Hi!

Nikita V. Youshchenko [2005-07-31 23:10 +0400]:
> So options seem to be:
>
> (1) keep vulnerable packages in stable,
> (2) remove affected packages from distribution,
> (3) allow new upstream into stable.

We recently had the same problem in Ubuntu. Adam Conrad and I both spent literally weeks with backporting and fixing patches, and in the end we came up with a semi-working Firefox which was pretty buggy and broke almost all extensions. So we just gave up and uploaded the new upstream versions into stable, which made relatively little trouble compared to the mess we created with backporting.

It was not an easy decision since usually we follow the same strict "minimal patches" backporting policy, but we finally had to bow to reality; the Mozilla code is so ugly and intertwined that backporting patches is a battle you can't win without employing a couple of upstream developers (which just say "use the new upstream version, dude!").

I think in the end we have to do the same for Debian.

Martin

-- 
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian Developer http://www.debian.org