
policy change is needed to keep debian secure



Keeping Debian stable by not changing things is great.

Except maybe it's not so great when you're trying to maintain a complicated,
buggy, high-profile program that handles sensitive user data and untrusted input.

Debian stable cannot stay stable without changing, sometimes drastically.

Firefox in Debian stable cannot stay stable and secure by not changing.

The latest upgrades to sarge's firefox have addressed (successfully?) several
security vulnerabilities. I submit that the work done to create these new
packages has been wasted effort, for at least two reasons.

1. Creating these packages duplicates work already done upstream. While you
could argue that this is true for any security backport to a greater or lesser
degree, in this case this point is important because:
2. The packages are buggy (in subtle and creative ways, such as
sometimes-broken middle-clicking).

In addition, the time between upstream's release and the DSA has not been
minimal (one month!). (This is a whole issue in itself! Are Debian users supposed
to subscribe to bugtraq etc. to ensure their browser is secure?)

We need to accept that we should not be wasting our valuable talent and time on
backporting security fixes to complicated apps such as Firefox. I don't know
which app that time should be spent on, but I know it sure ain't Firefox.

Properly backporting the fixes and getting them into Debian will simply take too
much time, if it is properly done at all. We would basically need to have our
own Firefox developer, who, even though she understands how the code works and
all the subtlety involved, has decided instead of fixing bugs and implementing
features, she wants to keep security up to date on an obsolete code base.

No one is going to do that. No one should be doing that.

We need to figure out how to get the latest Firefox on the desktops of stable
users. Something like volatile *may* be the answer. Perhaps keeping the latest
secure version of Firefox in security, or experimental. Perhaps we need to
completely revamp the way stable works. However, we CANNOT do nothing, or
continue to believe we can maintain older versions of software as complex and
intricate as Firefox. Because we can't maintain them.

I submit that whoever wants 1.0.4 in sarge so badly that they'll maintain it needs to
step forward now, or forever hold their peace.

I submit that the only feasible solution is to use the latest upstream in
security updates. That means when 1.0.x is EOLed, if there are security issues
still present, we remove Firefox from sarge (which is better than keeping an
insecure version, and is what we are implicitly doing when we don't update it;
reference Mozilla 1.0 in woody) or use the latest upstream version. I submit
that this *is* the best way for Debian users, as they will get prompt, working
security updates. I submit that if someone will have, or has, a problem with that,
they almost certainly already have a working solution in place right now, as
Debian's packages have been, from a security standpoint, unworkable for a month
with Firefox, and possibly longer with Mozilla. Have we heard an argument from
any real-life users for keeping older, buggy, and possibly insecure versions of
Firefox in Debian?

In summary, Debian must package the latest upstream Firefox in stable to stay
stable and secure, and doing so might require policy change. That policy change
is needed.

-- Dan



Reply to: