Re: Mozilla products in Debian
On Fri, 05 Nov 2010 19:48:04 +0100, Sven Joachim wrote:
> On 2010-11-05 17:48 +0100, Camaleón wrote:
>
>> Do you think Debian packages include all these bug fixes?
>>
>> http://www.mozilla.org/security/known-vulnerabilities/firefox30.html
>
> No, MFSA 2009-11 is not fixed (that is a Firefox-only bug). The others
> should be fixed, but I did not check everything myself.
I've just remembered the Lenny Release Notes:
http://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#mozilla-security
So, I wonder what is the current/real security status for Iceweasel.
I do not know why Mozilla products have to follow a different path than
other products. For instance, would Debian security policy allow leaving
an old package that is not maintained anymore upstream?
<dreaming mode on>
Let's imagine for a moment that SpamAssassin drops support (=no more
security patches) for its 3.2.x branch... Lenny users will be highly
exposed to any security flaw that can affect the old/unmaintained branch.
Shouldn't they be updated to the latest/maintained upstream package via
standard security updates?
Let's face the situation:
1/ No updating means several servers running lenny are at risk of being
exploited.
2/ Updating to the new branch can break current setups but a notice about
the branch change and detailed steps on how to perform the change could
prevent users from breaking their current setup.
I, for myself, prefer to get the updated package, perform the upgrade,
carefully read the docs to get a soft transition to the new branch and
keep my e-mail server secure (remember that lenny still has a long full
year of support).
</dreaming mode off>
That was a hypothetical situation, but it is what has happened with Mozilla
products. I mean, knowing that Mozilla has a very quick development
strategy, wouldn't it be preferable to take care of that instead of just warning
the users in the Release Notes and leaving them in a kind of limbo?
Greetings,
--
Camaleón