Re: Security fixes for mozilla and firefox in Sarge?
Sam Morris wrote:
> Michael Stone wrote:
> > IMO, if people really intend for the package to have no security support
> > in the long term then it should exist only in volatile. I think it is
> > dangerously irresponsible to ship software we do not intend to support.
> But back to Debian. The system we have at the moment is not working:
> users are installing packages from the stable release, in the assumption
> that the packages are supported; in reality these packages are not
> getting updated. From a user's point of view, this assumption is
> perfectly reasonable, especially given statements such as:
> "Debian takes security very seriously. Most security problems brought
> to our attention are corrected within 48 hours."
> It was easy to make such a promise back in 1997, but today Debian is
> much larger. If the security team is unable to function such that the
> above statement still holds true, then either the statement, or the job
> that the team does, must be changed.
- It seems to me that the active security team DOES take security very
- "Most" is not all.
- Who is "debian"? Can one identify "debian" of the above statement
with "the security team", as your statement implies?
- Isn't "debian" the whole thing, e.g. including the individual
maintainers -- who can support the "security update supplier team"?
- Isn't "debian" also its user community? Couldn't it collectively
organize to supply resources for a security team (manpower, money
(salaries), ...)? Ok, it seems to me that this was already discussed
from a technical-organisational point of view. But what I mean here is
making the users more aware of it.
Maybe instead of letting people understand the above in a (somewhat)
godlike manner, e.g. "We" (whoever this is exactly) "supply everything
for everybody for free", the statement should be made explicit as something
somewhat different, like "We/the security team/... supply everything for
everybody for free as long as we can and as long as there is a
reasonable support, which the community of debian and its users supply".
Maybe this real-life reality of things is not obvious to everybody if it
is not worded exactly as reality is.
Making unsustainable promises always arouses suspicions and generally
What if the person(s) having taken the responsibility on themselves become
sick, have an accident, want to start a family, whatever? Let's not
forget all this is done by human beings, and maybe certain users with
unduly high expectations should be told (or reminded of) the facts of life.
In a certain way, the whole thing only depends on the free but active
goodwill which everybody can forge in himself/herself.
Debian is not a system. It's an agreement among people on how to organize work
collectively. Based on active, freely supplied (but supplied!) goodwill.
That's what makes it profoundly human.
When people don't supply that resource, the whole thing will stop.
That's what differentiates it from many other models. In many of these,
"free" was taken out. And that's what makes them (at least somewhat)
robotic, producing disgruntling and many distortions, since not acting
freely by one's own conscience of responsibilities is not really being
human, it can't work as well.
> One way to solve the problem would be to partition the archive into
> supported and unsupported packages:
> deb http://mirror/debian sarge main contrib non-free
> deb http://mirror/debian sarge/unsupported main contrib non-free
Maybe there should be a "security managed externally" package.
Meaning that it is made explicit that one may choose to use some package and
not update it, or use another package, or use a package and
trust upstream to supply security. The debian maintainers would then
assure that the upstream packages are compiled and available in the
In a certain way, this would mean there is kind of a "pick your
stability requirement" option for individual packages which lets user
choose between available options.
Maybe a donation system (à la SourceForge) might help, too. Surely
certain people might be able to help more if there were some way for
them to get some funding in return (on voluntary basis).
Or some kind of "auction" system, enabling people to express a
willingness to fund certain features or specific works or people.