" [0] maintaining some of the most
security-sensitive software up to our stable policy, why should other
packages be bound to it?
> Note that the presence of non-free extensions in the 3rd party
> repositories that come pre-configured with Debian-distributed browsers
> (and increasingly more other software) is a different problem.
The problem is equally worrying for both free and non-free extensions IMHO.
Christoph worded it better than I could [1].
> And one we should tackle, IMHO, but that's for a separate discussion.
I'm not sure it's that much of a separate discussion: as the original message
mentioned, we'll get the ESR17 and then ESR24 version of Firefox/Iceweasel in
Wheezy, including the new features related to extensions and 3rd party
repositories, which are out of our control. I must admit though that I don't
know precisely how this area evolves and I do trust the "Maintainers of
Mozilla-related packages" to do it right.
Cheers,
OdyX
[0] And that's _definitely_ not meant as finger-pointing at anyone.
[1] <1369924284.5345.7.camel@fermat.scientia.net>