[EMAIL PROTECTED] wrote:
> I'm a happy user of Testing, but I'm a bit concerned about getting
> updates to Firefox in a timely manner. The current version in Testing
> is 1.0.4-2, which has recently-announced vulnerabilities in it. The
> vulns (I don't like typing that word :) have been fixed in the version
> in Sarge, 1.0.4-2sarge1. They've been fixed in Unstable as well, in
> 1.0.6-2.
>
> But when will this version come to Testing? A quick look at the
> changelog for the package shows that 1.0.5-1, which fixes some
> security issues, was uploaded to Unstable on July 16th with an urgency
> level of high, but four days later 1.0.6-1 was uploaded with an
> urgency of low. Ten days later, on July 30th, 1.0.6-2 was uploaded
> with an urgency of medium. But here it is over two weeks later, and
> Testing is still stuck on 1.0.4-2.
>
> I looked in the bug tracker, but I couldn't find any good bug to
> prevent these newer versions from moving to Testing.
>
> Now, I'm far from an expert, and I'm still fairly new to Debian (less
> than a year), but it seems like something needs to change. I don't
> want to run Unstable on my computer, but I don't want to be stuck with
> vulnerable browsers either.
>
> I could upgrade Firefox to the version that's in unstable, but there
> are two problems:
>
> 1) This is a poor long-term solution, having to manually upgrade
> packages and their dependencies to fix security problems;
>
> 2) I can't even do that in this case, because Firefox 1.0.6-2 depends
> on libxinerama1, which depends on libc6 >= 2.3.5, but Testing is still
> on libc6 2.3.2.
>
> This is simply a mess. Actually, now that I think about it, I suppose
> the reason 1.0.6-2 hasn't moved into Testing is because of the
> dependency problem of libxinerama1 and libc6. But who knows when the
> new version of libc6 will get into Testing? It may be a very long
> time. In the meantime, are we Testing users supposed to keep using a
> vulnerable version of Firefox?
>
> I know Testing is not supported for security updates, but for
> high-profile packages like Firefox with high-profile vulns, don't we
> need a solution for this problem? And upgrading to Unstable is not a
> solution; there's a reason I and others use Testing instead of
> Unstable.
Although I don't have much advice for you on this topic, I recommend you go over to the debian-security mailing list and read the thread http://lists.debian.org/debian-security/2005/07/msg00315.html about the mozilla-* security support state of affairs. A very long thread on a valid topic and pretty informative.

/KS
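The quoted diagnosis (firefox 1.0.6-2 needs libxinerama1, which needs libc6 >= 2.3.5, while testing only has libc6 2.3.2) is the kind of check a Testing user can script before trying a manual upgrade. The following is an added example written for this thread, not code from any poster or from Debian's own tooling: it implements `dpkg --compare-versions` ordering in Python and walks a candidate's dependency chain to report which relation testing cannot satisfy. The package data is constructed from the thread; libxinerama1's version is a placeholder, and libc6 is assumed to be held back in unstable (as the thread suspects), so it is not listed as a migration candidate.

```python
import itertools, re

def _key(s):
    # dpkg ordering within a non-digit run: '~' < end of string (0) < letters < anything else
    return tuple(-1 if c == '~' else ord(c) if c.isalpha() else ord(c) + 256 for c in s) + (0,)

def _cmp_part(a, b):
    # Compare alternating (non-digit, digit) runs the way dpkg's verrevcmp does
    runs = re.findall(r'(\D*)(\d*)', a), re.findall(r'(\D*)(\d*)', b)
    for (sa, da), (sb, db) in itertools.zip_longest(*runs, fillvalue=('', '')):
        if _key(sa) != _key(sb):
            return -1 if _key(sa) < _key(sb) else 1
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

_VER = re.compile(r'^(?:(\d+):)?(.+?)(?:-([^-]*))?$')  # [epoch:]upstream[-revision]

def compare_versions(a, b):
    """-1, 0 or 1 with `dpkg --compare-versions` semantics: epoch, upstream, revision."""
    (ea, ua, ra), (eb, ub, rb) = _VER.match(a).groups(), _VER.match(b).groups()
    if int(ea or 0) != int(eb or 0):
        return -1 if int(ea or 0) < int(eb or 0) else 1
    return _cmp_part(ua, ub) or _cmp_part(ra or '', rb or '')

_OPS = {'>=': (0, 1), '<=': (-1, 0), '>>': (1,), '<<': (-1,), '=': (0,)}
_DEP = re.compile(r'^([\w.+-]+)(?:\s*\(\s*(>=|<=|>>|<<|=)\s*(\S+?)\s*\))?$')

def migration_blockers(name, candidates, testing, seen=None):
    """(package, dependency) pairs that keep candidate `name` out of testing."""
    seen = set() if seen is None else seen
    seen.add(name)
    blockers = []
    for dep in candidates[name][1]:
        dname, op, want = _DEP.match(dep).groups()
        ok = lambda have: op is None or compare_versions(have, want) in _OPS[op]
        if dname in testing and ok(testing[dname]):
            continue  # testing already has a version satisfying the relation
        if dname in candidates and ok(candidates[dname][0]):
            if dname not in seen:  # would migrate together, so its deps must be met too
                blockers += migration_blockers(dname, candidates, testing, seen)
        else:
            blockers.append((name, dep))
    return blockers

# Constructed data modelled on the thread. libxinerama1's version is a placeholder; libc6 2.3.5 is
# left out of the candidates because it is assumed held back in unstable for reasons of its own.
CANDIDATES = {'firefox': ('1.0.6-2', ['libxinerama1']),
              'libxinerama1': ('0.0-placeholder', ['libc6 (>= 2.3.5)'])}
TESTING = {'firefox': '1.0.4-2', 'libc6': '2.3.2'}
```

`migration_blockers('firefox', CANDIDATES, TESTING)` returns `[('libxinerama1', 'libc6 (>= 2.3.5)')]`, which is exactly the chain the quoted message worked out by hand; the same call against a testing map with a newer libc6 returns an empty list.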