Keeping Debian stable by not changing things is great. Except maybe it's not so great when you're trying to maintain a complicated, buggy, high profile program that handles sensitive user data and untrusted input.
Debian stable cannot stay stable without changing, sometimes drastically. Firefox in Debian stable cannot stay stable and secure by not changing. The latest upgrades to sarge's firefox have addressed (successfully?) several security vulnerabilities. I submit that the work done to create these new packages has been wasted effort, for at least two reasons.

1. Creating these packages duplicates work already done upstream. While you could argue that this is true for any security backport to a greater or lesser degree, in this case this point is important because:

2. The packages are buggy (in subtle and creative ways, such as sometimes-broken middle clicking).

In addition, the time between upstream's release and the DSA has not been minimal (one month!). (This is a whole issue in itself! Are Debian users supposed to subscribe to bugtraq etc. to ensure their browser is secure?)

We need to accept that we should not be wasting our valuable talent and time on backporting security fixes to complicated apps such as Firefox. I don't know which app that time should be spent on, but I know it sure ain't Firefox. Properly backporting the fixes and getting them into Debian will simply take too much time, if it is properly done at all. We would basically need to have our own Firefox developer, who, even though she understands how the code works and all the subtlety involved, has decided that instead of fixing bugs and implementing features, she wants to keep security up to date on an obsolete code base. No one is going to do that. No one should be doing that.

We need to figure out how to get the latest Firefox on the desktops of stable users. Something like volatile *may* be the answer. Perhaps keeping the latest secure version of Firefox in security, or experimental. Perhaps we need to completely revamp the way stable works. However, we CANNOT do nothing, or continue to believe we can maintain older versions of software as complex and intricate as Firefox.
Because we can't maintain them. I submit that whoever wants 1.0.4 in sarge so bad they'll maintain it needs to step forward now, or forever hold their peace.

I submit that the only feasible solution is to use the latest upstream in security updates. That means when 1.0.x is EOLed, if there are security issues still present, we remove Firefox from sarge (which is better than keeping an insecure version, and is what we are implicitly doing when we don't update it -- reference Mozilla 1.0 in woody) or use the latest upstream version. I submit that this *is* the best way for Debian users, as they will get prompt, working security updates. I submit that if someone will have/has a problem with that, they almost certainly already have a working solution in place right now, as Debian's packages have been, from a security standpoint, unworkable for a month with Firefox, and possibly longer with Mozilla.

Have we heard an argument from any real life users for keeping older, buggy, and possibly insecure versions of Firefox in Debian?

In summary, Debian must package the latest upstream Firefox in stable to stay stable and secure, and doing so might require policy change. That policy change is needed.

-- 
Dan