Re: Security fixes for mozilla and firefox in Sarge?

Sam Morris wrote:

Michael Stone wrote:

IMO, if people really intend for the package to have no security support
in the long term then it should exist only in volatile. I think it is
dangerously irresponsible to ship software we do not intend to support.

But back to Debian. The system we have at the moment is not working:
users are installing packages from the stable release, in the assumption
that the packages are supported; in reality these packages are not getting updated. From a user's point of view, this assumption is perfectly reasonable, especially given statements such as:

 "Debian takes security very seriously. Most security problems brought
  to our attention are corrected within 48 hours." [1]

It was easy to make such a promise back in 1997, but today Debian is
much larger. If the security team is unable to function[2] such that the
above statement still holds true, then either the statement, or the job
that the team does, must be changed.

- It seems to me that the active security team DOES take security very seriously.
- "Most" is not all.
- Who is "debian"? Can one identify "debian" of the above statement with "the security team", as your statement implies?
- Isn't "debian" the whole thing, e.g. including the individual maintainers -- who can support the "security update supplier team"?
- Isn't "debian" also its user community? Couldn't it collectively organize to supply resources for a security team (manpower, money (salaries), ...)? Ok, it seems to me that this was already discussed from a technical-organisational point of view. But what I mean here is making the users more aware of it.

Maybe instead of letting people understand the above in a (somewhat) godlike manner, e.g. "We" (whoever this is exactly) "supply everything for everybody for free", the statement should be made explicit as something somewhat different, like "We/the security team/... supply everything for everybody for free as long as we can and as long as there is reasonable support, which the community of debian and its users supply".

Maybe this real-life reality of things is not obvious to everybody if it is not worded exactly as reality is.

Making unsustainable promises always arouses suspicions and generally backfires.

What if the person(s) having taken the responsibility on themselves become sick, have an accident, want to found a family, whatever? Let's not forget all this is done by human beings, and maybe certain users with unduly high expectations should be told (or reminded of) the facts of life.

In a certain way, the whole thing only depends on the free but active goodwill which everybody can forge in himself/herself. Debian is not a system. It's an agreement among people on how to organize work collectively. Based on active, freely supplied (but supplied!) goodwill. That's what makes it profoundly human.
When people don't supply that resource, the whole thing will stop.

That's what differentiates it from many other models. In many of these, "free" was taken out. And that's what makes them (at least somewhat) robotic, producing disgruntlement and many distortions, since not acting freely by one's own conscience of responsibilities is not really being human; it can't work as well.

One way to solve the problem would be to partition the archive into
supported and unsupported packages:

deb http://mirror/debian sarge             main contrib non-free
deb http://mirror/debian sarge/unsupported main contrib non-free

Maybe there should be a "security managed externally" package.
Meaning that it is made explicit that one may choose to use some package and not update it, or to use another package, or to use a package and trust upstream to supply security. The debian maintainers would then assure that the upstream packages are compiled and available in the package system.

In a certain way, this would mean there is kind of a "pick your stability requirement" option for individual packages which lets users choose between available options.

Maybe a donation system (à la SourceForge) might help, too. Surely certain people might be able to help more if there were some way for them to get some funding in return (on a voluntary basis). Or some kind of "auction" system, enabling people to express a willingness to fund certain features or specific works or people.
