antgel wrote:
Note that I do *not* recommend that approach. I cannot guarantee that all security fixes are listed there. Even more so for pro-active security changes which will prevent exploits in the future. (I'm not saying that this *does* happen, I just don't know. Here, communication between the groups would be useful, if nothing else to establish guarantees.)

2) Mozilla security patches are not easy to find and isolate. Ben has disputed this, saying that we should be able to extract all necessary patches. Public ones from http://www.mozilla.org/projects/security/known-vulnerabilities.html then bugzilla, and embargoed ones via mdz.

Also, this is far more work than just taking an existing branch and shipping that.
Given that the "aviary" branch (1.0.x) is maintained by mozilla.org, it does have all the critical security fixes.

3) Backporting the patches, once isolated, is a ballache. (Is it that security patches are applied to aviary as well as trunk, and that the problem, more specifically, is that aviary itself is too far ahead of Debian, or that the patches are only applied to trunk?) I'd like to hear a comment from Ben about this.

As I said, I don't know what the problems with backporting are. I mean, right now, you are shipping FF 1.0.4 with sarge. If the 1.0.5/6 patches don't apply to *that*, then I don't know either...
Ben