Re: Re: On Mozilla-* updates

2005-08-31 Thread James Strandboge
> Be prepared for reality, in half a year or in one year, there won't be > 1.0.x Mozilla Firefox packages anymore that build on Debian stable. > At least that's what I anticipate. I can say that I still backport mozilla-firefox for my woody users (I am the maintainer of the gnome2.2 backport for w

Re: On Mozilla-* updates

2005-08-05 Thread Matthias Westphal
1) why wasn't there a DSA about this problem? oops, sorry, guess I misunderstood: "The security team informs the users about _security_problems_ by posting security advisories about Debian packages on this list." (http://lists.debian.org/debian-security-announce/) nvm

Re: On Mozilla-* updates

2005-08-04 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote: > Read this thread again. We do need an DSA. Gruss Bernd -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: On Mozilla-* updates

2005-08-04 Thread Norbert Tretkowski
* Matthias Westphal wrote: > 2) why wasn't firefox 1.04 removed off the package list immediately > if the problem couldn't be fixed in time? Read this thread again. Norbert

Re: On Mozilla-* updates

2005-08-03 Thread Matthias Westphal
Hi, regarding the security problems of firefox in stable I have the following questions: 1) why wasn't there a DSA about this problem? 2) why wasn't firefox 1.04 removed off the package list immediately if the problem couldn't be fixed in time? IMHO keeping firefox 1.04 for about 3 months gives a

Re: On Mozilla-* updates

2005-08-03 Thread Michael Stone
On Wed, Aug 03, 2005 at 03:25:37PM -0700, Thomas Bushnell BSG wrote: What is wrong with volatile? It's for exactly this case. No, it's not. Mike Stone

Re: On Mozilla-* updates

2005-08-03 Thread Thomas Bushnell BSG
Frans Pop <[EMAIL PROTECTED]> writes: > On Thursday 04 August 2005 00:39, Thomas Bushnell BSG wrote: >> Frans Pop <[EMAIL PROTECTED]> writes: >> > On Thursday 04 August 2005 00:25, Thomas Bushnell BSG wrote: >> >> What is wrong with volatile? It's for exactly this case. >> > >> > No it is not. vo

Re: On Mozilla-* updates

2005-08-03 Thread Frans Pop
On Thursday 04 August 2005 00:39, Thomas Bushnell BSG wrote: > Frans Pop <[EMAIL PROTECTED]> writes: > > On Thursday 04 August 2005 00:25, Thomas Bushnell BSG wrote: > >> What is wrong with volatile? It's for exactly this case. > > > > No it is not. volatile-sloppy [1] may be (if that's implemente

Re: On Mozilla-* updates

2005-08-03 Thread Thomas Bushnell BSG
Frans Pop <[EMAIL PROTECTED]> writes: > On Thursday 04 August 2005 00:25, Thomas Bushnell BSG wrote: >> What is wrong with volatile? It's for exactly this case. > > No it is not. volatile-sloppy [1] may be (if that's implemented). > > [1] http://lists.debian.org/debian-devel-announce/2005/05/msg0

Re: On Mozilla-* updates

2005-08-03 Thread Frans Pop
On Thursday 04 August 2005 00:25, Thomas Bushnell BSG wrote: > What is wrong with volatile? It's for exactly this case. No it is not. volatile-sloppy [1] may be (if that's implemented). [1] http://lists.debian.org/debian-devel-announce/2005/05/msg00016.html

Re: On Mozilla-* updates

2005-08-03 Thread Thomas Bushnell BSG
Mathieu JANIN <[EMAIL PROTECTED]> writes: > I was thinking about a policy for managing packages built around "never > patched" software like Moz/FireFox. > Volatile and Security repositories do not fit for that, everybody agrees > with that. What is wrong with volatile? It's for exactly this ca

Re: On Mozilla-* updates

2005-08-03 Thread Thomas Bushnell BSG
Adeodato Simó <[EMAIL PROTECTED]> writes: > * Thomas Bushnell BSG [Tue, 02 Aug 2005 16:07:08 -0700]: > >> It would be very nice if Mozilla would publish to distributions like >> ours a description of the security problem, and then a separate patch >> for that specific problem. > > "Publish to di

Re: On Mozilla-* updates

2005-08-03 Thread Ben Bucksch
Matt Zimmerman wrote: Ben has now explained that this is in fact not sufficient. No, I have not. Please read again what I wrote. There is clearly a communication gap. And it's not on my end. You still haven't answered my very specific questions about your problems and what you want. -

