On Mozilla-* updates


Re: On Mozilla-* updates

Jan Luehr-10
Greetings,

On Sunday, 31 July 2005 09:49, Bernd Eckenfels wrote:
> In article <[hidden email]> you wrote:
> > Despite the fact that the release is probably unable to match the
> > mozilla release cycles - do you really think mozilla is the one and only
> > package debian is all about? Well, I mean the killer application, the
> > thing that justifies Debian?
>
> No but I think most of the desktop packages suffer from the slow release
> cycle.

Debian is not primarily intended for being used as a desktop system. If you
are up to desktop centric usage, you should probably run Ubuntu instead.

Keep smiling
yanosz


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]


Re: On Mozilla-* updates

Jan Luehr-10
In reply to this post by Nikita V. Youshchenko-3
Greetings,

On Sunday, 31 July 2005 08:57, Nikita V. Youshchenko wrote:
> > Well, if so, why not exclude mozilla from official debian releases? - I
> > mean: Kick it out.
> > Mozilla and even Galeon are not essential parts of debian -
> > alternatives exist (Konqueror, links, lynx, w3m, etc). Not shipping 'em
> > will hardly restrict debian users in their everyday life.
>
> It will.
> There is a large number of sites that mozilla renders correctly, while
> other listed browsers don't, especially in non-latin segment of the net.

So, you really think that having to install mozilla from external sources
restricts their users in their everyday life?
There are a lot of distributions out there, and debian stable is certainly not
targeting newbies like Knoppix or suse are doing.

> I'm having konqueror as my primary browser, and I face this problem on
> regular basis.


> Moving mozilla&co out of Debian will not make situation with security of
> debian installations better.

Of course, it will - at least, it won't hurt most of them.
Debian ships a *dangerous* mozilla, putting the user in *danger* without a
warning.
If debian stops shipping mozilla, these users won't be in danger anymore.

> Users will have to install packages themselves
> from different sources,

Yes.

> and manually check for new security problems;

As they have to do now. So is it a problem to follow mozilla-sec-announce, if
you're following debian-sec-announce already?


> in  
> many cases this will result in vulnerable packages kept untouched.

Really? The current situation will do as well. Furthermore, it keeps packages
untouched, even if users care about security and read debian-sec-announce
daily!

> So it is
> not a way of fixing security problem, but just moving the problem from
> Debian to its users - which is definitely against SC ('debian supports
> its users').

Well wait, these users already have this kind of problem. Debian is unable
to ship a correct mozilla - as proven in woody.
We'll avoid putting them in danger when we tell them we won't ship mozilla for
security reasons.

> Situation is even worse because of binary incompatibilities,
> and complex dependency structure of affected packages like galeon. Users
> will need to have advanced technical knowledge to solve a security issue on
> their systems while keeping the systems usable.
> I believe some Debian-level solution is required.

There won't be _any_ Debian solution with the current mozilla.org policy.
Debian simply cannot extend lifetime from months (or weeks as we've seen) up
to years, if the mozilla project is _unable_ to do so as well.

> If following traditional debian way (backporting security patches to stable
> versions) is impossible, another way should be followed, while keeping
> Debian quality standards as much as possible.

> Something like the following:
> (1). A new upstream mozilla should be uploaded to some location that all
> stable users are strongly advised to have in their sources.list [maybe
> security.d.o. maybe proposed-updates],

Well, well, well, you cannot just put upstream versions into stable as you
might do with unstable. That's quite naive.

> (2). If binary incompatibility is detected,

... which is most probably going to happen...

> these packages should conflict
> with incompatible versions of all packages in Debian that depend on

So you provide mozilla, but throw other packages away? I see no reason for
doing so. You argue, that removing packages from will hurt users and should
not be done.... now you are doing the same.
Even if you don't consider removing them for long term, at this moment these
packages will depend on mozilla and conflict with mozilla at the same time.
And even if you put in some mozilla-firefox-1.0.6-1uptrream packages, which
will turn into a mozilla-firefox-1.0.6-1-upstream-tested package after some
weeks, users will be more confused than just telling them, they have to find
a mozilla distributor on their own.

> packages being uploaded, and a compatible version of these packages should
> be uploaded to the same location.

That might lead to the scenario I pointed out already. You might
have two different versions of gnome in stable, maintained at the same time.
Consider the chaos and amount of work.

> (3). If binary incompatibility is detected later (so only (1) was done and
> not (2)), a new upload should happen with both (1) and (2).

I don't think, that this is going to work.

Keep smiling
yanosz



Re: On Mozilla-* updates

David Ehle
In reply to this post by Jan Luehr-10

> Despite the fact that the release is probably unable to match the mozilla
> release cycles - do you really think mozilla is the one and only package
> debian is all about? Well, I mean the killer application, the thing that
> justifies Debian?
>
> Keep smiling
> yanosz
>

For my end users, who have been switched from Windows and Outlook? Yes.
Mozilla IS the Killer App that justifies Debian on their desktop.

Kicking mozilla out is just not an option.

Having insecure apps in stable is also not an option.

