
Re: Firefox and Debian Testing: Getting Security Updates?



On 2005-08-17 01:01:20 -0500, a.list.address@gmail.com wrote:
> I'm a happy user of Testing, but I'm a bit concerned about getting
> updates to Firefox in a timely manner.  The current version in Testing
> is 1.0.4-2, which has recently-announced vulnerabilities in it.  The
> vulns (I don't like typing that word :) have been fixed in the version
> in Sarge, 1.0.4-2sarge1.  They've been fixed in Unstable as well, in
> 1.0.6-2.
> 
> But when will this version come to Testing?

This may take months because of dependencies, even though the
urgency level is set to high.

> I looked in the bug tracker, but I couldn't find any good bug to
> prevent these newer versions from moving to Testing.

You should look at the package developer page:

  http://packages.qa.debian.org/m/mozilla-firefox.html

There you have: "The package has not yet entered testing even though
the 0-day delay is over. Check why." and by clicking on "Check why",
you can see all the dependency problems, in particular.

> Now, I'm far from an expert, and I'm still fairly new to Debian (less
> than a year), but it seems like something needs to change.  I don't
> want to run Unstable on my computer, but I don't want to be stuck with
> vulnerable browsers either.

This is a bit incompatible. If you want security fixes, you may use
testing, but you need to watch the security announcements and may need
to do upgrades/downgrades manually. There are no security fixes for
testing, only for stable. Security bugs are fixed in unstable too
(then moved later to testing), but even in unstable, this may take
time.

What I do is to get testing by default and upgrade packages from
unstable when need be (good advice is to look at the important+
bugs first for packages like libc6, and use apt-listbugs).

> I could upgrade Firefox to the version that's in unstable, but there
> are two problems:
> 
> 1) This is a poor long-term solution, having to manually upgrade
> packages and their dependencies to fix security problems;
> 
> 2) I can't even do that in this case, because Firefox 1.0.6-2 depends
> on libxinerama1, which depends on libc6 >=2.3.5, but Testing is still
> on libc6 2.3.2.

Yes, you need to install all the dependencies. Otherwise, you should
either install the package from the (stable) security updates (with
the corresponding dependencies) or install the program from upstream.
Getting the source package and recompiling it to avoid dynamic
dependencies may also be a solution, but you may need to compile
several packages... This isn't necessarily a good solution.

> This is simply a mess.  Actually, now that I think about it, I suppose
> the reason 1.0.6-2 hasn't moved into Testing is because of the
> dependency problem of libxinerama1 and libc6.  But who knows when the
> new version of libc6 will get into Testing?  It may be a very long
> time.  In the meantime, are we Testing users supposed to keep using a
> vulnerable version of Firefox?

No, testing users are supposed to upgrade the needed packages to
unstable. In general, there are no problems. In fact, it is not
even clear that there are fewer problems with testing than with
unstable. The main "problem" with unstable is that there are more
packages to upgrade (you can see it as an advantage as well, i.e.
to have more up-to-date packages).

-- 
Vincent Lefèvre <vincent@vinc17.org> - Web: <http://www.vinc17.org/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.org/blog/>
Work: CR INRIA - computer arithmetic / SPACES project at LORIA
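The check underlying this thread is whether an installed version is at least the one an advisory names as fixed, which depends on Debian's version ordering (epoch, upstream version, Debian revision). Below is an added example, not Debian's code nor anything from the thread, that implements the dpkg comparison rules from deb-version(7) in Python and applies them to the versions quoted above: 1.0.4-2 in testing, 1.0.4-2sarge1 in sarge, 1.0.6-2 in unstable, and libc6 2.3.2 against the >= 2.3.5 dependency.

```python
# Debian version comparison per deb-version(7) (dpkg's verrevcmp rules);
# a constructed example, with the version strings taken from the thread.
def _order(c: str) -> int:
    # Weight of a char in a non-digit run: '~' sorts before everything (even
    # end of string), letters before non-letters; digits and end weigh 0.
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0

def _cmp_fragment(a: str, b: str) -> int:
    # Alternate non-digit runs (compared via _order) with digit runs
    # (compared numerically, leading zeros dropped). Returns <0, 0 or >0.
    ch = lambda s, k: s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            if _order(ch(a, i)) != _order(ch(b, j)):
                return _order(ch(a, i)) - _order(ch(b, j))
            i, j = i + 1, j + 1
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if ch(a, i).isdigit():
            return 1          # a's number has more significant digits
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version: str):
    # '[epoch:]upstream[-revision]'; a missing revision is "" (equal to "0" in dpkg).
    epoch, sep, rest = version.partition(":")
    epoch, rest = (int(epoch), rest) if sep else (0, version)
    upstream, sep, revision = rest.rpartition("-")
    return (epoch, upstream, revision) if sep else (epoch, rest, "")

def deb_version_cmp(a: str, b: str) -> int:
    # Same ordering as `dpkg --compare-versions`: epoch, then upstream, then revision.
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_fixed(installed: str, fixed_in: str) -> bool:
    # True when the installed version is at least the one an advisory names as fixed.
    return deb_version_cmp(installed, fixed_in) >= 0
```

On a Debian system, `dpkg --compare-versions 1.0.4-2 ge 1.0.4-2sarge1` performs the same check from the shell.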