(This turned into a saga - so here's the executive summary: let's let the security team do their job and find us a secure version. Talk about removing Firefox and/or definitely ruling out upgrading to a newer version is unhelpful in solving the problem.)
Neil McGovern wrote:
> On Sat, Aug 20, 2005 at 09:02:47PM -0400, Daniel Sterling wrote:
>
>>Keeping Debian stable by not changing things is great.
>>...
>>Debian stable cannot stay stable without changing, sometimes drastically.
>>
>
> Erm... I think you may be getting stability and security mixed up here.
> A program or set of programs IS stable if it's not got any bugs, and
> nothing changes that could introduce bugs. Changing things introduces
> the possibility for bugs, and hence, produces potential instability.

You're worried about potential instability in the face of a *known
security flaw*?!?! How much more unstable can you get than someone being
able to execute arbitrary code in your browser? [1] [2]

> ...
> This is where we disagree:
> Packaging a new version is NOT acceptable for me, as a Debian user.

From my perspective as a Debian user, packaging a new version is most
likely the *only* acceptable thing. I can't afford to be without a
browser (some have suggested removing Firefox from stable), and I also
can't afford to be without a secure browser, so I'm prepared to wear
potential instability to get security bugs fixed.

I use Debian stable on all my machines - home desktop, home server, and
all other Debian servers I support (3 others for people other than
myself). The only one on which Firefox is critical is my home desktop
(it's not even installed on my servers). And on this system, I need to
have the most secure possible version of Firefox, because I can't trust
every web site on the Internet. Firefox 1.0.6 is the only currently
secure version.

What the security team have been discussing is whether it's easier to
work out how to backport just the security fix (which Mozilla don't
provide) or to compile a new version, and how and where to provide
that. I don't really care either way, but from a user perspective, I
really need a secure browser.

> ...
> Perhaps the best way forward is to use testing, and ensure that there is
> security support for it. This is something the secure-testing team is
> trying to do.

That's a far cry from "the best way forward". Testing is too close to
unstable, even for my home desktop. I chose Debian stable for my desktop
because I didn't want to waste my time upgrading every 6 months like I
would with Fedora Core or SuSE Pro. Even if I just pick the individual
packages out of testing and unstable required to install the secure
version of Firefox from unstable, I end up with the attached package
list (packages.txt) to upgrade.

And even tracking testing would not be enough in this case, because
testing doesn't have a secure version of Firefox. [3] On my test box
which tracks testing, I have to upgrade the packages shown in my second
attachment (packages-testing.txt) in order to get the secure version.
Tracking testing isn't a viable solution.

[1] http://www.mozilla.org/security/announce/mfsa2005-56.html
[2] http://www.mozilla.org/security/announce/mfsa2005-53.html
[3] http://packages.debian.org/cgi-bin/search_packages.pl?searchon=names&subword=1&version=all&release=all&keywords=firefox

-- 
Paul <http://paulgear.webhop.net>
-- 
Did you know? If you receive a virus warning from a friend and not
through a virus software vendor, it's likely to be a hoax. See
<http://gear.dyndns.org:81/features/virus_hoaxes> for more info.
packages.txt:

enoch:/root # apt-get install mozilla-firefox/unstable libxinerama1/unstable libc6/unstable libatk1.0-0/testing libgcc1/testing libstdc++6/testing
Reading Package Lists... Done
Building Dependency Tree... Done
Selected version 1.0.6-2 (Debian:unstable) for mozilla-firefox
Selected version 6.8.2.dfsg.1-5 (Debian:unstable) for libxinerama1
Selected version 2.3.5-4 (Debian:unstable) for libc6
Selected version 1.10.1-2 (Debian:testing) for libatk1.0-0
Selected version 1:4.0.1-2 (Debian:testing) for libgcc1
Selected version 4.0.1-2 (Debian:testing) for libstdc++6
The following extra packages will be installed:
  gcc-4.0-base libatk1.0-0 libc6 libgcc1 libstdc++6 libxinerama1 mozilla-firefox
Suggested packages:
  glibc-doc latex-xft-fonts
Recommended packages:
  libatk1.0-data
The following packages will be REMOVED:
  build-essential g++ g++-3.3 gdk-imlib1-dev j2re1.4 j2sdk1.4 libart-dev
  libatk1.0-dev libaudiofile-dev libc6-dev libcommons-beanutils-java
  libcommons-collections-java libcommons-dbcp-java libcommons-digester-java
  libcommons-fileupload-java libcommons-logging-java libcommons-modeler-java
  libcommons-pool-java libcommons-validator-java libesd0-dev libexpat1-dev
  libfontconfig1-dev libfreetype6-dev libglib1.2-dev libglib2.0-dev
  libgnome-dev libgnorba-dev libgtk1.2-dev libgtk2.0-dev libgtkxmhtml-dev
  libice-dev libjpeg62-dev libopennms-java liborbit-dev libpango1.0-dev
  libpng10-dev libpng12-dev libpopt-dev libsm-dev libstdc++5-3.3-dev
  libstruts1.1-java libtomcat4-java libx11-dev libxext-dev libxft-dev
  libxi-dev libxmu-dev libxmuu-dev libxp-dev libxpm-dev libxrandr-dev
  libxrender-dev libxt-dev libxtrap-dev libxtst-dev libxv-dev libzvt-dev
  locales mozilla-firefox-gnome-support opennms opennms-server opennms-webapp
  tomcat4 tomcat4-admin tomcat4-webapps xlibs-dev xlibs-static-dev zlib1g-dev
The following NEW packages will be installed:
  gcc-4.0-base libstdc++6 libxinerama1
The following packages will be upgraded:
  libatk1.0-0 libc6 libgcc1 mozilla-firefox
4 upgraded, 3 newly installed, 68 to remove and 0 not upgraded.
Need to get 13.4MB of archives.
After unpacking 241MB disk space will be freed.
Do you want to continue? [Y/n] n
Abort.
packages-testing.txt:

guest09:~# apt-get install mozilla-firefox/unstable libxinerama1/unstable libc6/unstable
+ guest09:~# apt-get install mozilla-firefox/unstable libxinerama1/unstable libc6/unstable libglib2.0-0/unstable libc6-dev/unstable locales/unstable lsb/unstable lsb-core/unstable lsb-cxx/unstable lsb-graphics/unstable
Reading Package Lists... Done
Building Dependency Tree... Done
Selected version 1.0.6-3 (Debian:unstable) for mozilla-firefox
Selected version 6.8.2.dfsg.1-5 (Debian:unstable) for libxinerama1
Selected version 2.3.5-4 (Debian:unstable) for libc6
Selected version 2.8.0-1 (Debian:unstable) for libglib2.0-0
Selected version 2.3.5-4 (Debian:unstable) for libc6-dev
Selected version 2.3.5-4 (Debian:unstable) for locales
Selected version 3.0-5 (Debian:unstable) for lsb
Selected version 3.0-5 (Debian:unstable) for lsb-core
Selected version 3.0-5 (Debian:unstable) for lsb-cxx
Selected version 3.0-5 (Debian:unstable) for lsb-graphics
The following extra packages will be installed:
  cpp cpp-4.0 libatk1.0-0 libc6 libc6-dev libglib2.0-0 libgtk2.0-0
  libgtk2.0-bin libgtk2.0-common libidl0 libkrb53 libpango1.0-0
  libpango1.0-common libtiff4 libxcursor1 libxinerama1 locales lsb lsb-core
  lsb-cxx lsb-graphics mozilla-firefox
Suggested packages:
  cpp-doc gcc-4.0-locales glibc-doc manpages-dev krb5-doc krb5-user
  ttf-kochi-gothic ttf-kochi-mincho ttf-thryomanes ttf-baekmuk
  ttf-arphic-gbsn00lp ttf-arphic-bsmi00lp ttf-arphic-gkai00mp
  ttf-arphic-bkai00mp mozilla-firefox-gnome-support latex-xft-fonts xprint
Recommended packages:
  libatk1.0-data gcc c-compiler libglib2.0-data hicolor-icon-theme
  x-ttcidfont-conf
The following NEW packages will be installed:
  cpp cpp-4.0 libatk1.0-0 libglib2.0-0 libgtk2.0-0 libgtk2.0-bin
  libgtk2.0-common libidl0 libkrb53 libpango1.0-0 libpango1.0-common libtiff4
  libxcursor1 libxinerama1 mozilla-firefox
The following packages will be upgraded:
  libc6 libc6-dev locales lsb lsb-core lsb-cxx lsb-graphics
7 upgraded, 15 newly installed, 0 to remove and 0 not upgraded.
Need to get 28.6MB of archives.
After unpacking 49.5MB of additional disk space will be used.
Do you want to continue? [Y/n] n
Abort.
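The check a practitioner would want before letting a dependency pull like the ones in the two attachments run: parse the plan apt-get prints before "Do you want to continue?" and refuse to proceed unattended if it removes packages, if the target does not come out at the fixed version, or if the summary line disagrees with the listed packages (a sign the output was cut). This is an added example, not the author's or Debian's code. The two transcripts it runs on are constructed for it, trimmed to the shape of packages.txt and packages-testing.txt rather than copied from them, and the version check is an exact match on the upstream part of the version string, not dpkg's version ordering.

```python
"""Added example (not from the post): parse the plan apt-get prints before
asking "Do you want to continue?" and decide whether a proposed security
upgrade can be applied without an operator watching.

Both transcripts below are constructed: they follow the shape of the
author's packages.txt and packages-testing.txt attachments, trimmed down.
"""
import re
from dataclasses import dataclass, field

# Constructed: the stable-box shape, where the fixed mozilla-firefox drags
# libc6 along and the resolver wants to remove packages to make room.
PLAN_STABLE_BOX = """\
Reading Package Lists... Done
Building Dependency Tree... Done
Selected version 1.0.6-2 (Debian:unstable) for mozilla-firefox
Selected version 2.3.5-4 (Debian:unstable) for libc6
The following extra packages will be installed:
  gcc-4.0-base libc6 mozilla-firefox
The following packages will be REMOVED:
  build-essential libc6-dev locales
The following NEW packages will be installed:
  gcc-4.0-base
The following packages will be upgraded:
  libc6 mozilla-firefox
2 upgraded, 1 newly installed, 3 to remove and 0 not upgraded.
Do you want to continue? [Y/n] n
Abort.
"""

# Constructed: the testing-box shape, where nothing is removed.
PLAN_TESTING_BOX = """\
Reading Package Lists... Done
Building Dependency Tree... Done
Selected version 1.0.6-3 (Debian:unstable) for mozilla-firefox
Selected version 2.3.5-4 (Debian:unstable) for libc6
The following extra packages will be installed:
  libatk1.0-0 libc6 mozilla-firefox
The following NEW packages will be installed:
  libatk1.0-0 mozilla-firefox
The following packages will be upgraded:
  libc6
1 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 28.6MB of archives.
Do you want to continue? [Y/n] n
Abort.
"""

SELECTED_RE = re.compile(r"^Selected version (\S+) \((\S+)\) for (\S+)$")
SUMMARY_RE = re.compile(
    r"^(\d+) upgraded, (\d+) newly installed, (\d+) to remove and (\d+) not upgraded\.$")
SECTION_KEYS = {  # apt-get's section headers, minus the trailing colon
    "The following extra packages will be installed": "extra",
    "The following packages will be REMOVED": "removed",
    "The following NEW packages will be installed": "new",
    "The following packages will be upgraded": "upgraded",
    "Suggested packages": "suggested",
    "Recommended packages": "recommended",
}


@dataclass
class Plan:
    selected: dict = field(default_factory=dict)   # package -> (version, archive)
    sections: dict = field(default_factory=dict)   # "removed"/"new"/... -> [package]
    summary: tuple = (0, 0, 0, 0)                   # upgraded, new, removed, held back


def parse_plan(text):
    """Turn apt-get's pre-confirmation output into a Plan."""
    plan, current = Plan(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SELECTED_RE.match(line):
            version, archive, pkg = m.groups()
            plan.selected[pkg] = (version, archive)
        elif m := SUMMARY_RE.match(line):
            plan.summary = tuple(int(n) for n in m.groups())
            current = None                          # nothing after this is a package list
        elif line.endswith(":"):
            current = SECTION_KEYS.get(line[:-1])   # unknown header: skip its body
        elif current:
            plan.sections.setdefault(current, []).extend(line.split())
    return plan


def upstream_version(debian_version):
    """Strip epoch and Debian revision: '1:4.0.1-2' -> '4.0.1'."""
    return debian_version.split(":", 1)[-1].rsplit("-", 1)[0]


def assess(plan, target, fixed_upstream, protected=frozenset()):
    """Reasons NOT to apply the plan unattended; an empty list means clean.

    Exact upstream-version match, not dpkg ordering: a newer fixed release
    is reported as a mismatch, which is the conservative failure here.
    """
    problems = []
    sel = plan.selected.get(target)
    if sel is None:
        problems.append(f"{target} is not among the selected packages")
    elif upstream_version(sel[0]) != fixed_upstream:
        problems.append(f"{target} resolves to {sel[0]} from {sel[1]}, not {fixed_upstream}")
    removed = plan.sections.get("removed", [])
    if removed:
        problems.append(f"{len(removed)} package(s) would be removed")
        hit = sorted(set(removed) & set(protected))
        if hit:
            problems.append("removal touches protected packages: " + ", ".join(hit))
    listed = (len(plan.sections.get("upgraded", [])),
              len(plan.sections.get("new", [])), len(removed))
    if listed != plan.summary[:3]:
        problems.append(f"summary {plan.summary[:3]} disagrees with listed packages {listed}")
    return problems


if __name__ == "__main__":
    for name, text in (("stable box", PLAN_STABLE_BOX), ("testing box", PLAN_TESTING_BOX)):
        findings = assess(parse_plan(text), "mozilla-firefox", "1.0.6",
                          {"build-essential", "locales"})
        print(f"{name}: {findings or 'clean'}")
```

In practice the text fed to parse_plan comes from `apt-get -s install ...` (the simulate flag), so the decision is made before anything is downloaded; the protected set is whatever a given box cannot lose, which on the author's desktop would have started with build-essential.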