Re: [SECURITY] [DSA 3148-1] chromium-browser end of life

["Pavlos K. Ponos" <pavlos.ponos@gmail.com>]

Hello,

Since the latest gcc version for Wheezy is the 4.7 and Chromium "moves" to 4.8, what shall we do? Till the next stable release (Jessie), are we vulnerable to security issues?
As mentioned before, we can build environments to support all the upstream features but this goes against the "stable philosophy" of Debian, at least in its stable version.

So, what are the alternatives in our case?
Maybe it sound a "stupid" question but what about if we keep track of backports and proposed updates in Wheezy?

Thanks in advance for your feedback.
Regards,
Pavlos

Pavlos K. Ponos

On 02/01/2015 01:02 AM, Michael Gilbert wrote:

On Sat, Jan 31, 2015 at 5:44 PM, Darius Jahandarie wrote:

Security support for the chromium web browser is now discontinued
for the stable distribution (wheezy).  Chromium upstream stopped
supporting wheezy's build environment (gcc 4.7, make, etc.), so
there is no longer any practical way to continue building security
updates.

How unfortunate.

Was this due to the chromium team not being aware of this consequence?

No, it was a conscious decision (they considered Debian specifically):
http://phajdan-jr.blogspot.com/2014/08/can-your-distro-compile-chromium.html

What can we do to make it easier and more compelling for upstreams to
continue supporting popular build environments needed for keeping the
internet safe?

Another option is to update build environments to support all of the
features upstreams want to use, but that doesn't fit well with
Debian's long-term stable model.  I spent time looking into that, but
with jessie releasing soon (with a sufficient build environment), I
didn't have the motivation or time to do that.

Best wishes,
Mike