On 2010-11-05 15:38 +0100, Camaleón wrote:

> On Fri, 05 Nov 2010 09:10:44 -0500, Boyd Stephen Smith Jr. wrote:
>
>> On Friday 05 November 2010 08:13:41 Camaleón wrote:
>>
>>> > Thirdly, the policy of no new upstream versions after release isn't
>>> > changed for volatile. (It is changed for volatile-sloppy.)
>>>
>>> And that is what people want to be improved :-)
>>
>> No. That's NOT what those who know and love Debian stable want. The
>> lack of upstream changes is one of the main reasons I use stable on
>> servers.
>
> What happens with Mozilla packages (more exactly with Firefox/Iceweasel)
> is that upstream versions correct security flaws, meaning that right now,
> Debian's lenny stock version of Iceweasel is vulnerable to lots of holes
> because Mozilla does not provide support or patches for the 3.0.x branch.
That is true, but the Debian iceweasel/xulrunner maintainer and the security
team backport security fixes. Note that most of the problems are not specific
to iceweasel and affect all browsers based on xulrunner, so they are fixed in
the xulrunner-1.9 package, which is updated rather frequently.

> Leaving your user base with a vulnerable browser is not very sane.

Yes, but does iceweasel in lenny actually have big security problems? The
Debian security tracker¹ lists only one unfixed problem, which is hardly
critical².

> I see only one reason to force the upgrade of a stock package with a
> newer version, and it is precisely the lack of support (or patches) from
> the upstream packager.

But for Mozilla based packages the patches are available; it's just that
they are in a different branch and have to be backported. This may not be
ideal, but the situation is hardly worse than with the Linux kernel.

> Hopefully there is "backports" holding these packages, but for Mozilla
> products (which are included in the regular repo) it should not be needed
> - to be backported - at all: lenny users should have received the 3.5
> release by means of the security repo.

So that half of their installed extensions are broken after the upgrade?
Does not seem to be a very good idea to me.

Sven

¹ http://security-tracker.debian.org/tracker/source-package/iceweasel
² http://security-tracker.debian.org/tracker/CVE-2009-0777
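The practical consequence of the backporting model Sven describes is that the upstream version string (3.0.x) says nothing about which security fixes a lenny package carries; the Debian changelog and the security tracker do. The small shell helper below is an added example, not code from the thread or from Debian: it pulls the CVE ids out of a Debian changelog so a fix backported into xulrunner-1.9 can be checked by CVE id rather than by version number. The changelog text and the CVE ids in it are constructed placeholders; the `/usr/share/doc/<package>/changelog.Debian.gz` path in the comment is the standard location on a Debian system.

```shell
#!/bin/sh
# Added example: list the CVE ids a Debian changelog claims to address.
# On a real lenny box the input would come from the installed package's
# changelog, e.g.:
#   zcat /usr/share/doc/xulrunner-1.9/changelog.Debian.gz | cves_in_changelog
# Everything below uses a constructed changelog with placeholder CVE ids.

# Print each distinct CVE id found on stdin, one per line, sorted.
cves_in_changelog() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit 0 if the CVE id given as $1 is mentioned in the changelog on stdin,
# non-zero otherwise (so it can be used directly in an if/|| test).
cve_is_mentioned() {
    cves_in_changelog | grep -qx "$1"
}

# Constructed sample changelog entry; CVE-2010-99901/99902 are placeholders,
# not real identifiers, and the maintainer address is fictitious.
SAMPLE_CHANGELOG='xulrunner (1.9.0.19-3) stable-security; urgency=high

  * Backport fixes for CVE-2010-99901 and CVE-2010-99902 from the 1.9.2
    branch (placeholder ids for this example).

 -- Example Maintainer <maint@example.invalid>  Fri, 05 Nov 2010 10:00:00 +0100
'

# Stand-alone demonstration: list the ids, then check one present and one
# absent id (CVE-2009-0777 is the one the thread names as still unfixed).
printf '%s' "$SAMPLE_CHANGELOG" | cves_in_changelog
for id in CVE-2010-99901 CVE-2009-0777; do
    if printf '%s' "$SAMPLE_CHANGELOG" | cve_is_mentioned "$id"; then
        echo "$id: mentioned in changelog"
    else
        echo "$id: not mentioned in changelog"
    fi
done
```

A changelog mention is only a claim by the maintainer; the authoritative status for a given id is the security tracker entry, which the thread already links, so the two are best used together: grep the changelog to confirm the backport landed in the installed revision, and consult the tracker to see whether Debian considers the issue fixed for lenny.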