Re: Switching to mozilla ESR in stable-security
- To: debian-devel@lists.debian.org
- Subject: Re: Switching to mozilla ESR in stable-security
- From: Moritz Mühlenhoff <jmm@inutil.org>
- Date: Sun, 2 Jun 2013 10:52:49 +0200
- Message-id: <slrnkqm1v1.4u1.jmm@inutil.org>
- References: <20130528203303.GA5425@pisco.westfalen.local> <201305301520.29815.odyx@debian.org> <20130530132922.GB6316@upsilon.cc> <201305302029.16610.odyx@debian.org>
Didier 'OdyX' Raboud <odyx@debian.org> wrote:
>> FWIW, I don't. I think the compromise that the security team is proposing is
>> much more reasonable than such an alternative.
>
> That compromise (which I do definitely support for wheezy) puzzles me most for
> the precedent it creates: if we "give up" [0] maintaining some of the most
> security-sensitive software up to our stable policy, why should other
> packages be bound to it?
- Having a web browser in the distro is crucial and
$random-other-app-too-buggy-to-support isn't
- Mike has done a terrific job of backporting security fixes (up to 100
security patches per month!), but modern web browsers expose a unique
environment on their own. Even if we backport security fixes (and we
cannot continue any longer since the resources are not there anymore!)
we still miss out on important security enhancements (e.g. lenny-security
missed CSP support). Not to mention the fast-moving browser requirements,
which are not security related (e.g. HTML, WebGL).
- The policy we're following is the intended update policy for enterprise
environments (e.g. Ubuntu updates to the current upstream release even in
their oldest supported distro)
- The ESR releases shipped by Mozilla receive more QA testing than we
could possibly provide for our backports.
Cheers,
Moritz