
Re: policy change is needed to keep debian secure



On Sat, Aug 20, 2005 at 09:02:47PM -0400, Daniel Sterling wrote:
> Keeping Debian stable by not changing things is great.
> 
> Except maybe it's not so great when you're trying to maintain a complicated,
> buggy, high profile program that handles sensitive user data and untrusted input.
> 
> Debian stable cannot stay stable without changing, sometimes drastically.
> 

Erm... I think you may be getting stability and security mixed up here.
A program or set of programs IS stable if it's not got any bugs, and
nothing changes that could introduce bugs. Changing things introduces
the possibility for bugs, and hence, produces potential instability.

> Firefox in Debian stable cannot stay stable and secure by not changing.
> 

From what I can see, I agree with you here :) The question is though,
does the security team agree? (I think they probably do, but I can't
speak for them)

> The latest upgrades to sarge's firefox have addressed (successfully?) several
> security vulnerabilities. I submit that the work done to create these new
> packages has been wasted effort, for at least two reasons.
> 
> 1. Creating these packages duplicates work already done upstream. While you
> could argue that this is true for any security backport to a greater or lesser
> degree, in this case this point is important because:
> 2. The packages are buggy. (in subtle and creative ways, such as
> sometimes-broken middle clicking).
>

However, so are the new packages. An undiscovered bug isn't less than
one known about.

> In addition, the time between upstream's release and the DSA has not been
> minimal (one month!) (This is a whole issue in itself! Are Debian users supposed
> to subscribe to bugtraq etc to ensure their browser is secure?)
> 
> We need to accept that we should not be wasting our valuable talent and time on
> backporting security fixes to complicated apps such as Firefox. I don't know
> which app that time should be spent on, but I know it sure ain't Firefox.
> 
> Properly backporting the fixes and getting them into Debian will simply take too
> much time, if it is properly done at all. We would basically need to have our
> own Firefox developer, who, even though she understands how the code works and
> all the subtlety involved, has decided instead of fixing bugs and implementing
> features, she wants to keep security up to date on an obsolete code base.
> 
> No one is going to do that. No one should be doing that.
> 
> We need to figure out how to get the latest Firefox on the desktops of stable
> users. Something like volatile *may* be the answer. Perhaps keeping the latest
> secure version of Firefox in security, or experimental. Perhaps we need to
> completely revamp the way stable works. However, we CANNOT do nothing, or
> continue to believe we can maintain older versions of software as complex and
> intricate as Firefox. Because we can't maintain them.
> 

There's also the other option.
If Firefox cannot be made to be secure, it should be dropped from
stable.

> I submit that whoever wants 1.0.4 in sarge so bad they'll maintain it needs to
> step forward now, or forever hold their peace.
> 

Yup, agree :)

> I submit that the only feasible solution is to use the latest upstream in
> security updates. That means when 1.0.x is EOLed, if there are security issues
> still present, we remove Firefox from sarge (which is better than keeping an
> insecure version, and is what we are implicitly doing when we don't update it--
> reference Mozilla 1.0 in woody) or use the latest upstream version.
> I submit that this *is* the best way for Debian users, as they will
> get prompt, working security updates. I submit that if someone will
> have/has a problem with that, they almost certainly already have a
> working solution in place right now, as Debian's packages have been,
> from a security standpoint, unworkable for a month with Firefox, and
> possibly longer with Mozilla. Have we heard an argument from any real
> life users for keeping older, buggy, and possibly insecure versions of
> Firefox in Debian?
> 
> In summary, Debian must package the latest upstream Firefox in stable to stay
> stable and secure, and doing so might require policy change. That policy change
> is needed.
> 

Or, as you stated, your other option is to remove Firefox from stable, if
it's found that security cannot be supported (I don't advocate this, I'm
just trying to get a balanced thread).

This is where we disagree:
Packaging a new version is NOT acceptable for me, as a Debian user. You
shouldn't submit that something "*is* the best way for Debian users" if
you're not sure about the entire userbase. On many systems I administer,
code change, apart from security patches, CANNOT take place, due to the
need for change control. Unless there is a specific issue, from a trusted
source, fixing one issue (for example, a security fix from the Debian
security team), I can't upgrade a system without extensive testing.

This is, indeed, the best thing to do for stable desktop users, but not
stable server users. Or, for example, people who use Debian for anything
public facing. The potential for something to break by introducing a bit
of software which isn't tested is too high.

Perhaps the best way forward is to use testing, and ensure that there is
security support for it. This is something the secure-testing team is
trying to do.

Regards,
Neil
-- 
   __   
 .Ž  `. neilm@debian.org
 : :' ! ----------------
 `. `Ž  gpg: B345BDD3
   `-   Please don't cc, I'm subscribed to the list
