I second this post. Dan, thank you for saying so clearly.
On Sat, 20 Aug 2005, Daniel Sterling wrote:

> Keeping Debian stable by not changing things is great.
>
> Except maybe it's not so great when you're trying to maintain a complicated,
> buggy, high profile program that handles sensitive user data and untrusted
> input.
>
> Debian stable cannot stay stable without changing, sometimes drastically.
>
> Firefox in Debian stable cannot stay stable and secure by not changing.
>
> The latest upgrades to sarge's firefox have addressed (successfully?) several
> security vulnerabilities. I submit that the work done to create these new
> packages has been wasted effort, for at least two reasons.
>
> 1. Creating these packages duplicates work already done upstream. While you
> could argue that this is true for any security backport to a greater or lesser
> degree, in this case this point is important because:
> 2. The packages are buggy (in subtle and creative ways, such as
> sometimes-broken middle clicking).
>
> In addition, the time between upstream's release and the DSA has not been
> minimal (one month!). (This is a whole issue in itself! Are Debian users
> supposed to subscribe to bugtraq etc. to ensure their browser is secure?)
>
> We need to accept that we should not be wasting our valuable talent and time
> on backporting security fixes to complicated apps such as Firefox. I don't know
> which app that time should be spent on, but I know it sure ain't Firefox.
>
> Properly backporting the fixes and getting them into Debian will simply take
> too much time, if it is properly done at all. We would basically need to have
> our own Firefox developer, who, even though she understands how the code works
> and all the subtlety involved, has decided that instead of fixing bugs and
> implementing features, she wants to keep security up to date on an obsolete
> code base.
>
> No one is going to do that. No one should be doing that.
>
> We need to figure out how to get the latest Firefox on the desktops of stable
> users. Something like volatile *may* be the answer. Perhaps keeping the latest
> secure version of Firefox in security, or experimental. Perhaps we need to
> completely revamp the way stable works. However, we CANNOT do nothing, or
> continue to believe we can maintain older versions of software as complex and
> intricate as Firefox. Because we can't maintain them.
>
> I submit that whoever wants 1.0.4 in sarge so bad they'll maintain it needs to
> step forward now, or forever hold their peace.
>
> I submit that the only feasible solution is to use the latest upstream in
> security updates. That means when 1.0.x is EOLed, if there are security issues
> still present, we remove Firefox from sarge (which is better than keeping an
> insecure version, and is what we are implicitly doing when we don't update
> it-- reference Mozilla 1.0 in woody) or use the latest upstream version. I
> submit that this *is* the best way for Debian users, as they will get prompt,
> working security updates. I submit that if someone will have/has a problem
> with that, they almost certainly already have a working solution in place
> right now, as Debian's packages have been, from a security standpoint,
> unworkable for a month with Firefox, and possibly longer with Mozilla. Have we
> heard an argument from any real life users for keeping older, buggy, and
> possibly insecure versions of Firefox in Debian?
>
> In summary, Debian must package the latest upstream Firefox in stable to stay
> stable and secure, and doing so might require policy change. That policy
> change is needed.
>
> -- Dan