
Re: policy change is needed to keep debian secure



On Sat, Aug 20, 2005 at 09:02:47PM -0400, Daniel Sterling wrote:
> Firefox in Debian stable cannot stay stable and secure by not changing.
> 
> The latest upgrades to sarge's firefox have addressed (successfully?) several
> security vulnerabilities. I submit that the work done to create these new
> packages has been wasted effort, for at least two reasons.
> 
> 1. Creating these packages duplicates work already done upstream. While you
> could argue that this is true for any security backport to a greater or lesser
> degree, in this case this point is important because:
> 2. The packages are buggy. (in subtle and creative ways, such as
> sometimes-broken middle clicking).
> 
> In addition, the time between upstream's release and the DSA has not been
> minimal (one month!) (This is a whole issue in itself! Are Debian users supposed
> to subscribe to bugtraq etc to ensure their browser is secure?)

There is definitely work needed to improve all this. Nevertheless, giving up
high (enterprise suitable) security/qa standards is pretty dumb IMO.

> 
> We need to accept that we should not be wasting our valuable talent and time on
> backporting security fixes to complicated apps such as Firefox. I don't know
> which app that time should be spent on, but I know it sure ain't Firefox.

Anyway, we are working on a solution that will make those self-crafted backports 
obsolete in future.

> 
> Properly backporting the fixes and getting them into Debian will simply take too
> much time, if it is properly done at all. We would basically need to have our
> own Firefox developer, who, even though she understands how the code works and
> all the subtlety involved, has decided instead of fixing bugs and implementing
> features, she wants to keep security up to date on an obsolete code base.
> 
> No one is going to do that. No one should be doing that.

In fact there are other parties interested in getting fixes for a stable
branch too. So let's see what the final outcome will be.

> 
> We need to figure out how to get the latest Firefox on the desktops of stable
> users. Something like volatile *may* be the answer. Perhaps keeping the latest
> secure version of Firefox in security, or experimental. Perhaps we need to
> completely revamp the way stable works. However, we CANNOT do nothing, or
> continue to believe we can maintain older versions of software as complex and
> intricate as Firefox. Because we can't maintain them.

We are trying to work things out with mozilla security group. Until now
they were cooperative. Let's see what follows next. In fact, we don't do
nothing. But the idea is to work things out with upstream or otherwise drop
unsupportable software like firefox :)


> 
> I submit that whoever wants 1.0.4 in sarge so bad they'll maintain it needs to
> step forward now, or forever hold their peace.

I just don't want to break things, while giving QA a chance to judge if a
fix is good and won't break compatibility. This time it was done in an
imperfect fashion, but we are working to find a way to get exactly those
fixes released upstream into debian in a timely manner.

I think all people seriously considering this will say: let's keep 1.0.4 or
drop this stuff from the archive. Taking full upstream releases is definitely
not stable enough in the long run. Maybe this time it might have worked, but
who knows what happens next time and so on.

-- 
 GPG messages preferred. |  .''`.  ** Debian GNU/Linux **
 Alexander Sack          | : :' :      The  universal
 asac@debian.org         | `. `'      Operating System
 http://www.jwsdot.com/  |   `-    http://www.debian.org/


