Re: On Mozilla-* updates

[Martin Schulze <joey@infodrom.org>]

Noah Meyerhans wrote:
> Most other OS vendors are willing to make updates for errata beyond
> simple security updates.  Often this means minor updates to software
> packages like web browsers.  I believe the community will be better able
> to help us prepare e.g. bug-free firefox 1.0.5 packages than it will to
> produce 1.0.4+security packages.  I believe these updated packages

Looking at how 1.0.5 was binary-incompatible with 1.0.4 I can only
assert that the community has failed already.

> should be tested as thoroughly as possible and released via
> security.debian.org and included in the next sarge revision.  As an

We don't have the proper framework for thoroughly testing security
updates before they are visible on security.debian.org similar to the
10 days embargo from unstable into testing.  The regular testing is
not sufficient as it can't cover all details.

> Whatever solution we choose, I believe it is very important for us to do
> it within Debian and not rely on backports or some other unofficial
> channels.  As Debian developers, it is our duty to solve this problem,
> and simply kicking the packages out of Debian or ignoring them from the
> point of view of updates and security is really no solution at all.

Be prepared for reality, in half a year or in one year, there won't be
1.0.x Mozilla Firefox packages anymore that build on Debian stable.
At least that's what I anticipate.

Regards,

	Joey

-- 
Experience is something you don't get until just after you need it.

Please always Cc to me when replying to me on the lists.