[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Troubling security news for sarge users of mozilla, firefox, thunderbird...

hacker (of golf) wrote:

Thanks for posting this .. I've been wondering why no updates on
firefox.  In fact, pending updates, I already downloaded and am using
the mozilla.org tarball.  I highly value having a secure browser, so
am willing to spend the extra time making it fit into sarge.

I'm not sure I agree that taking the whole version update from moz.org
is less desirable than just incorporating the security updates into a
"frozen" browser feature package.  After all, if your smart enough to
install debian, you're smart enough to learn any new browser features
I don't believe that it is the learning of new features which is the major concern here. But if/when the API of Firefox changes and is put into stable. There are many other packages apparently which depend on the firefox API, the changing of which in stable could also necessitate the updating of dozens of other packages to later verions (whcih may also have cascading dependencies).

I for one am currently developing an application, which was *almost* written as an XML interface using firefox, I would *not* be happy if the API of Debian Firefox was changing underneath me. How many times would it change? What notice would I get? How many times and how often would I have to re-code my app just to keep it working? Isn't the whole point of Debian stable that it is after all, stable?

And if an exception can be made for new releases of Firefox into stable why can't it also be made for openoffice, gnome, pdnsd, gcc and any other of the thousands of packages in debian?

This situation AFAICS is because Mozilla.org do not release security patch/fixes, they release whole new versions of software with many changes which are not related to security. It makes it very difficult (impossible?) to keep a single version of firefox running over any significant period of time.

That said, I also appreciate that firefox is moving pretty quickly (in this stage of it's life cycle) and there are improvements all the time (which I like to use). And what of firefox extensions? If Debian Sarge lasts for two years is there any change that any extensions will be able to work with it any more?

It's a pretty tricky situation :-)


Reply to: