On Sat, Mar 19, 2016 at 01:45:49AM +0900, Mike Hommey wrote:
> On Fri, Mar 18, 2016 at 05:23:21PM +0200, Henri Sivonen wrote:
> > You say you don't see #5 happening. Do you see #4 happening? If not,
> > what do you see happening?
> 
> At this point, I'm wondering if the best outcome wouldn't be 6) Distros
> die. I'm almost not joking.
> 
> > > LTS distros do update Firefox because there is no way they can support
> > > security updates on older releases (I've done it with 3.5 long enough to
> > > know it's not tractable). But they do it once a year (at every ESR bump),
> > > not every 6 weeks.
> > 
> > This is not the case for Ubuntu LTS. Even Ubuntu 12.04 gets a new
> > Firefox release every six weeks, and there is a package gcc-mozilla
> > that backports a GCC newer than the original GCC in 12.04 as a build
> > dependency:
> > http://archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_45.0+build2-0ubuntu0.12.04.1.dsc
> > 
> > So, clearly, at least in the case of Ubuntu, there is precedent for 1)
> > updating Firefox every six weeks in LTS and 2) the Firefox package
> > having a build dependency on a compiler that's newer than the
> > compilers that originally shipped with the LTS system release.
> > 
> > When I started this thread, I thought the s/IceWeasel/Firefox/ change
> > in Debian involved Debian starting to ship Firefox the way Ubuntu
> > does. For clarity: Is that not the case and Debian will only ship ESR
> > but an ESR that's within Mozilla's support period? I can see how
> > shipping ESR is the closest approximation of compliance with a policy
> > to ship outdated software, but how does ESR address Debian's package
> > dependency issues? If the next ESR requires a compiler that's not in
> > the current Debian stable, what then?
> > 
> > Looking at 
> > https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#browser-security
> > , it seems that Debian users get a more up-to-date Blink than Gecko.
> > If that policy is any indication, if ESR didn't exist, Gecko would get
> > the same deal as Blink... In other words, it looks like Debian
> > penalizes Gecko relative to Blink because ESR exists. :-(
> 
> Well, at some point Blink wasn't even in stable. I'm actually surprised
> that it is now. But as a matter of fact, Debian's old stable is not
> receiving Blink/Chromium updates (it's stuck on 37), while it receives
> updates for Iceweasel (it has 38.7 as or writing, will receive 38.8, and
> 45.2 after that)

Note that this is why Blink/Chromium can get away with very frequent updates
in stable and not Iceweasel/Firefox:

$ grep-dctrl -sPackage -FDepends chromium --and --not -FSource chromium-browser 
/var/lib/apt/lists/ftp.jp.debian.org_debian_dists_jessie_main_binary-amd64_Packages
| wc -l
2

(one is http://chromium-bsu.sourceforge.net/, the other is mozplugger,
which... sounds like a mistake... I think it's an NPAPI plugin)


$ grep-dctrl -sPackage -FDepends iceweasel --and --not -FSource iceweasel 
/var/lib/apt/lists/ftp.jp.debian.org_debian_dists_jessie_main_binary-amd64_Packages
| wc -l
64

Iceweasel/Firefox is part of an ecosystem.

Mike
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Reply via email to