Firefox and Debian Testing: Getting Security Updates?



I'm a happy user of Testing, but I'm a bit concerned about getting
updates to Firefox in a timely manner.  The current version in Testing
is 1.0.4-2, which has recently-announced vulnerabilities in it.  The
vulns (I don't like typing that word :) have been fixed in the version
in Sarge, 1.0.4-2sarge1.  They've been fixed in Unstable as well, in
1.0.6-2.

But when will this version come to Testing?  A quick look at the
changelog for the package shows that 1.0.5-1, which fixes some
security issues, was uploaded to Unstable on July 16th with an urgency
level of high, but four days later 1.0.6-1 was uploaded with an
urgency of low.  Ten days later, on July 30th, 1.0.6-2 was uploaded
with an urgency of medium.  But here it is over two weeks later, and
Testing is still stuck on 1.0.4-2.

I looked in the bug tracker, but I couldn't find any good bug to
prevent these newer versions from moving to Testing.

Now, I'm far from an expert, and I'm still fairly new to Debian (less
than a year), but it seems like something needs to change.  I don't
want to run Unstable on my computer, but I don't want to be stuck with
vulnerable browsers either.

I could upgrade Firefox to the version that's in unstable, but there
are two problems:

1) This is a poor long-term solution, having to manually upgrade
packages and their dependencies to fix security problems;

2) I can't even do that in this case, because Firefox 1.0.6-2 depends
on libxinerama1, which depends on libc6 >= 2.3.5, but Testing is still
on libc6 2.3.2.

This is simply a mess.  Actually, now that I think about it, I suppose
the reason 1.0.6-2 hasn't moved into Testing is because of the
dependency problem of libxinerama1 and libc6.  But who knows when the
new version of libc6 will get into Testing?  It may be a very long
time.  In the meantime, are we Testing users supposed to keep using a
vulnerable version of Firefox?

I know Testing is not supported for security updates, but for
high-profile packages like Firefox with high-profile vulns, don't we
need a solution for this problem?  And upgrading to Unstable is not a
solution; there's a reason I and others use Testing instead of
Unstable.

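The post's comparisons (1.0.4-2 against 1.0.4-2sarge1 and 1.0.6-2, and libc6 2.3.2 against a libc6 >= 2.3.5 dependency) can be checked mechanically. Below is an added example, not part of the original post and not dpkg's or the Debian security team's code: a Python re-implementation of the dpkg version-ordering rules (epoch, upstream version, Debian revision; alternating non-digit and digit runs; '~' sorting before everything, letters before non-letters), plus small helpers for "is the installed version older than the fixed one?" and for Depends:-style relations. Function names and the sample version strings are my own; the versions are the ones named in the post.

```python
"""Compare Debian package versions the way dpkg --compare-versions does.

Example code written for this page; it mirrors the ordering rules dpkg
documents in the Policy Manual and is not dpkg's own implementation.
"""
import functools
import re

# Which compare_versions() results satisfy each Depends: relation.
# '<' and '>' are the deprecated spellings of '<=' and '>='.
_RELATIONS = {
    "<<": (-1,), "<=": (-1, 0), "=": (0,), ">=": (0, 1), ">>": (1,),
    "<": (-1, 0), ">": (0, 1),
}


def _isdigit(c):
    return c != "" and c in "0123456789"


def _order(c):
    """Character weight for non-digit runs: '~' sorts before everything
    (including end of string), letters before non-letters, digits are 0
    because they are handled numerically elsewhere."""
    if c == "" or _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare an upstream-version or revision string pair: alternate between
    a non-digit run (compared with _order) and a digit run (compared as a
    number, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1  # a has more digits left, so it is the larger number
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-debian_revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as dpkg would order a against b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def is_vulnerable(installed, fixed_in):
    """True when the installed version is older than the advisory's fix."""
    return compare_versions(installed, fixed_in) < 0


def satisfies(installed, relation):
    """Does `installed` meet a Depends:-style relation such as '>= 2.3.5'?"""
    m = re.fullmatch(r"\s*(<<|<=|>=|>>|=|<|>)\s*(\S+)\s*", relation)
    if not m:
        raise ValueError("bad relation: %r" % relation)
    op, wanted = m.groups()
    return compare_versions(installed, wanted) in _RELATIONS[op]


def sort_versions(versions):
    return sorted(versions, key=functools.cmp_to_key(compare_versions))


if __name__ == "__main__":
    # Versions taken from the post above; no live dpkg needed.
    print("1.0.4-2 older than sarge fix 1.0.4-2sarge1:",
          is_vulnerable("1.0.4-2", "1.0.4-2sarge1"))
    print("1.0.4-2 older than unstable fix 1.0.6-2:",
          is_vulnerable("1.0.4-2", "1.0.6-2"))
    print("Testing's libc6 2.3.2 satisfies '>= 2.3.5':",
          satisfies("2.3.2", ">= 2.3.5"))
    print("uploads in order:",
          sort_versions(["1.0.6-2", "1.0.4-2sarge1", "1.0.5-1", "1.0.4-2", "1.0.6-1"]))
```

Note that 1.0.4-2sarge1 sorts above 1.0.4-2 but below 1.0.5-1, which is why a stable security upload can carry a fix without outranking the newer package in unstable; and a pre-release upstream version such as 1.0.6~rc1 sorts below 1.0.6 only because of the '~' rule.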