
Re: Mozilla products in Debian



On Fri, Nov 05, 2010 at 08:07:13PM +0000, Camaleón wrote:
> On Fri, 05 Nov 2010 19:48:04 +0100, Sven Joachim wrote:
> 
> > On 2010-11-05 17:48 +0100, Camaleón wrote:
> > 
> >> Do you think Debian packages include all these bug fixes?
> >>
> >> http://www.mozilla.org/security/known-vulnerabilities/firefox30.html
> > 
> > No, MFSA 2009-11 is not fixed (that is a Firefox-only bug).  The others
> > should be fixed, but I did not check everything myself.
> 
> I've just remembered the Lenny Release Notes:
> 
> http://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#mozilla-security
> 
> So, I wonder what is the current/real security status for Iceweasel.
> 
> I do not know why Mozilla products have to follow a different path than 
> other products. For instance, would Debian security policy allow leaving 
> an old package that is not maintained anymore upstream? 
> 
> <dreaming mode on>
> 
> Let's imagine for a moment that SpamAssassin drops support (=no more 
> security patches) for its 3.2.x branch... Lenny users will be highly 
> exposed to any security flaw that can affect the old/unmaintained branch. 
> Shouldn't they be updated to the latest/maintained upstream package via 
> standard security updates?
> 
> Let's face the situation:
> 
> 1/ No updating means several servers running lenny are at risk of being 
> exploited.
> 
> 2/ Updating to the new branch can break current setups but a notice about 
> the branch change and detailed steps on how to perform the change could 
> prevent users from breaking their current setup.
> 
> I, for myself, prefer to get the updated package, perform the upgrade, 
> carefully read the docs to get a soft transition to the new branch and 
> keep my e-mail server secure (remember that lenny still has a long full
> year of support).
> 
> </dreaming mode off>
> 
What I would like (and think they should have done in the case of
Iceweasel) is issue a security update that is simply a message to the
admin that stable's version of Iceweasel is now unsupported.  The
security update should not automatically upgrade Iceweasel to the
backports version, but it should suggest this to the admin as a wise
course of action.

-Rob