Re: On Mozilla-* updates

2005-08-03 Thread Alexander Sack
Jeff wrote: > > So if the dependency information is correct (I have attached the > dependencies that I examined), one application: enigmail, and six > locales would break by using an update to fix the security issue. > We can arrange that enigmail and those locales won't break - it's quite simple

Re: On Mozilla-* updates

2005-08-03 Thread Matt Zimmerman
On Wed, Aug 03, 2005 at 06:51:59PM +0200, Ben Bucksch wrote: > Matt Zimmerman wrote: > > >Ben has now explained that this is in fact not sufficient. > > > > > No, I have not. Please read again what I wrote. > > >There is clearly a communication gap. > > > And it's not on my end. You still haven'

Re: On Mozilla-* updates

2005-08-03 Thread Jeff
What exactly breaks if the update to v1.06 is applied, as upstream recommends? I realise you are seeking a general solution. I believe that we need case specific information. This will enable us to evaluate any proposed general solutions, with the illumination of real facts. Actually, I see th

Re: On Mozilla-* updates

2005-08-03 Thread Matt Zimmerman
On Wed, Aug 03, 2005 at 01:01:40PM +0100, antgel wrote: > Matt Zimmerman wrote: > > You're welcome to attempt to convince the Mozilla project to change > > the way that they work for the benefit of distribution security teams. If I > > recall correctly, others have unsuccessfully attempted this in

Re: On Mozilla-* updates

2005-08-03 Thread Matt Zimmerman
On Wed, Aug 03, 2005 at 02:51:04PM +0200, Ben Bucksch wrote: > antgel wrote: > > >2) Mozilla security patches are not easy to find and isolate. > > > >Ben has disputed this, saying that we should be able to extract all > >necessary patches. Public ones from > >http://www.mozilla.org/projects/secu

Re: On Mozilla-* updates

2005-08-03 Thread Michael Stone
On Wed, Aug 03, 2005 at 01:01:40PM +0100, antgel wrote: You'll note that I _have_ volunteered, fwiw. So stop discussing and start doing... Mike Stone

Re: On Mozilla-* updates

2005-08-03 Thread Ben Bucksch
antgel wrote: 2) Mozilla security patches are not easy to find and isolate. Ben has disputed this, saying that we should be able to extract all necessary patches. Public ones from http://www.mozilla.org/projects/security/known-vulnerabilities.html then bugzilla, and embargoed ones via mdz.

RE: On Mozilla-* updates

2005-08-03 Thread Mathieu JANIN
Hi. (excuse me in advance for my bad English or French barbarisms :) ) I was thinking about a policy for managing packages built around "never patched" software like Moz/FireFox. Volatile and Security repositories do not fit for that, everybody agrees with that. So: Sid version would try and fol

Re: On Mozilla-* updates

2005-08-03 Thread Paul Gear
David Ehle wrote: > ... > What I don't want to > see is this discussion drag on eternally on > woe-is-me-they-wont-play-like-i-like-i-hate-change fashion, It's too late for that... ;-) -- Paul

Re: On Mozilla-* updates

2005-08-03 Thread Jan Luehr
Greetings, On Tuesday, 2 August 2005 12:39, Jeff wrote: > > Joey, > > > > Working from the following assumptions: > > * it is possible to include Mozilla in Debian stable, > > * extracting security patches from upstream is not practical, > > > > and ignoring the interesting, but extraneous threads

Re: On Mozilla-* updates

2005-08-03 Thread Alexander Sack
Willi Mann wrote: > >> Even when there is no ABI/API change, packages that depend on Mozilla >> generally depend on exact version numbers. I do not know on which >> side the bug lies, but if you are saying that a new galeon package is >> not necessary when a compatible mozilla shows up, my experi

Re: On Mozilla-* updates

2005-08-03 Thread Willi Mann
Even when there is no ABI/API change, packages that depend on Mozilla generally depend on exact version numbers. I do not know on which side the bug lies, but if you are saying that a new galeon package is not necessary when a compatible mozilla shows up, my experience is that this is very ofte

Re: On Mozilla-* updates

2005-08-02 Thread Michael Stone
On Tue, Aug 02, 2005 at 07:28:00PM -0500, David Ehle wrote: This is not a rant, it's cutting through the horse crap. If what I am suggesting is already policy then why are we having this discussion? Why was there ever an unsecure version of Mozilla in Woody? Nobody took the initiative to creat

Re: On Mozilla-* updates

2005-08-02 Thread David Ehle
> > Did you realize before this rant that this is already the policy, and has > been documented in the Security Team FAQ for several years now? This is not a rant, it's cutting through the horse crap. If what I am suggesting is already policy then why are we having this discussion? Why was there

Re: On Mozilla-* updates

2005-08-02 Thread Ben Bucksch
Adeodato Simó wrote: "Publish to distributions" is effectively the same as making it completely public, so they won't. Wrong.

