Re: policy change is needed to keep debian secure

To: Matt Zimmerman <mdz@debian.org>
Cc: debian-security@lists.debian.org
Subject: Re: policy change is needed to keep debian secure
From: David Ehle <ehle@agni.phys.iit.edu>
Date: Tue, 23 Aug 2005 16:03:54 -0500 (CDT)
Message-id: <[🔎] Pine.LNX.4.44.0508231501590.26659-100000@agni.phys.iit.edu>
In-reply-to: <[🔎] 20050823175033.GD23036@alcor.net>

On Tue, 23 Aug 2005, Matt Zimmerman wrote:

> On Tue, Aug 23, 2005 at 12:04:17PM -0500, David Ehle wrote:
>
> > As you can see in the subject, the OP understands the policy, but believes
> > it should be changed.
>
> To what?  The suggestions that I have seen so far seem to be reiterations of
> the existing policy.

Then what is this discussion about? Why has mozilla/firfox not been moved
to the upstream version or a security patch backported and released?

> > I support introducting new packages when older versions can not be
> > realisticly maintained with backported security fixes.
>
> ...including yours.

I'm sorry, I don't understand this response.  I also wish you had been
willing to address the other issues in the post.

Matt, I'm really not sure I understand your psychology here.  What is the
objection? Yes we don't want to make a habit of moving packages into
stable if we don't have to. We have agreed that the policy DOES allow us
to if its the only realistic way to fix security problems. So what are you
defending or promoting here? Doing nothing? Continuing to do packports of
fixes?

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=237422 shows the basic
chain of events but nobody seems willing to commit to doing something
about it, or give a final answer that people find acceptable.

In that thread it is broken down to:

"What are your current plans for handling security issues in Mozilla in
woody?" (It seems this problem is continuing into sarge)
"1. ignore them
 2. upgrade Mozilla to 1.0.2
 3. evaluate and integrate all fixes"

Matt, in that thread says dropping mozilla entirely is not an option (So
we agree on something! ;) )

 Takuo Kitame says, upgrading mozilla has been rejected by the relase
manager.  Who is the release manager, and what were the reasons for this?
Has the reasoning changed since sarge being released?

Mike Stone says that nobody has done the work for option 2. I'm not very
well versed on how these responsibilities are distributed.  Who's "job" is
it to do this? Is it waiting for a volunteer?  If someone volunteered
would their work be used?

Option 3 has apparently not happened either.... Again same questions as
for option 2.  Who does this? Who could do it?  How would the work be
implemented?

So if no upgrades are being done/planned/implemented and dropping mozilla
is right out, does  that mean that the current Debian decision on
mozilla/Firfox is to simply leave it insecure?  This doesn't really seem
rational or healthy. If this IS the decision, how does one challenge it in
an effective and constructive manner?

Thanks!

David.

Reply to:

References:
- Re: policy change is needed to keep debian secure
  - From: Matt Zimmerman <mdz@debian.org>

Prev by Date: Re: policy change is needed to keep debian secure
Next by Date: Re: New squid packages 2.4.6-2woody9 restarts very often.
Previous by thread: Re: policy change is needed to keep debian secure
Next by thread: Re: hardware for authentication
Index(es):
- Date
- Thread