
Re: php vulnerabilities

Hello Florian,

On Fri, Dec 24, 2004 at 12:37:24AM +0100, Florian Weimer wrote:
> Look at the Mozilla version in stable, and the issues surrounding it,
> and you will understand.

Yes, actually I really think that backporting is neither possible nor effective
in a lot of situations. And yes, you are right, a new upstream version needs
soaking. However, this discussion is therefore quite theoretical; I currently
see nearly no way for any major update to slip into stable.

Too many core maintainers would object. It is more likely the
software is removed on a revision. (And I am not sure if that is a "good"
solution, especially for commonly used programs.)

Mozilla is quite an interesting subject to study: It might break a lot of
stuff if upgraded (due to the libs), and it is extremely complicated to
backport the fixes (since no patch list is available).

And even if (or especially when!) Debian developers succeed in fixing all the
bugs by backporting, the user would be frustrated by having to live with
outdated versions.

(I think this is true for most "productivity applications" and less true for
server apps, where conservative patching makes sense and is more common
upstream anyway (and it is less complicated to backport single fixes).)

This is somewhat the "Microsoft problem" - GUI software and multi-function
packages are simply not sanely maintainable.

  (OO)      -- Bernd_Eckenfels@Mörscher_Strasse_8.76185Karlsruhe.de --
 ( .. )      ecki@{inka.de,linux.de,debian.org}  http://www.eckes.org/
  o--o     1024D/E383CD7E  eckes@IRCNet  v:+497211603874  f:+497211606754
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