I like the moral/social parts of debian as much as the next guy, but
as an admin responsible for the security of my systems, security.debian.org
is the biggest draw of debian stable. Knowing that I can depend on stable
to stay stable AND secure is what makes it our OS and distribution of
choice.  Otherwise I might as well go run Suse or Fedora, or do static
Knoppix installs; each has one OR the other.




Re: On Mozilla-* updates

David Ehle
In reply to this post by Jan Luehr-10
>
> Debian is not primarily intended for being used as a desktop system. If you
> are up to desktop centric usage, you should probably run Ubuntu instead.
>
> Keep smiling
> yanosz
>

I can't disagree with this statement more.

We have been using Debian on desktops for at least 6 years. There was no
Ubuntu, or Knoppix.  I have seen no change in the debian docs that say "we
are now a server distro only".  It may be that you only use debian on your
servers, and so are not concerned with desktop/workstation installs, but
including the beamline control and data analysis systems we have over 75
"sit down" systems.  Debian in MY opinion is as much a desktop distro as
it is a server distro, and support for both is equally important.

David.



Re: On Mozilla-* updates

Jan Luehr-10
Well, hello first of all,...

On Sunday, 31 July 2005 15:11, David Ehle wrote:

> > Debian is not primarily intended for being used as a desktop system. If
> > you are up to desktop centric usage, you should probably run Ubuntu
> > instead.
> >
>
> I can't disagree with this statement more.
>
> We have been using Debian on desktops for at least 6 years. There was no
> Ubuntu, or Knoppix.  I have seen no change in the debian docs that say "we
> are now a server distro only".

Who says that?

> It may be that you only use debian on your
> servers, and so are not concerned with desktop/workstation installs, but
> including the beamline control and data analysis systems we have over 75
> "sit down" systems.  Debian in MY opinion is as much a desktop distro as
> it is a server distro, and support for both is equally important.

What is - quite true, and as I'm is not primarily intended to use it as a
Desktop system.
Debian is a "universal operating" system. Desktop and server usage are only
two instances of using debian.

Keep smiling
yanosz



Re: On Mozilla-* updates

Jan Luehr-10
In reply to this post by David Ehle
Greetings,

On Sunday, 31 July 2005 14:51, David Ehle wrote:
> > Despite the fact that the release is probably unable to match the
> > mozilla release cycles - do you really think mozilla is the one and only
> > package debian is all about? Well, I mean the killer application, the
> > thing that justifies Debian?

>
> For my end users, who have been switched from Windows and Outlook? Yes.
> Mozilla IS the Killer App that justifies Debian on their desktop.

Mozilla can be run on nearly every OS running on modern workstations.
I don't see why running mozilla is the primary purpose of debian.

Even if so, mozilla can be added to debian, and if done so, the security
standard of each installation will drastically improve, if you update mozilla
on your own.

> Kicking mozilla out is just not an option.
>
> Having insecure apps in stable is also not an option.

So - this is quite contradictory, isn't it?
Mozilla, as provided in debian is not secure and as provided in upstream
clashes hard with the debian way of patching and releasing security updates.

History shows that mozilla - as long as mozilla.org continues their patch
policy - won't be able to provide patches as needed by the debian developers.
Therefore debian will be unable to ship secure mozilla packages.

> I like the moral/social parts of debian as much as the next guy, but
> as an admin responsible for the security of my systems, security.debian.org
> is the biggest draw of debian stable. Knowing that I can depend on stable
> to stay stable AND secure is what makes it our OS and distribution of
> choice.

If you've been following this list, and if you've been following
debian-sec-ann for some months, it must have come to your mind, that debian
is not able to provide security in some certain areas, like mozilla.

> Otherwise I might as well go run Suse or Fedora, or do static
> Knoppix installs; each has one OR the other.

I don't see, why Fedora is more insecure than debian right now.
Furthermore, if you are up to use linux workstation in a productive
environment you should consider using Red Hat Enterprise Linux as well.


Keep smiling
yanosz



Re: On Mozilla-* updates

Jan Luehr-10
In reply to this post by Jan Luehr-10
Greetings,

On Sunday, 31 July 2005 17:37, Jan Luehr wrote:

> Well, hello first of all,...
>
> On Sunday, 31 July 2005 15:11, David Ehle wrote:
> > > Debian is not primarily intended for being used as a desktop system. If
> > > you are up to desktop centric usage, you should probably run Ubuntu
> > > instead.
> >
> > I can't disagree with this statement more.
> >
> > We have been using Debian on desktops for at least 6 years. There was no
> > Ubuntu, or Knoppix.  I have seen no change in the debian docs that say
> > "we are now a server distro only".
>
> Who says that?
>
> > It may be that you only use debian on your
> > servers, and so are not concerned with desktop/workstation installs, but
> > including the beamline control and data analysis systems we have over 75
> > "sit down" systems.  Debian in MY opinion is as much a desktop distro as
> > it is a server distro, and support for both is equally important.

Sorry, I forgot something ;-):

That is quite true, and as I've said Debian is not primarily intended to use
it as a Desktop system.
Debian is a "universal operating system". Desktop and server usage are only
two examples of using debian.

