
Re: Recommended method to install Firefox 3.6 in Lenny (64 bits)



On 2010-01-27 02:36 +0100, Rob Owens wrote:

> On Fri, Jan 22, 2010 at 09:21:55PM +0100, Sven Joachim wrote:
>> 
>> Not really, actually security support for Iceweasel could end rather
>> soon.
>> 
>> http://www.debian.org/releases/lenny/i386/release-notes/ch-information.en.html#mozilla-security
>> 
>
> I'm concerned about the way this is handled.  I understand that
> continuing support in Debian once upstream support has stopped may be
> infeasible, but is ceasing support while offering no alternatives (and
> not much warning) really the best solution?

There are certainly alternatives, basically any package that provides
the www-browser virtual package.

> I'll confess that I never read the release notes until now, but I think
> admins should get more warning about this issue.  In the release notes, 
> "Your web browser will cease to get security updates" falls in between a
> notice that "NetworkManager doesn't play nice with NIS" and "There are
> no huge changes in the KDE Desktop".  An internet app w/o security
> updates seems vastly more important than the issues that surround it in
> the release notes.

Personally I would prefer if packages whose security support has ended
were removed in point releases, but that is not always possible because
other packages may (build-)depend on them.  Such was the case with
Iceape in Etch.

> At the very least what I would have liked to see was an update to
> Iceweasel that doesn't actually update the software, but issues a
> warning to the admin that security updates have ceased.  One step better
> would be to include a supported version of Iceweasel in Lenny main.  I
> know it's against Debian policy to add new versions during a stable
> release.

Yes.  New versions have to be installed from backports.org.  In case of
Iceweasel there is also the problem that Debian ships many extensions
which may not be compatible with a new major version.

> But isn't it also Debian policy to provide security updates for
> the life of the release?  (I may be assuming that last bit, but I hope
> not).

Yes, in the case of Mozilla packages it is lack of manpower and upstream
support that defeats this, unfortunately.

> Anyway, I've now installed Iceweasel 3.5 from backports.  I just wish I
> could have gotten it from the Debian main repo that I know and trust.
> This is not a shot against the guys who run backports.org.  It's just
> that I don't think backports is intended to be a substitute for
> security.debian.org.

You can trust backports.org insofar as only Debian developers can upload
packages there and only backports of versions that are already in
testing are allowed.  I think that making backports.org officially
supported (as much as testing and unstable) is the goal, but lack of
manpower for security support holds this back for now.

Sven