Re: On Mozilla-* updates

2005-08-02 Thread Alexander Sack
Thomas Bushnell BSG wrote: > Alexander Sack <[EMAIL PROTECTED]> writes: > > >>Matt Zimmerman wrote: >> >>>I'm guessing that you're not going to volunteer on the manpower side, and I >>>don't think that it would be a good way to spend resources even if we had >>>them. You're welcome to attempt to

Re: On Mozilla-* updates

2005-08-02 Thread Ben Bucksch
Thomas Bushnell BSG wrote: It would be very nice if Mozilla would publish to distributions like ours a description of the security problem, and then a separate patch for that specific problem. 1. You to be going to

Re: On Mozilla-* updates

2005-08-02 Thread Adeodato Simó
* Thomas Bushnell BSG [Tue, 02 Aug 2005 16:07:08 -0700]: > It would be very nice if Mozilla would publish to distributions like > ours a description of the security problem, and then a separate patch > for that specific problem. "Publish to distributions" is effectively the same as making it

Re: On Mozilla-* updates

2005-08-02 Thread Ben Bucksch
Matt Zimmerman wrote: To organize their development processes such that patches can be backported with a reasonable amount of effort. I wrote a response, but deleted it, because I simply don't understand what you mean. Please be concrete, very very concrete. I'm in Los Angeles, California,

Re: On Mozilla-* updates

2005-08-02 Thread Michael Stone
On Tue, Aug 02, 2005 at 03:25:23PM -0700, Matt Zimmerman wrote: Can Mozilla 1.7.11 even be *built* on woody, much less upgrade seamlessly from Mozilla 1.0.0? For the purposes of this discussion I think we can ignore woody--that ship sailed a *long* time ago. I'd like to see us fix sarge before

Re: On Mozilla-* updates

2005-08-02 Thread Matt Zimmerman
On Wed, Aug 03, 2005 at 01:11:59AM +0200, Frank Wein wrote: > Matt Zimmerman wrote: > >On Wed, Aug 03, 2005 at 12:08:10AM +0200, Ben Bucksch wrote: > >>BTW: Where are you located physically? Maybe you can meet with > >>mozilla.orgians in person. I think you'll like Daniel Veditz in > >>particular

Re: On Mozilla-* updates

2005-08-02 Thread Frank Wein
Matt Zimmerman wrote: On Wed, Aug 03, 2005 at 12:08:10AM +0200, Ben Bucksch wrote: BTW: Where are you located physically? Maybe you can meet with mozilla.orgians in person. I think you'll like Daniel Veditz in particular. And Mozilla Foundation needs more of the SPI spirit than the OSAF spirit

Re: On Mozilla-* updates

2005-08-02 Thread Thomas Bushnell BSG
John Hardcastle <[EMAIL PROTECTED]> writes: > I agree with David's suggestion to just put the latest releases from > Mozilla into Debian Stable. This is what volatile is for. Indeed, it was the very first and best example of why we want volatile.

Re: On Mozilla-* updates

2005-08-02 Thread Thomas Bushnell BSG
Alexander Sack <[EMAIL PROTECTED]> writes: > Matt Zimmerman wrote: >> >> I'm guessing that you're not going to volunteer on the manpower side, and I >> don't think that it would be a good way to spend resources even if we had >> them. You're welcome to attempt to convince the Mozilla project to

Re: On Mozilla-* updates

2005-08-02 Thread John Hardcastle
I agree with David's suggestion to just put the latest releases from Mozilla into Debian Stable. I installed Mozilla 1.7.11 yesterday and it is working fine. Mozilla IS my main app. I'm using Debian/GNU Linux from Knoppix 3.7 that I remastered and upgraded to Debian Stable. I'm running with ker

