On Thu, May 30, 2013 at 08:29:16PM +0200, Didier 'OdyX' Raboud wrote:
> > FWIW, I don't. I think the compromise that the security team is proposing is
> > much more reasonable than such an alternative.
>
> That compromise (which I do definitely support for wheezy) puzzles me
> most for the precedent it creates: if we "give up" [0] maintaining
> some of the most security-sensitive software up to our stable policy,
> why should other packages be bound to it?
Well, it seems to me that the decision chain is pretty clear here. The "we" you've used above is IMHO defined as the security team. It's them doing the amazing security job they do for Debian, therefore it's perfectly fine for them to decide where and when to make compromises. Other packages will be bound or not to similar compromises depending on the judgement of the security team.

Note that it's already the case that the level of security support for packages in stable varies on a case by case basis, see for instance:

http://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#browser-security

*By default* everything is held up to the same security standards, but "we" do apply different policies when needed, as decided by the security team. What's important is to clearly communicate to our users what they're getting. Sometimes we can do that in advance, as above; on other occasions we might have to do it a posteriori. That's life.

(And I suspect that, given an unlimited supply of manpower, the security team would be happy to do all the backports we need. Unfortunately we simply don't have that supply.)

> > Note that the presence of non-free extensions in the 3rd party
> > repositories that come pre-configured with Debian-distributed browsers
> > (and increasingly more other software) is a different problem. […]
> > And one we should tackle, IMHO, but that's for a separate discussion.
>
> I'm not sure it's that much of a separate discussion: as the original message
> mentioned, we'll get the ESR17 and then ESR24 version of Firefox/Iceweasel in
> Wheezy, including the new features related to extensions and 3rd party
> repositories, which are out of our control. I must admit though that I don't
> know precisely how this area evolves and I do trust the "Maintainers of
> Mozilla-related packages" to do it right.

You're right, I've been unclear. What I meant is this: whether the 3rd party repositories that come configured with our browsers list non-free extensions by default or not (which is a change I would welcome) is a separate discussion. The existence of those 3rd party repositories, no matter the free-ness of the extensions, clearly is impacted by our security policy decisions.

Cheers.
-- 
Stefano Zacchiroli  . . . . . . .  z...@upsilon.cc . . . . o . . . o . o
Maître de conférences . . . . . http://upsilon.cc/zack . . . o . . . o o
Former Debian Project Leader  . . @zack on identi.ca   . . o o o . . . o .
« the first rule of tautology club is the first rule of tautology club »