
Re: Security updates realized by new releases, case for backports?



On 10/03/2013 05:44 PM, Marko Randjelovic wrote:
> On Thu, 03 Oct 2013 14:37:22 +0200
> Paul van der Vlis <paul@vandervlis.nl> wrote:
> 
>> Hello,
>>
>> In some cases security updates for packages in main are realized by
>> new releases, e.g. Iceweasel and Wordpress. Such packages can give
>> problems, e.g. in Wordpress there are missing themes.
>>
>> In my opinion such packages should be added to backports and then
>> declared "end of life" in main. I think it's common to take extra care
>> with backports.
>>
>> Backports could be enabled by default in a new release, e.g. to have
>> Iceweasel in a fresh install.
>>
>> What's your opinion?
>>
>> With regards,
>> Paul van der Vlis.
>>
> 
> Obviously, web browsers and web applications are critical for security because they are exposed to eventual attacks. Hence, I agree they should not be updated to new upstream versions but instead only backported with security patches. But with web browsers the situation is even more complicated because web sites are constantly using newer features, support for old browsers is dropped and old browsers gradually become less and less usable. It is not a problem with Debian, but with the relevant web sites, i.e. their way of development, but we must provide new web browsers to the people who need them and I agree it should be via backports. But probably we could also provide some intermediary solution, e.g. a Konqueror backport that will not be the newest, but newer than in stable?
> 

Konqueror isn't a solution, because most websites check your browser
strings and use Flash, JavaScript and so on. Yes, I know I can
change these strings, but in most cases this isn't enough if I want to use
the website.

I use Debian stable for my everyday work, and the situation now, with how Iceweasel and
Icedove are upgraded, is good for me. It is quite a good compromise between
usability and convenience. Remember, the Debian version is the ESR and not the latest
one. I have used stable as my main version for over ten years and this is the first
time I can use websites most of the time without installing some
newer package from somewhere or rolling my own package.

When you use backports I think a lot of people are quite confused,
because apt-cache show <package> shows 2 and sometimes 3 (if the user uses a
third-party repo, e.g. deb-multimedia) copies of the same program and the only difference is
the version number.

When you run apt-get install boinc you get version 7.0.27+dfsg-5, and
when you run apt-get -t wheezy-backports install boinc you get
version 7.0.65+dfsg-3~bpo70+1.

How can an ordinary user handle this? apt-get install <package> refuses to
install the latest version, and when they understand how to install the latest
version, they install a lot of packages from backports and break their
installation.

If I remember correctly it's very difficult to take a security patch from
Firefox, because the whole code is totally different, for example version 17 vs
24. The security team should first evaluate whether our version is broken and then
make a new patch from scratch, and possibly the security patch only gives an idea
of what they should do.

Just my thoughts, Riku
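The two boinc versions quoted in the message above are a good illustration of why apt-get install does not pick the backport by default even though its version number is higher. The following is an added example and not code from the thread or from Debian: it ports dpkg's version comparison algorithm to Python and models, in simplified form, how APT chooses a candidate among a stable and a backports build. The priorities 500 (normal archive), 100 (a NotAutomatic archive with ButAutomaticUpgrades, such as wheezy-backports) and 990 (the release named with -t) are APT's documented defaults; the package list, the "installed" state and the newer backport version 7.0.66+dfsg-1~bpo70+1 are constructed for the demo.

```python
"""Debian version ordering and a simplified APT candidate choice.

Added example (not from the mailing-list post). The dpkg comparison is a
faithful port; candidate() is a deliberately simplified model of APT's
pin-priority rules, enough to show why `apt-get install` and
`apt-get -t wheezy-backports install` differ.
"""
from functools import cmp_to_key


def _order(c: str) -> int:
    """dpkg's character weight: '~' sorts before everything, even the end."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0  # end of string


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings the dpkg way."""
    i = j = 0

    def ch(s: str, k: int) -> str:
        return s[k] if k < len(s) else ""

    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character.
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: compare numerically, ignoring leading zeros.
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        first_diff = 0
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(v1: str, v2: str) -> int:
    """Return <0, 0 or >0 like `dpkg --compare-versions` (epoch, upstream, revision)."""
    def split(v: str):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


# Default APT pin priorities (apt_preferences(5)): normal archive 500,
# NotAutomatic + ButAutomaticUpgrades archive (e.g. wheezy-backports) 100,
# the release named with -t / APT::Default-Release raised to 990.
PRIO_DEFAULT, PRIO_BACKPORTS, PRIO_TARGET = 500, 100, 990


def candidate(available, installed=None, target=None):
    """Simplified APT candidate selection over (version, suite) pairs.

    Highest pin priority wins, ties go to the highest version, and a version
    below the installed one is never chosen (no priority here reaches 1000,
    the threshold at which APT would downgrade).
    """
    ranked = []
    for version, suite in available:
        if suite == target:
            prio = PRIO_TARGET
        elif suite.endswith("-backports"):
            prio = PRIO_BACKPORTS
        else:
            prio = PRIO_DEFAULT
        if installed and compare_versions(version, installed) < 0:
            continue  # never downgrade
        ranked.append((prio, version))
    ranked.sort(key=cmp_to_key(lambda x, y: (x[0] - y[0]) or compare_versions(x[1], y[1])))
    return ranked[-1][1] if ranked else installed


# Constructed sample: the two boinc builds quoted in the post.
BOINC = [("7.0.27+dfsg-5", "wheezy"), ("7.0.65+dfsg-3~bpo70+1", "wheezy-backports")]


def demo():
    """What each command would install (the 7.0.66 backport is hypothetical)."""
    return {
        "apt-get install boinc": candidate(BOINC),
        "apt-get -t wheezy-backports install boinc": candidate(BOINC, target="wheezy-backports"),
        "apt-get upgrade once the backport is installed": candidate(
            BOINC + [("7.0.66+dfsg-1~bpo70+1", "wheezy-backports")],
            installed="7.0.65+dfsg-3~bpo70+1"),
    }


if __name__ == "__main__":
    for cmd, ver in demo().items():
        print(f"{cmd}: {ver}")
```

Two things fall out of running this. First, plain apt-get install picks 7.0.27+dfsg-5 although it compares lower, because the stable archive's priority (500) beats the backports priority (100); only naming the target release with -t (priority 990) flips the choice, which is exactly the confusion the message describes. Second, the ~bpo70+1 suffix sorts below the same revision without it (compare_versions returns a negative value for "7.0.65+dfsg-3~bpo70+1" against "7.0.65+dfsg-3"), so a later stable upload of the same version would replace the backport rather than be blocked by it. Once a backport is installed, the ButAutomaticUpgrades priority of 100 still lets newer backports of that package be upgraded automatically, while the lower stable version is never offered as a downgrade.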