Re: On Mozilla-* updates

2005-08-02 Thread Alexander Sack
Matt Zimmerman wrote: > > I'm guessing that you're not going to volunteer on the manpower side, and I > don't think that it would be a good way to spend resources even if we had > them. You're welcome to attempt to convince the Mozilla project to change > the way that they work for the benefit of

Re: On Mozilla-* updates

2005-08-02 Thread Matt Zimmerman
On Wed, Aug 03, 2005 at 12:08:10AM +0200, Ben Bucksch wrote: > Matt Zimmerman wrote: > >You're welcome to attempt to convince the Mozilla project to change > >the way that they work for the benefit of distribution security teams. > > > I don't even know what exactly you do want the Mozilla project

Re: On Mozilla-* updates

2005-08-02 Thread Ben Bucksch
Matt Zimmerman wrote: I'm guessing that you're not going to volunteer on the manpower side Actually, he did, in the previous posting. Which is admirable, because this is a dauntingly huge task (and he seems semi-aware of it) - in the area of a few hours *per week*, on average. mozilla.org (an

Re: On Mozilla-* updates

2005-08-02 Thread Matt Zimmerman
On Tue, Aug 02, 2005 at 04:39:21PM -0500, David Ehle wrote: > The solution to this problem is simple. We change the meaning of stable > to "stable except for such cases as security demands upgrading versions > rather than backporting patches." > > We can dilly dally about it all we want but this i

Re: On Mozilla-* updates

2005-08-02 Thread David Ehle
The solution to this problem is simple. We change the meaning of stable to "stable except for such cases as security demands upgrading versions rather than backporting patches." And then leave the old insecure version of the package in place as . We can dilly dally about it all we want but this

Re: On Mozilla-* updates

2005-08-02 Thread Matt Zimmerman
On Tue, Aug 02, 2005 at 09:04:01PM +0100, antgel wrote: > Matt Zimmerman wrote: > > Have you been following this discussion? That is exactly what we have been > > killing ourselves doing for the past few years. It is a _losing battle_. > > I've been following a fair bit of the discussion, but i

Re: On Mozilla-* updates

2005-08-02 Thread Noah Meyerhans
On Tue, Aug 02, 2005 at 09:56:12PM +0200, Petter Reinholdtsen wrote: > > [Noah Meyerhans] > >> How about actually maintaining them? > > > > That's exactly what I think we should do. > > Is this "we" as in you, or "we" as in someone else? "We" as in "all of us who have been suggesting that we all

Re: On Mozilla-* updates

2005-08-02 Thread Petter Reinholdtsen
[Noah Meyerhans] >> How about actually maintaining them? > > That's exactly what I think we should do. Is this "we" as in you, or "we" as in someone else?

Re: On Mozilla-* updates

2005-08-02 Thread Matt Zimmerman
On Tue, Aug 02, 2005 at 08:15:22PM +0100, antgel wrote: > Matt Zimmerman wrote: > > the issue is that they often don't apply to versions which are a few > > months old. > > Not automatically, but perhaps if we had a dedicated team of a few people > who can code, we could manually mould them to the

Re: On Mozilla-* updates

2005-08-02 Thread Noah Meyerhans
On Tue, Aug 02, 2005 at 10:09:13AM -0700, Thomas Bushnell BSG wrote: > >> > IMHO, sloppy security support (by uploading new upstream versions) is > >> > better than no security support. > >> > >> Are you prepared to make sure all the packages that depend on mozilla > >> will have packages ready to

Re: On Mozilla-* updates

2005-08-02 Thread Thomas Bushnell BSG
Willi Mann <[EMAIL PROTECTED]> writes: > [Thomas, I'm not sure if you are on the debian-security list, so I'm CCing > you] > >> Are you prepared to make sure all the packages that depend on mozilla >> will have packages ready to enter at once? > > This would only be necessary in case of an API/AB

Re: On Mozilla-* updates

2005-08-02 Thread Thomas Bushnell BSG
Noah Meyerhans <[EMAIL PROTECTED]> writes: > On Mon, Aug 01, 2005 at 04:57:31PM -0700, Thomas Bushnell BSG wrote: >> > IMHO, sloppy security support (by uploading new upstream versions) is >> > better than no security support. >> >> Are you prepared to make sure all the packages that depend on mo

Re: On Mozilla-* updates

2005-08-02 Thread Matt Zimmerman
On Tue, Aug 02, 2005 at 02:29:51PM +0200, Moritz Muehlenhoff wrote: > If the isolated patches were pulled from Mozilla Bugzilla by Matt Zimmermann > (who appears to be Debian's Mozilla security delegate) and published as part > of a DSA this would point to the core of each vulnerability and make e

