On Sat, Jan 17, 2009 at 04:06:30PM +0100, Mike Hommey wrote:
> On Sat, Jan 17, 2009 at 02:19:02PM +0100, Sylvain Beucler wrote:
> > Package: iceweasel
> > Version: 3.0.5-1
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> >
> > Since Debian stable is a "frozen" distro, it's not uncommon to install
> > the official Firefox binaries when the next version of Firefox is
> > released, and isn't packaged in stable or backported yet. I've also
> > seen that useful to fix browser detection (hotmail) or support
> > binary extensions (probably to avoid stdlibc++ 5/6 discrepancies).
> >
> > Anyway, when Iceweasel is started, it silently disables the security
> > update checks in the configuration.
> > "about:config" reports that 'app.update.enabled' is set to false. This
> > is set on startup.
> >
> > This is a problem, because as I mentioned people may use, concurrently
> > or later, an official version of Firefox. In this case, Firefox will
> > disable security update checks as directed, and thus Firefox won't be
> > upgraded when there's a security fix. People may work several months
> > without being notified about a security hole in their Firefox.
> >
> > The fact Iceweasel disables upstream security update checks is normal,
> > because Debian (not upstream) provides those. However it's a mistake
> > to disable that in the configuration, because this impacts other
> > versions of Firefox that do use those checks.
> >
> > So please don't alter 'app.update.enabled' and other settings, and
> > disable Iceweasel upstream security updates checks using another
> > method (e.g. by not compiling the related code, or by not using
> > ~/.mozilla/firefox to store the iceweasel configuration).
>
> Are you sure that when running firefox again, the config value doesn't
> go back to true ? Because these are global configurations that are not
> stored in user profile unless you modify them... So while running
> iceweasel would disable app.update.enabled, running firefox should
> re-enable it. Try resetting the config item (right-click -> reset, iirc)
> and try switching between iceweasel and firefox.

Okay, it appears to be a "feature" of the locked preferences. With
verbatim upstream firefox, the same can happen when using locked prefs.
I'll dive into the pref code to understand what's going on.

Cheers,

Mike
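
The question the thread leaves open is whether 'app.update.enabled' ends up stored as false in the shared profile, where an official Firefox build would then pick it up. The following check is an added example, not part of the original messages or of Iceweasel/Firefox code: it reads each profile's prefs.js under the ~/.mozilla/firefox directory named in the report and flags profiles that persist the pref as false. It assumes persisted preferences appear as user_pref("name", value); lines in prefs.js; the sample contents and function names are constructed for illustration.

```python
import re
from pathlib import Path

# One persisted preference per line: user_pref("name", value);
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\)\s*;\s*$'
)

def parse_prefs(text):
    """Return {name: raw_value} for every active user_pref() line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:  # commented-out or malformed lines are ignored
            prefs[m.group(1)] = m.group(2)
    return prefs

def update_check_persisted_off(text, pref="app.update.enabled"):
    """True only if the profile itself stores the pref as false."""
    return parse_prefs(text).get(pref) == "false"

def scan_profiles(root):
    """Return names of profile dirs under root that persist the pref as false."""
    hits = []
    for prefs_js in sorted(Path(root).glob("*/prefs.js")):
        text = prefs_js.read_text(errors="replace")
        if update_check_persisted_off(text):
            hits.append(prefs_js.parent.name)
    return hits

# Constructed sample prefs.js contents (not taken from a real profile).
SAMPLE_AFFECTED = """# Mozilla User Preferences
user_pref("app.update.enabled", false);
user_pref("browser.startup.homepage", "about:blank");
"""
SAMPLE_CLEAN = """# Mozilla User Preferences
// user_pref("app.update.enabled", false);
user_pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    root = Path.home() / ".mozilla" / "firefox"
    for name in scan_profiles(root):
        print(f"{name}: app.update.enabled is persisted as false")
```

A profile with no entry for the pref is reported as clean, since the browser's built-in default then applies.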