Bug#400311: Bug#390441: Please provide references
On Saturday 02 December 2006 07:55, Moritz Muehlenhoff wrote:
> On Fri, Nov 17, 2006 at 03:52:41AM -0500, Filipus Klutiero wrote:
> > Hi Moritz,
> > I'd like you to clarify two things. First, please provide a reference
> > for "[Mozilla's] security policy is to urge users to update to new
> > upstream versions". While I don't doubt that I could find more or less
> > official references for similar statements, this precise statement may be
> > perceived as "unfriendly" if it's inexact.
> > Second, was this discussed somewhere or is this speculation? If there was
> > discussion somewhere, please provide a reference.
>
> Most of it was private communication, but there are statements from Mozilla
> people about security support in bug 354622
>
>  As for your straw man about security bugs, what security bugs would you
>  be fixing with your own patches?  If there are security bugs, they
>  should be fixed upstream, not in your own tree.  We've had this
>  discussion repeatedly in the context of the security group, and we
>  expect that branded builds of x.y.z from <insert distro here> will be
>  the source tarball/cvs tag for x.y.z plus the set of approved patches.
>  We do not want to get into the fools' game of cherry-picking patches, or
>  individual distros deciding that Patch A isn't "security-oriented" enough.
>
> And:
>
>  Other vendors (i.e. even Red Hat Enterprise Linux) have chosen to
>  upgrade, rather than backport, as that becomes progressively more
>  difficult and risky in the face of ongoing security-driven
>  rearchitecture.  If there were no official releases on that branch, and
>  distros expressed interest in maintaining that branch, we would have to
>  figure out a reasonable path forward.  That would likely be best handled
>  by continuing to check in with appropriate review to the affected
>  branch(es) and doing periodic tags so that multiple distros could
>  benefit.  It is unlikely that a single distro would want to commit that
>  much effort on their own, of course, which is why people are upgrading
>  instead of continuing to maintain a branch.  Red Hat, Sun and IBM kept
>  the Mozilla Suite 1.4 branch around like that for a couple years, but
>  realized it was less work to migrate customers.
>
> Cheers,
>         Moritz

Moritz: Thank you. I opened #400311 asking for removal or clarification of the 
text which was added. Unfortunately, the quotes you provide don't support the 
statement about Mozilla's security policy, and it's useless to try explaining 
to users what might happen with Mozilla products in Etch if we don't have 
publicly available references users could check.

Regarding #400311: I assume that the absence of references to discussions 
about the section as a whole means that the section is essentially 
speculation. Please consider this a vote for removal rather than 
modification.
