The solution to this problem is simple. We change the meaning of stable to "stable except for such cases as security demands upgrading versions rather than backporting patches." And then leave the old insecure version of the package in place as <package.name.insecure>.
We can dilly dally about it all we want but this is really the only viable solution. Leaving bad packages around is not an option. Taking Mozilla or other core parts of most users' computing experience is not really an option (unless we want to put ourselves even farther out on the fringe). So upgrading broken packages is our last option. It may be unpalatable to some, and perhaps more work, but according to this discussion it will still be less work than trying to backport the security patches alone. We are making a mountain out of a molehill.

If help is needed to do this, email me off list and I will try and help. I have servers that can be used to build at least two of the architectures.

David.

--
David Ehle
Computing Systems Manager
CAPP CSRRI
rm 077 LS Bld.
IIT Main Campus
Chicago IL 60616
[EMAIL PROTECTED]
312-567-3751

He who fights with monsters must take care lest he thereby become a monster. And if you gaze for long into an abyss, the abyss gazes also into you.

On Tue, 2 Aug 2005, Matt Zimmerman wrote:

> On Tue, Aug 02, 2005 at 09:04:01PM +0100, antgel wrote:
>
> > Matt Zimmerman wrote:
> > > Have you been following this discussion? That is exactly what we have been
> > > killing ourselves doing for the past few years. It is a _losing battle_.
> >
> > I've been following a fair bit of the discussion, but it's hard to pull
> > the facts out from the opinion. I'm not belittling the Debian team
> > efforts, and I'm sorry if I seemed like I was. If it is a losing
> > battle, then it's one that we should try to equip ourselves[1] to win.
> > If you are saying that we can't equip ourselves then fine, but it's a
> > shame. We are on the same side here.
> >
> > Antony
> >
> > [1] This includes more manpower and liaising with Mozilla to see if they
> > can help more than they are doing.
>
> I'm guessing that you're not going to volunteer on the manpower side, and I
> don't think that it would be a good way to spend resources even if we had
> them. You're welcome to attempt to convince the Mozilla project to change
> the way that they work for the benefit of distribution security teams. If I
> recall correctly, others have unsuccessfully attempted this in the past, but
> since you are interested in this issue, perhaps you will try again and
> report back to us.
>
> --
> - mdz
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]