Re: On Mozilla-* updates

2005-08-02 Thread Willi Mann
[Thomas, I'm not sure if you are on the debian-security list, so I'm CCing you] Are you prepared to make sure all the packages that depend on mozilla will have packages ready to enter at once? This would only be necessary in case of an API/ABI change, right? The mozilla people have shown to c

Re: On Mozilla-* updates

2005-08-02 Thread Moritz Muehlenhoff
In gmane.linux.debian.devel.security, you wrote: > Looking at how 1.0.5 was binary-incompatible with 1.0.4 I can only > assert that the community has failed already. Although I'm not sure how an "accidential API change" can slip through any kind of Mozilla QA, it has at least been corrected in 1.0

Re: On Mozilla-* updates

2005-08-02 Thread Moritz Muehlenhoff
In gmane.linux.debian.devel.security, you wrote: >> Mozilla *appears* to have no interest in supply patches which >> *only* fix security holes to distributors. Their line is more >> "upgrade to the newest version". Whilst the new versions do >> fix the holes, they traditionally also break t

Re: On Mozilla-* updates

2005-08-02 Thread Jeff
Joey, Working from the following assumptions: * it is possible to include Mozilla in Debian stable, * extracting security patches from upstream is not practical, and ignoring the interesting, but extraneous threads, What exactly breaks if the update to v1.06 is applied, as upstream recommends?

Re: On Mozilla-* updates

2005-08-02 Thread Jeff
it seems that less than two months after the release of sarge it is not possible to support Mozilla, Thunderbird, Firefox (and probably Galeon) packages anymore. (in terms of fixing security related problems) Unfortunately the Mozilla Foundation does not provide dedicated and clean patches for

Re: On Mozilla-* updates

2005-08-02 Thread Nicolas Rachinsky
* Stefano Salvi <[EMAIL PROTECTED]> [2005-08-02 09:38 +0200]: > Nicolas Rachinsky wrote: > >The desktop used to administrate a server needs less security? Weakest > >link? > I prefer to have no X on the server and administer it from command line > or Web interfaces (command line is better). > I th

Re: On Mozilla-* updates

2005-08-02 Thread Stefano Salvi
Nicolas Rachinsky wrote: * Stefano Salvi <[EMAIL PROTECTED]> [2005-08-02 09:16 +0200]: It's sure that a server must have a higher security score than a desktop system, but it also needs different functionalities. The desktop used to administrate a server needs less security? Weakest link? I

Re: On Mozilla-* updates

2005-08-02 Thread Nicolas Rachinsky
* Stefano Salvi <[EMAIL PROTECTED]> [2005-08-02 09:16 +0200]: > It's sure that a server must have a higher security score than a > desktop system, but it also needs different functionalities. The desktop used to administrate a server needs less security? Weakest link? Nicolas

Re: On Mozilla-* updates

2005-08-02 Thread Stefano Salvi
Michael Stone wrote: On Mon, Aug 01, 2005 at 09:29:24AM +0200, Stefano Salvi wrote: I think that two kinds of people are interested in Debian: - Ones who want Security - Ones who want Stability I can't even understand this statement. What kind of person is interested in "stability" which wil

Re: On Mozilla-* updates

2005-08-01 Thread Noah Meyerhans
On Mon, Aug 01, 2005 at 04:57:31PM -0700, Thomas Bushnell BSG wrote: > > IMHO, sloppy security support (by uploading new upstream versions) is > > better than no security support. > > Are you prepared to make sure all the packages that depend on mozilla > will have packages ready to enter at once?

Re: On Mozilla-* updates

2005-08-01 Thread Thomas Bushnell BSG
Willi Mann <[EMAIL PROTECTED]> writes: > IMHO, sloppy security support (by uploading new upstream versions) is > better than no security support. Are you prepared to make sure all the packages that depend on mozilla will have packages ready to enter at once?

