[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: On Mozilla-* updates

Florian Weimer wrote:

 * Some upstream authors do not provide specific security fixes (PHP,
   Mozilla, GNU libc).  Sometimes, no backports for the version in
   stable are available, and the packages are too complex that we can
   prepare them in a reasonable timeframe.

 * Some fixes are very invasive (because they address design issues)
   and thus impossible to backport.

 * security.debian.org is a single point of ownership.  If we push
   out a malicious security update, really interesting things might
That's why it might be good to have a second, distinct security path ("security essentially managed by upstream") (or whichever other path will be available). Integrated in the packet management system, but maybe with non-automatic upgrades ("New upgrades available -- do you want package X ?"), or automatic at the discretion of the trusting user.

From a user point of view, I'd appreciate if the debian team could ensure that no data is lost while doing such upgrades. E.g., I'm not sure that while upgrading from one mozilla version to the next, every user data (profile, mail, plugins etc.) is always correctly imported. In such a case, perhaps the team could provide the necessary conversion scripts, urge such improvements from upstream, or both.


Reply to: