
Re: On Mozilla-* updates



On Wed, Aug 03, 2005 at 02:51:04PM +0200, Ben Bucksch wrote:
> antgel wrote:
> 
> >2) Mozilla security patches are not easy to find and isolate.
> >
> >Ben has disputed this, saying that we should be able to extract all
> >necessary patches.  Public ones from
> >http://www.mozilla.org/projects/security/known-vulnerabilities.html then
> >bugzilla, and embargoed ones via mdz.
> > 
> >
> Note that I do *not* recommend that approach. I cannot guarantee that all 
> security fixes are listed there. Even more so for pro-active security 
> changes which will prevent exploits in the future. (I'm not saying that 
> this *does* happen, I just don't know. Here, communication between the 
> groups would be useful, if nothing else to establish guarantees.)

How are we to be informed of all vulnerabilities known to Mozilla security
personnel, if not via this web page?

While I do have access to the embargoed bugs, I receive no notification when
security-related bugs are created in Bugzilla.

Probably the best way to handle this is for Mozilla to notify vendor-sec
when such an issue becomes known to them.

> >3) Backporting the patches, once isolated, is a ballache.  (Is it that
> >security patches are applied to aviary as well as trunk, and that the
> >problem, more specifically, is that aviary itself is too far ahead of
> >Debian, or that the patches are only applied to trunk?)
> >
> >I'd like to hear a comment from Ben about this.
> > 
> >
> Given that the "aviary" branch (1.0.x) is maintained by mozilla.org, it 
> does have all the critical security fixes.
> As I said, I don't know what the problems with backporting are.
> 
> I mean, right now, you are shipping FF 1.0.4 with sarge. If the 1.0.5/6 
> patches don't apply to *that*, then I don't know either...

Yes, right now we don't have too many problems applying patches because we
only just put out a new release.  However, our experience with older
releases (Debian 3.0 in July 2002, and also Ubuntu 4.10 in October 2003) is
that it becomes impossible to usefully apply patches long before the support
lifetime of the release is over.

-- 
 - mdz