Re: On Mozilla-* updates

2005-08-01 Thread Dale Amon
On Mon, Aug 01, 2005 at 09:29:24AM +0200, Stefano Salvi wrote: > I think that two kinds of people are interested in Debian: > - Ones who want Security > - Ones who want Stability While not an unreasonable part of an analysis, I would posit these are at least second level criteria for systems users

Re: On Mozilla-* updates

2005-08-01 Thread Matt Zimmerman
On Mon, Aug 01, 2005 at 03:11:05PM +0200, Alexander Sack wrote: > Adeodato Simó wrote: > > Assuming you meant s/mozilla/ubuntu/ above: > > > > http://lists.debian.org/debian-devel/2005/07/msg01586.html > > http://lists.debian.org/debian-devel/2005/08/msg00012.html > > > > No, I meant M

Re: On Mozilla-* updates

2005-08-01 Thread Matt Zimmerman
On Mon, Aug 01, 2005 at 09:55:03AM +0200, Jan Luehr wrote: > Have I said so? I've tried to point out, that debian is "an universal > operating system" - as proclaimed on the homepage. > So at least here is a common consensus for the purpose of debian. In fact there is a controversy over that labe

Re: On Mozilla-* updates

2005-08-01 Thread Ben Bucksch
Hi Martin, thanks for raising this publicly. Sorry if I sound provocative here, but this discussion has a history for me. As I have said for several years, the only practical way for Debian to stay up-to-date with Mozilla security updates is to stay current with the latest "stable" release. Fo

Re: On Mozilla-* updates

2005-08-01 Thread Florian Weimer
* Geoff Crompton: >> >> For these packages, help and/or advice is appreciated. >> > > Can we try to get a DD involved in the mozilla security team? Presumably > when they become aware of a security issue, there is some discussion > about the problem and how to fix it. Access at this level may ma

Re: On Mozilla-* updates

2005-08-01 Thread Alexander Sack
Adeodato Simó wrote: > * Alexander Sack [Mon, 01 Aug 2005 13:25:42 +0200]: > > >>since you are a member of the mozilla security team, what are your >>experiences? >>Have you ever tried to work with them to improve their security process? What >>was the outcome? What were the problems? > > >

Re: On Mozilla-* updates

2005-08-01 Thread Adeodato Simó
* Alexander Sack [Mon, 01 Aug 2005 13:25:42 +0200]: > since you are a member of the mozilla security team, what are your > experiences? > Have you ever tried to work with them to improve their security process? What > was the outcome? What were the problems? Assuming you meant s/mozilla/ubuntu

Re: On Mozilla-* updates

2005-08-01 Thread Frank Wein
Alexander Sack wrote: > Just start to do it on your own and you will soon realize that this whole > thing is not as simple. The only guys that can do it properly are the mozilla > developers ... by documenting and aggregating patches that are > actual

Re: On Mozilla-* updates

2005-08-01 Thread Michael Stone
On Mon, Aug 01, 2005 at 09:29:24AM +0200, Stefano Salvi wrote: I think that two kinds of people are interested in Debian: - Ones who want Security - Ones who want Stability I can't even understand this statement. What kind of person is interested in "stability" which will get their machine comp

Re: On Mozilla-* updates

2005-08-01 Thread Alexander Sack
Matt, since you are a member of the mozilla security team, what are your experiences? Have you ever tried to work with them to improve their security process? What was the outcome? What were the problems? Cheers,

Re: On Mozilla-* updates

2005-08-01 Thread Alexander Sack
On Mon, Aug 01, 2005 at 11:42:04AM +0200, Frank Wein wrote: > As an example let's take the Bug # from that blog post, Bug 294795. > Now let's construct a query and see what we can get. First open > http://bonsai.mozilla.org/cvsqueryform.cgi, now in the Branch field you > have to enter AVIARY_1_0_1

Re: On Mozilla-* updates

2005-08-01 Thread Jan Luehr
Greetings, On Monday, 1 August 2005 11:53, Bernd Eckenfels wrote: > In article <[EMAIL PROTECTED]> you wrote: > > If I recommend to use another operating system for a more special > > purpose, what's wrong here? > > It is just the wrong answer in a discussion where we look to improve > Debian. I

Re: On Mozilla-* updates

2005-08-01 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote: > If I recommend to use another operating system for a more special purpose, > what's wrong here? It is just the wrong answer in a discussion where we look to improve Debian. I think it is valid to point to other systems for learning their weakness or st

Re: On Mozilla-* updates

2005-08-01 Thread Frank Wein
Martin Schulze wrote: > Moin, > > it seems that less than two months after the release of sarge it is > not possible to support Mozilla, Thunderbird, Firefox (and probably > Galeon) packages anymore. (in terms of fixing security related > problems) >

