
Re: Mozilla products in Debian



On 2010-11-05 17:48 +0100, Camaleón wrote:

> On Fri, 05 Nov 2010 17:00:13 +0100, Sven Joachim wrote:
> 
>> That is true, but the Debian iceweasel/xulrunner maintainer and the
>> security team backport security fixes.  
>
> How is that possible? :-?
>
> As soon as Mozilla stopped offering security patches and left tracking
> 3.0.x branch there can be "hidden" bugs neither Mozilla nor Debian can be
> aware of.

There also can be^W^W are hidden bugs in the 3.6 branch which Mozilla
and Debian are not aware of.  Of course there is the possibility that in
the meantime Mozilla had inadvertently fixed some security bug in the
3.5/3.6 branches without knowing it, so that only 3.0 is vulnerable.

>> Note that most of the problems
>> are not specific to iceweasel and affect all browsers based on
>> xulrunner, so they are fixed in the xulrunner-1.9 package which is
>> updated rather frequently.
>
> Mmm, current xulrunner upstream release is 1.9.2 that matches Firefox 
> 3.6. Now I've got installed 1.9.0.19-6 (matching my icedove version).

Reading the Debian changelog for that should give you a good idea what
security bugs got fixed.

> Do you think Debian packages include all these bug fixes?
>
> http://www.mozilla.org/security/known-vulnerabilities/firefox30.html

No, MFSA 2009-11 is not fixed (that is a Firefox-only bug).  The others
should be fixed, but I did not check everything myself.

>>> Hopefully there is "backports" holding these packages, but for Mozilla
>>> products (which are included in the regular repo) should not be needed
>>> - to be backported- at all: lenny users should have received 3.5
>>> release by means of the security repo.
>> 
>> So that half of their installed extensions are broken after the upgrade?
>> Does not seem to be a very good idea to me.
>
> I prefer having no extensions at all than browsing the web with an 
> unsupported browser :-). Anyway, you could choose not updating Iceweasel 
> and keep the old branch...

Which is what quite a few people would do, I fear.  The current
situation where the old version still gets security updates from Debian
while newer versions are available from lenny-backports is IMO better.

Sven
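One way to do the check Sven describes, searching the Debian changelog for advisory ids, as an added example that is not part of this thread. The changelog excerpt, its version numbers and the MFSA/CVE ids in it are constructed for illustration; on a real system the input would be the package's changelog (e.g. /usr/share/doc/<package>/changelog.Debian.gz, decompressed first).

```shell
#!/bin/sh
# Constructed stand-in for a Debian changelog; every version, date and
# advisory id below is invented, not taken from the real xulrunner package.
CHANGELOG=$(mktemp)
trap 'rm -f "$CHANGELOG"' EXIT
cat > "$CHANGELOG" <<'EOF'
xulrunner (1.9.0.19-6) stable-security; urgency=high

  * Backport fixes for MFSA 2010-01 (constructed id), CVE-2010-0001.
  * Backport fix for MFSA 2010-02 (constructed id).

 -- Example Maintainer <maint@example.org>  Mon, 01 Nov 2010 00:00:00 +0100

xulrunner (1.9.0.19-5) stable-security; urgency=high

  * Backport fix for MFSA 2009-99 (constructed id).

 -- Example Maintainer <maint@example.org>  Mon, 04 Oct 2010 00:00:00 +0100
EOF

# versions_fixing CHANGELOG ID
# Prints each package version whose changelog entry mentions ID
# (e.g. "MFSA 2009-11" or "CVE-2009-1234"), one per line.
# Empty output means the Debian changelog never records a fix for it,
# which is the case to follow up on before trusting the package.
versions_fixing() {
    awk -v id="$2" '
        # Entry header: "<source> (<version>) <dist>; urgency=<level>"
        /^[a-z0-9.+-]+ \(/ { ver = $2; gsub(/[()]/, "", ver) }
        # Any line of the current entry naming the advisory id
        index($0, id)      { print ver }
    ' "$1" | sort -u
}

# Walk a list of advisories and report which versions claim to fix them.
for id in "MFSA 2010-02" "CVE-2010-0001" "MFSA 2009-11"; do
    hits=$(versions_fixing "$CHANGELOG" "$id")
    if [ -n "$hits" ]; then
        echo "$id: referenced in version(s): $(echo "$hits" | tr '\n' ' ')"
    else
        echo "$id: not referenced in the changelog"
    fi
done
```

Compare the reported versions against `dpkg -s <package>` (the Version field) to see whether the installed build is at or above the fixing one.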

