Re: Recommended method to install Firefox 3.6 in Lenny (64 bits)
On 2010-01-27 02:36 +0100, Rob Owens wrote:
> On Fri, Jan 22, 2010 at 09:21:55PM +0100, Sven Joachim wrote:
>>
>> Not really, actually security support for Iceweasel could end rather
>> soon.
>>
>> http://www.debian.org/releases/lenny/i386/release-notes/ch-information.en.html#mozilla-security
>>
>
> I'm concerned about the way this is handled. I understand that
> continuing support in Debian once upstream support has stopped may be
> infeasible, but is ceasing support while offering no alternatives (and
> not much warning) really the best solution?
There are certainly alternatives, basically any package that provides
the www-browser virtual package.
> I'll confess that I never read the release notes until now, but I think
> admins should get more warning about this issue. In the release notes,
> "Your web browser will cease to get security updates" falls in between a
> notice that "NetworkManager doesn't play nice with NIS" and "There are
> no huge changes in the KDE Desktop". An internet app w/o security
> updates seems vastly more important than the issues that surround it in
> the release notes.
Personally I would prefer if packages whose security support has ended
were removed in point releases, but that is not always possible because
other packages may (build-)depend on them. Such was the case with
Iceape in Etch.
> At the very least what I would have liked to see was an update to
> Iceweasel that doesn't actually update the software, but issues a
> warning to the admin that security updates have ceased. One step better
> would be to include a supported version of Iceweasel in Lenny main. I
> know it's against Debian policy to add new versions during a stable
> release.
Yes. New versions have to be installed from backports.org. In case of
Iceweasel there is also the problem that Debian ships many extensions
which may not be compatible with a new major version.
> But isn't it also Debian policy to provide security updates for
> the life of the release? (I may be assuming that last bit, but I hope
> not).
Yes, in the case of Mozilla packages it is lack of manpower and upstream
support that defeats this, unfortunately.
> Anyway, I've now installed Iceweasel 3.5 from backports. I just wish I
> could have gotten it from the Debain main repo that I know and trust.
> This is not a shot against the guys who run backports.org. It's just
> that I don't think backports is intended to be a substitute for
> security.debian.org.
You can trust backports.org insofar as only Debian developers can upload
packages there and only backports of versions that are already in
testing are allowed. I think that making backports.org officially
supported (as much as testing and unstable) is the goal, but lack of
manpower for security support holds this back for now.
Sven
Reply to: