
Re: On Mozilla-* updates



Matt Zimmerman wrote:
> On Tue, Aug 02, 2005 at 09:04:01PM +0100, antgel wrote:
> 
> 
>>Matt Zimmerman wrote:
>>
>>>Have you been following this discussion?  That is exactly what we have been
>>>killing ourselves doing for the past few years.  It is a _losing battle_.
>>
>>I've been following a fair bit of the discussion, but it's hard to pull
>>the facts out from the opinion.  I'm not belittling the Debian team
>>efforts, and I'm sorry if I seemed like I was.  If it is a losing
>>battle, then it's one that we should try to equip ourselves[1] to win.
>>If you are saying that we can't equip ourselves then fine, but it's a
>>shame.  We are on the same side here.
>>
>>Antony
>>
>>[1] This includes more manpower and liaising with Mozilla to see if they
>>can help more than they are doing.
> 
> 
> I'm guessing that you're not going to volunteer on the manpower side, and I
> don't think that it would be a good way to spend resources even if we had
> them.

You'll note that I _have_ volunteered, fwiw.

> You're welcome to attempt to convince the Mozilla project to change
> the way that they work for the benefit of distribution security teams.  If I
> recall correctly, others have unsuccessfully attempted this in the past, but
> since you are interested in this issue, perhaps you will try again and
> report back to us.

If it comes to that then I will.  I'd like to see how this thread pans
out.  From what I gather so far, there are three issues:

1) There is no visibility of some Mozilla security patches due to the
embargo.

We do have visibility of these via mdz.

2) Mozilla security patches are not easy to find and isolate.

Ben has disputed this, saying that we should be able to extract all
necessary patches.  Public ones from
http://www.mozilla.org/projects/security/known-vulnerabilities.html then
bugzilla, and embargoed ones via mdz.

3) Backporting the patches, once isolated, is a ballache.  (Is it that
security patches are applied to aviary as well as trunk, and that the
problem, more specifically, is that aviary itself is too far ahead of
Debian, or that the patches are only applied to trunk?)

I'd like to hear a comment from Ben about this.

Antony
