
Re: On Mozilla-* updates



The solution to this problem is simple.  We change the meaning of stable
to "stable except for such cases as security demands upgrading versions
rather than backporting patches." And then leave the old insecure version
of the package in place as <package.name.insecure>.

We can dilly dally about it all we want but this is really the only viable
solution. Leaving bad packages around is not an option. Taking Mozilla or
other core parts of most users' computing experience is not really an
option (unless we want to put ourselves even farther out on the fringe).
So upgrading broken packages is our last option.  It may be unpalatable to
some, and perhaps more work, but according to this discussion it will
still be less work than trying to backport the security patches alone.

We are making a mountain out of a mole hill.  If help is needed to do
this, email me off list and I will try and help.  I have servers that can
be used to build at least two of the architectures.

David.

--
David Ehle
Computing Systems Manager
CAPP CSRRI
rm 077
LS Bld. IIT Main Campus
Chicago IL 60616
ehle@iit.edu
312-567-3751

He who fights with monsters must take care lest he thereby become a
monster. And if you gaze for long into an abyss, the abyss gazes also into
you.

On Tue, 2 Aug 2005, Matt Zimmerman wrote:

> On Tue, Aug 02, 2005 at 09:04:01PM +0100, antgel wrote:
>
> > Matt Zimmerman wrote:
> > > Have you been following this discussion?  That is exactly what we have been
> > > killing ourselves doing for the past few years.  It is a _losing battle_.
> >
> > I've been following a fair bit of the discussion, but it's hard to pull
> > the facts out from the opinion.  I'm not belittling the Debian team
> > efforts, and I'm sorry if I seemed like I was.  If it is a losing
> > battle, then it's one that we should try to equip ourselves[1] to win.
> > If you are saying that we can't equip ourselves then fine, but it's a
> > shame.  We are on the same side here.
> >
> > Antony
> >
> > [1] This includes more manpower and liaising with Mozilla to see if they
> > can help more than they are doing.
>
> I'm guessing that you're not going to volunteer on the manpower side, and I
> don't think that it would be a good way to spend resources even if we had
> them.  You're welcome to attempt to convince the Mozilla project to change
> the way that they work for the benefit of distribution security teams.  If I
> recall correctly, others have unsuccessfully attempted this in the past, but
> since you are interested in this issue, perhaps you will try again and
> report back to us.
>
> --
>  - mdz