Re: On Mozilla-* updates

2005-08-01 Thread Jan Luehr
Greetings, On Monday, 1 August 2005 05:47, Matt Zimmerman wrote: > On Sun, Jul 31, 2005 at 02:03:28PM +0200, Jan Luehr wrote: > > On Sunday, 31 July 2005 09:49, Bernd Eckenfels wrote: > > > No but I think most of the desktop packages suffer from the slow > > > release cycle. > > > > Debian is

Re: On Mozilla-* updates

2005-08-01 Thread Stefano Salvi
Vincent Bernat wrote: OoO During the television news of Sunday 31 July 2005, around 20:29, "Nikita V. Youshchenko" <[EMAIL PROTECTED]> said: Requiring users to install an important component (which Mozilla is) from other sources is a bad idea in this context. I think it should not b

Re: On Mozilla-* updates

2005-08-01 Thread Nikita V. Youshchenko
> > Requiring users to install an important component (which Mozilla is) > > from other sources is a bad idea in this context. I think it should > > not be the way how Debian solves its problems. > > For supporting this point, Firefox is ranked 244 on popcon. Konqueror > is 545. I'm afraid popco

Re: On Mozilla-* updates

2005-07-31 Thread Vincent Bernat
OoO During the television news of Sunday 31 July 2005, around 20:29, "Nikita V. Youshchenko" <[EMAIL PROTECTED]> said: > Requiring users to install an important component (which Mozilla is) from > other sources is a bad idea in this context. I think it should not be the > way how Debian

Re: On Mozilla-* updates

2005-07-31 Thread Nikita V. Youshchenko
> > Mozilla.org policy is probably out of our control. > > However, our way of doing things is not. > > Is Mozilla.org policy out of our control? If there was enough pressure > on them to provide isolated security fixes they might actually do it. > Perhaps they don't have any clue that this is a m

Re: On Mozilla-* updates

2005-07-31 Thread Matt Zimmerman
On Sun, Jul 31, 2005 at 02:03:28PM +0200, Jan Luehr wrote: > On Sunday, 31 July 2005 09:49, Bernd Eckenfels wrote: > > No but I think most of the desktop packages suffer from the slow release > > cycle. > > Debian is not primarily intended for being used as a desktop system. If > you are up to

Re: On Mozilla-* updates

2005-07-31 Thread Micah Anderson
Sorry for the email with the maligned from address in that last message (debian-security@lists.debian.org), I'm trying out mozilla-thunderbird with a virtual identity extension that seems to construct odd from lines, that message was not from debian-security@lists.debian.org, so don't take it as su

Re: On Mozilla-* updates

2005-07-31 Thread Jan Luehr
Greetings, On Monday, 1 August 2005 00:03, Micah wrote: > Nikita V. Youshchenko wrote: > >>There won't be _any_ Debian solution with the current mozilla.org policy. > > > > Not exactly. Correct statement is, '... with the current mozilla.org > > policy AND Debian traditional way of doing things'

Re: On Mozilla-* updates

2005-07-31 Thread Nikita V. Youshchenko
> On Sun, Jul 31, 2005 at 10:29:46PM +0400, Nikita V. Youshchenko wrote: >> >> Requiring users to install an important component (which Mozilla is) from >> other sources is a bad idea in this context. I think it should not be the >> way how Debian solves its problems. > > in the case of mozilla

Re: On Mozilla-* updates

2005-07-31 Thread Jan Luehr
Greetings, On Sunday, 31 July 2005 22:49, Michael Stone wrote: > On Sun, Jul 31, 2005 at 10:30:27PM +0200, Horst Pflugstaedt wrote: > >it happened to Mozilla and woody: upstream made mozilla depend on a > >newer libc. There was no way to install a new mozilla on old stable. > > I'd say worry ab

Re: On Mozilla-* updates

2005-07-31 Thread Jan Luehr
Greetings, On Sunday, 31 July 2005 20:29, Nikita V. Youshchenko wrote: > >> > Mozilla and even Galeon are not essential parts of debian - > >> > alternatives exist (Konqueror, links, lynx, w3m, etc) Not shipping > >> > 'em will hardly restrict debian users in their everyday life. > >> > >>

Re: On Mozilla-* updates

2005-07-31 Thread Micah
Nikita V. Youshchenko wrote: >>There won't be _any_ Debian solution with the current mozilla.org policy. > > > Not exactly. Correct statement is, '... with the current mozilla.org policy > AND Debian traditional way of doing things'. > > I agree with this statement. > I see the problem. > > Th

