Re: On Mozilla-* updates

On Sat, Jul 30, 2005 at 12:32:42AM -0700, Chris Adams wrote:
> On 2005-07-29, at 9:43 AM, Martin Schulze wrote:
> >Using new upstream versions are bound to cause new problems.  Maybe
> >not at the moment with only going from 1.0.4 to 1.0.6 but more
> >probably they will do later.
> ...
> >I guess in the long term we're on a lost track and it seems this
> >situation has already started.
> I'm inclined to say that it'd be better to ship the current release  
> (or the earliest Mozilla-supported version for major releases) until  
> these problems actually do become more work than the backports. The  
> rationale is basically that the usual concerns apply less to browsers  
> since they're less mission critical, people are more used to frequent  
> updates (and tend to have fewer dependencies on specific versions),  
> and new features are more useful because websites which use them are  
> widely "deployed" independently of whatever Debian or the sysadmin do.
> Given the threat exposure I think it makes more sense to stick with  
> what the rest of the world is using (especially in cases where the  
> fixes are not well localized), particularly since there are areas  
> where the new features in point upgrades can add almost as much value  
> as the pure security updates - when things like spam filters or anti- 
> spoofing technology improve it's frequently in response to changes in  
> the attackers' behavior, which a pure back-port model can't account  
> for, and that generally means that even if the old software works  
> perfectly the users are going to be complaining because they're  
> seeing more successful attacks.

This all just seems arguments to put the (new) mozilla browsers into
the volatile archive.  It definitely is not what I thought of as
something I'd expect for the stable archive.  If we choose stable we
do so with a reason and we know what we choose.  If we add volatile
we also know what we're doing.

The problem is much harder when we can't actually have the backports.
In my opinion it's *maybe* better to just leave the browsers in
stable as they are and make an announcement to security-announce@l.d.o
or so that their security is sub-optimal or non-existing and if they
want they can use the new packages from volatile.

It is also an option to send out the DSAs about them and stress the
fact that the problems are *only* solved in testing and volatile,
*not* via the normal security.debian.org so not in stable.  Specific
instructions are included with every DSA anyway.

Just my (current) view of the situation.


Debian GNU/Linux -- The power of freedom
www.debian.org | www.gnu.org | www.kernel.org