On Mozilla-* updates

131 messages

Re: On Mozilla-* updates

Thomas Bushnell, BSG-2
Mathieu JANIN <[hidden email]> writes:

> I was thinking about a policy for managing packages built around "never
> patched" software like Moz/FireFox.
> Volatile and Security repositories do not fit for that, everybody agrees
> with that.

What is wrong with volatile?  It's for exactly this case.


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]


Re: On Mozilla-* updates

Frans Pop
On Thursday 04 August 2005 00:25, Thomas Bushnell BSG wrote:
> What is wrong with volatile?  It's for exactly this case.

No it is not. volatile-sloppy [1] may be (if that's implemented).

[1] http://lists.debian.org/debian-devel-announce/2005/05/msg00016.html


Re: On Mozilla-* updates

Thomas Bushnell, BSG-2
Frans Pop <[hidden email]> writes:

> On Thursday 04 August 2005 00:25, Thomas Bushnell BSG wrote:
>> What is wrong with volatile?  It's for exactly this case.
>
> No it is not. volatile-sloppy [1] may be (if that's implemented).
>
> [1] http://lists.debian.org/debian-devel-announce/2005/05/msg00016.html

I read that, and I read more importantly volatile.debian.net, and I
don't see any indication there of why gaim upgrades (or mozilla ones)
are not allowed in volatile.  

Thomas



Re: On Mozilla-* updates

Frans Pop
On Thursday 04 August 2005 00:39, Thomas Bushnell BSG wrote:
> Frans Pop <[hidden email]> writes:
> > On Thursday 04 August 2005 00:25, Thomas Bushnell BSG wrote:
> >> What is wrong with volatile?  It's for exactly this case.
> >
> > No it is not. volatile-sloppy [1] may be (if that's implemented).
>
> I read that, and I read more importantly volatile.debian.net, and I
> don't see any indication there of why gaim upgrades (or mozilla ones)
> are not allowed in volatile.

From volatile.debian.net:
  volatile is not "just another place" for backports, but should only
  contain changes to stable programs that are necessary to keep them
          ^^^^^^^^^^^^^^^^^^^^^^^^^^
  functional;

Changes to stable programs <> new upstream versions (in principle).

As a rule, only changes to data files are accepted. Packaging changes are
also not acceptable in principle.


Re: On Mozilla-* updates

Thomas Bushnell, BSG-2
Frans Pop <[hidden email]> writes:

> On Thursday 04 August 2005 00:39, Thomas Bushnell BSG wrote:
>> Frans Pop <[hidden email]> writes:
>> > On Thursday 04 August 2005 00:25, Thomas Bushnell BSG wrote:
>> >> What is wrong with volatile?  It's for exactly this case.
>> >
>> > No it is not. volatile-sloppy [1] may be (if that's implemented).
>>
>> I read that, and I read more importantly volatile.debian.net, and I
>> don't see any indication there of why gaim upgrades (or mozilla ones)
>> are not allowed in volatile.
>
> From volatile.debian.net:
>   volatile is not "just another place" for backports, but should only
>   contain changes to stable programs that are necessary to keep them
>           ^^^^^^^^^^^^^^^^^^^^^^^^^^
>   functional;
>
> Changes to stable programs <> new upstream versions (in principle).

I'm not sure I understand this.  In the case of gaim, it's in fact
specifically necessary to "keep it functional": you can't connect to
yahoo IM once the protocol's been changed.  This is even worse than
the virus scanner problem, where at least you can continue to detect
old viruses with the old definitions.

> As a rule, only changes to data files are accepted. Packaging changes are
> also not acceptable in principle.

Nothing about the documentation suggests this, and when I advocated
for volatile.debian.org, it was not with such tight restrictions.  At
least the documentation should describe the *actual* criteria.



Re: On Mozilla-* updates

Michael Stone-2
In reply to this post by Thomas Bushnell, BSG-2
On Wed, Aug 03, 2005 at 03:25:37PM -0700, Thomas Bushnell BSG wrote:
>What is wrong with volatile?  It's for exactly this case.

No, it's not.

Mike Stone



Re: On Mozilla-* updates

Matthias Westphal
In reply to this post by Thomas Bushnell, BSG-2
Hi,

Regarding the security problems of firefox in stable I have the following
questions:

1) Why wasn't there a DSA about this problem?
2) Why wasn't firefox 1.04 removed off the package list immediately if
the problem couldn't be fixed in time? IMHO keeping firefox 1.04 for
about 3 months gives a wrong impression of a secure system.
3) Are there any other packages with known security holes in stable?

TIA



Re: On Mozilla-* updates

Norbert Tretkowski-3
* Matthias Westphal wrote:
> 2) why wasn't firefox 1.04 removed off the package list immediately
> if the problem couldn't be fixed in time?

Read this thread again.

Norbert



Re: On Mozilla-* updates

Bernd Eckenfels
In article <[hidden email]> you wrote:
> Read this thread again.

We do need a DSA.

Gruss
Bernd



Re: On Mozilla-* updates

Matthias Westphal
In reply to this post by Matthias Westphal
> 1) why wasn't there a DSA about this problem?
Oops, sorry, guess I misunderstood:
"The security team informs the users about _security_problems_ by
posting security advisories about Debian packages on this list."
(http://lists.debian.org/debian-security-announce/)

nvm



Re: Re: On Mozilla-* updates

James Strandboge
In reply to this post by Joey Schulze
> Be prepared for reality, in half a year or in one year, there won't be
> 1.0.x Mozilla Firefox packages anymore that build on Debian stable.
> At least that's what I anticipate.

I can say that I still backport mozilla-firefox for my woody users (I am
the maintainer of the gnome2.2 backport for woody) with no problems.

Though I understand your concerns, a possible option might be to supply
upstream packages until the point at which they cannot be provided
anymore (if that point is even reached).  Additionally, debian-security
can work with the debian maintainer to provide debconf warnings about
possible incompatibilities or upgrade issues.

As a user, I would be ok with upgrading if I knew what to expect.  As an
admin, I would be happy to know that my users are using a browser with
no known vulnerabilities.

Jamie Strandboge

