
Re: Mozilla products in Debian



On 2010-11-05 15:38 +0100, Camaleón wrote:

> On Fri, 05 Nov 2010 09:10:44 -0500, Boyd Stephen Smith Jr. wrote:
>
>> On Friday 05 November 2010 08:13:41 Camaleón wrote:
>
>>> > Thirdly, the policy of no new upstream versions after release isn't
>>> > changed for volatile.  (It is changed for volatile-sloppy.)
>>> 
>>> And that is what people want to be improved :-)
>> 
>> No.  That's NOT what those who know and love Debian stable want.  The
>> lack of upstream changes is one of the main reasons I use stable on
>> servers.
>
> What happens with Mozilla packages (more exactly with Firefox/Iceweasel)
> is that upstream versions correct security flaws, meaning that right now,
> Debian's lenny stock version of Iceweasel is vulnerable to lots of holes
> because Mozilla does not provide support nor patches for the 3.0.x branch.

That is true, but the Debian iceweasel/xulrunner maintainer and the
security team backport security fixes.  Note that most of the problems
are not specific to iceweasel and affect all browsers based on
xulrunner, so they are fixed in the xulrunner-1.9 package which is
updated rather frequently.

> Leaving your user base with a vulnerable browser is not very sane.

Yes, but does iceweasel in lenny actually have big security problems?
The Debian security tracker¹ lists only one unfixed problem that is
hardly critical².

> I see only one reason to force the upgrade of a stock package with a
> newer version, and that is precisely the lack of support (or patches) from
> the upstream packager.

But for Mozilla based packages the patches are available, it's just that
they are in a different branch and have to be backported.  This may not
be ideal, but the situation is hardly worse than with the Linux kernel.

> Hopefully there is "backports" holding these packages, but Mozilla
> products (which are included in the regular repo) should not need to be
> backported at all: lenny users should have received the 3.5 release by
> means of the security repo.

So that half of their installed extensions are broken after the upgrade?
That does not seem like a very good idea to me.

Sven


¹ http://security-tracker.debian.org/tracker/source-package/iceweasel
² http://security-tracker.debian.org/tracker/CVE-2009-0777

