On Fri, 05 Nov 2010 19:48:04 +0100, Sven Joachim wrote:

> On 2010-11-05 17:48 +0100, Camaleón wrote:
>
>> Do you think Debian packages include all these bug fixes?
>>
>> http://www.mozilla.org/security/known-vulnerabilities/firefox30.html
>
> No, MFSA 2009-11 is not fixed (that is a Firefox-only bug). The others
> should be fixed, but I did not check everything myself.

I've just remembered the Lenny Release Notes:

http://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#mozilla-security

So, I wonder what is the current/real security status for Iceweasel.

I do not know why Mozilla products have to follow a different path than other products. For instance, would Debian security policy allow leaving an old package that is not maintained anymore upstream?

<dreaming mode on>

Let's imagine for a moment that SpamAssassin drops support (=no more security patches) for its 3.2.x branch... Lenny users will be highly exposed to any security flaw that can affect the old/unmaintained branch. Shouldn't they be updated to the latest/maintained upstream package via standard security updates?

Let's face the situation:

1/ No updating means several servers running lenny are at risk of being exploited.

2/ Updating to the new branch can break current setups but a notice about the branch change and detailed steps on how to perform the change could prevent users from breaking their current setup.

I, for myself, prefer to get the updated package, perform the upgrade, carefully read the docs to get a soft transition to the new branch and keep my e-mail server secure (remember that lenny has still a long full year of support).

</dreaming mode off>

That was a hypothetical situation but it is what has happened with Mozilla products.

I mean, knowing that Mozilla has a very quick development strategy, wouldn't it be preferable to care about that instead of just warning the users in Release Notes and leaving them in a kind of limbo?

Greetings,

--
Camaleón