
Re: How should we handle greenbone-security-assistant?



On Fri, Dec 18, 2020 at 05:12:53PM +0100, Jonas Smedegaard wrote:
> Quoting Adrian Bunk (2020-12-18 15:36:23)
> > On Fri, Dec 18, 2020 at 01:33:33PM +0100, Jonas Smedegaard wrote:
> > > It is indeed not realistic to fit all fast-changing code projects 
> > > into Debian.  We have made a few fast-paced projects like Firefox 
> > > fit, but in my opinion we did that in a problematic way: By 
> > > endorsing embedded code copies, which is painful to maintain.
> > > 
> > > I think we should not relax our rules, but (improve our packages so 
> > > that we can) tighten our rules to apply more consistently - e.g. 
> > > avoid embedded code copies also in Firefox.
> > 
> > Embedded code copies are the smallest problem with Firefox, and on 
> > that I would actually trust Mozilla to release fixes quickly.
> 
> I do trust Mozilla to release fixes quickly - my point was a different 
> one: Mozilla and Google and GNOME and KDE each being quick to release 
> fixes for libusrsctp or some other embedded library is still different 
> from linking with a shared copy.

Firefox in unstable is mostly using shared libraries; in (old)stable it 
is using some static libraries because Firefox wants more recent 
versions than are in the distribution.

The big problem is that Firefox is not security supportable without 
upgrading to new upstream versions that are not on the same stable 
branch. Such software is not suitable for distributions with 
security-supported stable series like Debian or Ubuntu.

>  - Jonas

cu
Adrian

