Re: Mozilla products in Debian



On Fri, 05 Nov 2010 17:00:13 +0100, Sven Joachim wrote:

> On 2010-11-05 15:38 +0100, Camaleón wrote:
> 
>> What happens with Mozilla packages (more exactly with
>> Firefox/Iceweasel) is that upstream version correct security flaws,
>> meaning that right now, Debian's lenny stock version of Iceweasel is
>> vulnerable to lots of holes because Mozilla does not provide support
>> nor patches for 3.0.x branch.
> 
> That is true, but the Debian iceweasel/xulrunner maintainer and the
> security team backport security fixes.  

How is that possible? :-?

As soon as Mozilla stopped offering security patches and stopped tracking 
the 3.0.x branch, there can be "hidden" bugs that neither Mozilla nor Debian 
can be aware of.

> Note that most of the problems
> are not specific to iceweasel and affect all browsers based on
> xulrunner, so they are fixed in the xulrunner-1.9 package which is
> updated rather frequently.

Mmm, the current xulrunner upstream release is 1.9.2, which matches Firefox 
3.6. Right now I have 1.9.0.19-6 installed (matching my icedove version).
 
>> Leaving your users base with a vulnerable browser is not very sane.
> 
> Yes, but does iceweasel in lenny actually have big security problems?
> The Debian security tracker¹ lists only one unfixed problem that is
> hardly critical².

Do you think Debian packages include all these bug fixes?

http://www.mozilla.org/security/known-vulnerabilities/firefox30.html

>> I see only one reason to force the upgrade of a stock package with a
>> newer version, and that is precisely the lack of support (or patches) from
>> upstream packager.
> 
> But for Mozilla based packages the patches are available, it's just that
> they are in a different branch and have to be backported.  This may not
> be ideal, but the situation is hardly worse than with the Linux kernel.

Yes, a backported package is better than nothing, I agree.
 
>> Hopefully there is "backports" holding these packages, but for Mozilla
>> products (which are included in the regular repo) should not be needed
>> - to be backported - at all: lenny users should have received the 3.5
>> release by means of the security repo.
> 
> So that half of their installed extensions are broken after the upgrade?
> Does not seem to be a very good idea to me.

I prefer having no extensions at all to browsing the web with an 
unsupported browser :-). Anyway, you could choose not to update Iceweasel 
and keep the old branch...

Greetings,

-- 
Camaleón