On Fri, 05 Nov 2010 17:00:13 +0100, Sven Joachim wrote:

> On 2010-11-05 15:38 +0100, Camaleón wrote:
>
>> What happens with Mozilla packages (more exactly with
>> Firefox/Iceweasel) is that upstream versions correct security flaws,
>> meaning that right now, Debian's lenny stock version of Iceweasel is
>> vulnerable to lots of holes because Mozilla does not provide support
>> or patches for the 3.0.x branch.
>
> That is true, but the Debian iceweasel/xulrunner maintainer and the
> security team backport security fixes.

How is that possible? :-? As soon as Mozilla stopped offering security
patches and stopped tracking the 3.0.x branch, there can be "hidden" bugs
that neither Mozilla nor Debian can be aware of.

> Note that most of the problems
> are not specific to iceweasel and affect all browsers based on
> xulrunner, so they are fixed in the xulrunner-1.9 package which is
> updated rather frequently.

Mmm, the current xulrunner upstream release is 1.9.2, which matches
Firefox 3.6. Now I've got 1.9.0.19-6 installed (matching my icedove
version).

>> Leaving your user base with a vulnerable browser is not very sane.
>
> Yes, but does iceweasel in lenny actually have big security problems?
> The Debian security tracker¹ lists only one unfixed problem that is
> hardly critical².

Do you think Debian packages include all these bug fixes?

http://www.mozilla.org/security/known-vulnerabilities/firefox30.html

>> I see only one reason to force the upgrade of a stock package with a
>> newer version, and it is precisely the lack of support (or patches)
>> from the upstream packager.
>
> But for Mozilla based packages the patches are available, it's just that
> they are in a different branch and have to be backported. This may not
> be ideal, but the situation is hardly worse than with the Linux kernel.

Yes, a backported package is better than nothing, I agree.

>> Hopefully there is "backports" holding these packages, but for Mozilla
>> products (which are included in the regular repo) it should not be
>> needed - to be backported - at all: lenny users should have received
>> the 3.5 release by means of the security repo.
>
> So that half of their installed extensions are broken after the upgrade?
> Does not seem to be a very good idea to me.

I prefer having no extensions at all to browsing the web with an
unsupported browser :-). Anyway, you could choose not to update Iceweasel
and keep the old branch...

Greetings,

-- 
Camaleón

Archive: http://lists.debian.org/pan.2010.11.05.16.48...@gmail.com