Re: Mozilla products in Debian
On Fri, 05 Nov 2010 17:00:13 +0100, Sven Joachim wrote:
> On 2010-11-05 15:38 +0100, Camaleón wrote:
>
>> What happens with Mozilla packages (more exactly with
>> Firefox/Iceweasel) is that upstream versions correct security flaws,
>> meaning that right now, Debian's lenny stock version of Iceweasel is
>> vulnerable to lots of holes because Mozilla does not provide support
>> nor patches for the 3.0.x branch.
>
> That is true, but the Debian iceweasel/xulrunner maintainer and the
> security team backport security fixes.
How is that possible? :-?
As soon as Mozilla stopped offering security patches and stopped tracking
the 3.0.x branch, there can be "hidden" bugs that neither Mozilla nor
Debian can be aware of.
> Note that most of the problems
> are not specific to iceweasel and affect all browsers based on
> xulrunner, so they are fixed in the xulrunner-1.9 package which is
> updated rather frequently.
Mmm, the current xulrunner upstream release is 1.9.2, which matches Firefox
3.6. Right now I've got 1.9.0.19-6 installed (matching my icedove version).
>> Leaving your users base with a vulnerable browser is not very sane.
>
> Yes, but does iceweasel in lenny actually have big security problems?
> The Debian security tracker¹ lists only one unfixed problem that is
> hardly critical².
Do you think Debian packages include all these bug fixes?
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html
>> I see only one reason to force the upgrade of a stock package with a
>> newer version, and it is precisely the lack of support (or patches) from
>> the upstream packager.
>
> But for Mozilla based packages the patches are available, it's just that
> they are in a different branch and have to be backported. This may not
> be ideal, but the situation is hardly worse than with the Linux kernel.
Yes, a backported package is better than nothing, I agree.
>> Hopefully there is "backports" holding these packages, but Mozilla
>> products (which are included in the regular repo) should not need
>> to be backported at all: lenny users should have received the 3.5
>> release by means of the security repo.
>
> So that half of their installed extensions are broken after the upgrade?
> Does not seem to be a very good idea to me.
I prefer having no extensions at all to browsing the web with an
unsupported browser :-). Anyway, you could choose not to update Iceweasel
and keep the old branch...
Greetings,
--
Camaleón