Re: On Mozilla-* updates

2005-07-31 Thread Jan Luehr
Greetings, On Sunday, 31 July 2005 20:37, Nikita V. Youshchenko wrote: > >> Otherwise I might as well go run Suse or Fedora, or do static > >> Knoppix installs each has one OR the other. > > > > I don't see, why Fedora is more insecure than debian right now. > > Furthermore, if you are up to us

Re: On Mozilla-* updates

2005-07-31 Thread Michael Stone
On Sun, Jul 31, 2005 at 10:30:27PM +0200, Horst Pflugstaedt wrote: it happened to Mozilla and woody: upstream made mozilla depend on a newer libc. There was no way to install a new mozilla on old stable. I'd say worry about that when it actually comes up. backports managed to keep mozilla going

Re: On Mozilla-* updates

2005-07-31 Thread Horst Pflugstaedt
On Sun, Jul 31, 2005 at 10:29:46PM +0400, Nikita V. Youshchenko wrote: > > Requiring users to install an important component (which Mozilla is) from > other sources is a bad idea in this context. I think it should not be the > way how Debian solves its problems. in the case of mozilla this is not

Re: On Mozilla-* updates

2005-07-31 Thread Nikita V. Youshchenko
>> > Mozilla and even Galeon are not essential parts of debian - >> > alternatives exist (Konqueror, links, lynx, w3m, etc) Not shipping 'em >> > will hardly restrict debian users in their everyday life. >> >> It will. >> There is a large number of sites that mozilla renders correctly, while >>

Re: On Mozilla-* updates

2005-07-31 Thread Nikita V. Youshchenko
>> Otherwise I might as well go run Suse or Fedora, or do static >> Knoppix installs each has one OR the other. > > I don't see, why Fedora is more insecure than debian right now. > Furthermore, if you are up to use linux workstation in a productive > environment you should consider using Red Hat

Re: On Mozilla-* updates

2005-07-31 Thread Jan Luehr
Greetings, On Sunday, 31 July 2005 18:54, antgel wrote: > Jan Luehr wrote: > > Greetings, > > > > On Sunday, 31 July 2005 09:49, Bernd Eckenfels wrote: > >>In article <[EMAIL PROTECTED]> you wrote: > >>>Despite of the fact, the release is probably unable to match the > >>>mozilla release

Re: On Mozilla-* updates

2005-07-31 Thread Andreas Barth
* Steve Kemp ([EMAIL PROTECTED]) [050731 20:00]: > On Sun, Jul 31, 2005 at 06:18:18PM +0100, antgel wrote: > > Any chance of an elaboration? I wasn't privy to any previous discussion > > on this and I'm interested. What's the problem with searching bugzilla > > for security patches on given vers

Re: On Mozilla-* updates

2005-07-31 Thread Steve Kemp
On Sun, Jul 31, 2005 at 06:18:18PM +0100, antgel wrote: > Any chance of an elaboration? I wasn't privy to any previous discussion > on this and I'm interested. What's the problem with searching bugzilla > for security patches on given versions, and applying them? Is it the > sheer volume?

Re: On Mozilla-* updates

2005-07-31 Thread Michael Stone
On Sun, Jul 31, 2005 at 06:18:18PM +0100, antgel wrote: on this and I'm interested. What's the problem with searching bugzilla for security patches on given versions, and applying them? Go ahead and try it. Many people have said it's a hard problem and you don't seem to believe it. I suppose t

Re: On Mozilla-* updates

2005-07-31 Thread Michael Stone
On Sun, Jul 31, 2005 at 10:57:06AM +0400, Nikita V. Youshchenko wrote: Moving mozilla&co out of Debian will not make situation with security of debian installations better. Users will have to install packages themselves from different sources, and manually check for new security problems; Actua

Re: On Mozilla-* updates

2005-07-31 Thread Michael Stone
On Sat, Jul 30, 2005 at 04:47:17PM +0200, Martin Schulze wrote: Looking at how 1.0.5 was binary-incompatible with 1.0.4 I can only assert that the community has failed already. I disagree--the problem was noted and 1.0.6 was released to correct that. Do you want to assert that DSA's never have

Re: On Mozilla-* updates

2005-07-31 Thread Michael Stone
On Sat, Jul 30, 2005 at 02:35:10PM +0100, antgel wrote: Is it really so difficult to backport the security fixes? Yes. Mike Stone
