On 2005-07-29, at 9:43 AM, Martin Schulze wrote:
Using new upstream versions is bound to cause new problems. Maybe not at the moment with only going from 1.0.4 to 1.0.6 but more probably they will do later.
I guess in the long term we're on a lost track and it seems this situation has already started.
I'm inclined to say that it'd be better to ship the current release (or the earliest Mozilla-supported version for major releases) until these problems actually do become more work than the backports. The rationale is basically that the usual concerns apply less to browsers since they're less mission critical, people are more used to frequent updates (and tend to have fewer dependencies on specific versions), and new features are more useful because websites which use them are widely "deployed" independently of whatever Debian or the sysadmin do.
Given the threat exposure I think it makes more sense to stick with what the rest of the world is using (especially in cases where the fixes are not well localized), particularly since there are areas where the new features in point upgrades can add almost as much value as the pure security updates - when things like spam filters or anti-spoofing technology improve it's frequently in response to changes in the attackers' behavior, which a pure back-port model can't account for, and that generally means that even if the old software works perfectly the users are going to be complaining because they're seeing more successful attacks. We saw this in the past with SpamAssassin; it pushed us to rush newer versions into production because the tradeoff was between the certainty of "My spam filter isn't working!" complaints versus a relatively low-probability chance of finding a backwards-compatibility bug - not a decision I'm entirely happy about but it's definitely proven to be the better course so far.