
Re: Mozilla products in Debian (was: A question for the list:)



On Friday 05 November 2010 08:13:41 Camaleón wrote:
> On Fri, 05 Nov 2010 07:54:29 -0500, Boyd Stephen Smith Jr. wrote:
> > In <pan.2010.11.05.08.38.21@gmail.com>, Camaleón wrote:
> >>On Fri, 05 Nov 2010 00:30:11 -0500, Boyd Stephen Smith Jr. wrote:
> >>> There is a third choice, I guess: Ship firefox / thunderbird in
> >>> non-free. Support for non-free is best-effort, which basically means
> >>> that if upstream is willing to fix it then the security team /
> >>> maintainers will package it.  This basically results in Debian
> >>> stable's non-free containing software with known security
> >>> vulnerabilities that Mozilla is unwilling to fix.
> >>
> >>How about "volatile"? :-?
> >>
> >>ClamAV packages are there for that precise reason (they need to be
> >>updated -security fixes- very often).
> >>
> > Firstly, only packages that are already in the official repository are
> > included in volatile.
> 
> Icedove and Iceweasel are.

Yes, but the original request was for Firefox and Thunderbird.

> > Second, volatile is for packages that need
> > frequent, non-security updates to maintain functionality (at least in
> > the eyes of some users).  (Updating the virus signature database is not
> > considered a security update.)
> 
> AFAIK, ClamAV packages are fully upgraded (not only for fetching new
> signatures but the whole program).

In any case, they are not "security upgrades" in the Debian sense.  They do 
not fix vulnerabilities in the ClamAV package.

FWIW, even ClamAV in volatile avoids new upstream versions unless old versions 
are unable to function.

> > Thirdly, the policy of no new upstream
> > versions after release isn't changed for volatile.  (It is changed for
> > volatile-sloppy.)
> 
> And that is what people want to be improved :-)

No.  That's NOT what those who know and love Debian stable want.  The lack of 
upstream changes is one of the main reasons I use stable on servers.
 
> > Finally, updating the Debian package *more often* is
> > the opposite of coming into trademark compliance.
> 
> You know what other "non-rolling" distros do in this case: stock
> versions of the programs remain unchanged and maintained for the time the
> distribution is supported, but in parallel there are satellite repositories/
> forges.

1. Backports contains new upstream versions compiled in a released Debian 
environment.  When Squeeze is released we should have an official backports 
service.

2. No one is preventing anyone from creating such repositories.  Debian is a 
volunteer project.  Existing DDs seem to like the status quo at least to some 
degree (existing policy can be changed if there is sufficient support for a 
change).  New volunteers can work on whatever they like and the process of 
becoming a DD is well-documented and always open.
-- 
Boyd Stephen Smith Jr.           	 ,= ,-_-. =.
bss@iguanasuicide.net            	((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy 	 `-'(. .)`-'
http://iguanasuicide.net/        	     \_/