Keep smiling
yanosz



Re: On Mozilla-* updates

Michael Stone-2
In reply to this post by Floris Bruynooghe
On Sat, Jul 30, 2005 at 03:22:53PM +0200, Floris Bruynooghe wrote:
>The problem is much harder when we can't actually have the backports.
>In my opinion it's *maybe* better to just leave the browsers in
>stable as they are and make an announcement to [hidden email]
>or so that their security is sub-optimal or non-existing and if they
>want they can use the new packages from volatile.

IMHO, that's flat-out stupid. If you need the security blanket of not
upgrading your browser you could always put it on hold.

Mike Stone



Re: On Mozilla-* updates

Michael Stone-2
In reply to this post by Joey Schulze
On Sat, Jul 30, 2005 at 02:35:10PM +0100, antgel wrote:
>Is it really so difficult to backport the security fixes?

Yes.

Mike Stone



Re: On Mozilla-* updates

Michael Stone-2
In reply to this post by Joey Schulze
On Sat, Jul 30, 2005 at 04:47:17PM +0200, Martin Schulze wrote:
>Looking at how 1.0.5 was binary-incompatible with 1.0.4 I can only
>assert that the community has failed already.

I disagree--the problem was noted and 1.0.6 was released to correct
that. Do you want to assert that DSA's never have to be reissued because
of bugs?

Mike Stone



Re: On Mozilla-* updates

Michael Stone-2
In reply to this post by Nikita V. Youshchenko-3
On Sun, Jul 31, 2005 at 10:57:06AM +0400, Nikita V. Youshchenko wrote:
>Moving mozilla&co out of Debian will not make situation with security of
>debian installations better. Users will have to install packages themselves
>from different sources, and manually check for new security problems;

Actually no. firefox itself indicates if you need an update. At this
point you're actually better off running an upstream firefox with the
"tell me if I'm out of date" feature than you are running the debian
version.

Mike Stone



Re: On Mozilla-* updates

Steve Kemp
In reply to this post by Michael Stone-2
On Sun, Jul 31, 2005 at 06:18:18PM +0100, antgel wrote:

> Any chance of an elaboration?  I wasn't privy to any previous discussion
> on this and I'm interested.  What's the problem with searching bugzilla
> for security patches on given versions, and applying them?  Is it the
> sheer volume?


        http://kitenet.net/~joey/blog/entry/bug_hiding_systems-2005-07-30-06-25.html

  Summary:  Even when new fixed packages are available the original
 bugs reported in Mozilla's BugZilla system are non public, as are
 patches.

  Mozilla *appears* to have no interest in supplying patches which
 *only* fix security holes to distributors.  Their line is more
 "upgrade to the newest version".  Whilst the new versions do
 fix the holes, they traditionally also break things built against
 them, such as extensions, galeon, etc.

  Which is why we're seeing the problem now.

Steve
--



Re: On Mozilla-* updates

Michael Stone-2
In reply to this post by Michael Stone-2
On Sun, Jul 31, 2005 at 06:18:18PM +0100, antgel wrote:
>on this and I'm interested.  What's the problem with searching bugzilla
>for security patches on given versions, and applying them?

Go ahead and try it. Many people have said it's a hard problem and you
don't seem to believe it. I suppose that the best way to become
convinced is to simply start the process.

Mike Stone



Re: On Mozilla-* updates

Andreas Barth
In reply to this post by Steve Kemp
* Steve Kemp ([hidden email]) [050731 20:00]:
> On Sun, Jul 31, 2005 at 06:18:18PM +0100, antgel wrote:

> > Any chance of an elaboration?  I wasn't privy to any previous discussion
> > on this and I'm interested.  What's the problem with searching bugzilla
> > for security patches on given versions, and applying them?  Is it the
> > sheer volume?

> http://kitenet.net/~joey/blog/entry/bug_hiding_systems-2005-07-30-06-25.html
>
>   Summary:  Even when new fixed packages are available the original
>  bugs reported in Mozilla's BugZilla system are non public, as are
>  patches.
>
>   Mozilla *appears* to have no interest in supplying patches which
>  *only* fix security holes to distributors.  Their line is more
>  "upgrade to the newest version".  Whilst the new versions do
>  fix the holes, they traditionally also break things built against
>  them, such as extensions, galeon, etc.

I thought some member of the Debian security team has access to the
hidden bug reports. Can't that member extract the relevant patches then?


Cheers,
Andi



Re: On Mozilla-* updates

Jan Luehr-10
In reply to this post by Jan Luehr-10
Greetings,

On Sunday, 31 July 2005 18:54, antgel wrote:

> Jan Luehr wrote:
> > Greetings,
> >
> > On Sunday, 31 July 2005 09:49, Bernd Eckenfels wrote:
> >>In article <[hidden email]> you wrote:
> >>>Despite the fact that the release is probably unable to match the
> >>>mozilla release cycles - do you really think mozilla is the one and
> >>> only package debian is all about? Well, I mean the killer application,
> >>> the thing that justifies Debian?
> >>
> >>No but I think most of the desktop packages suffer from the slow release
> >>cycle.
> >
> > Debian is not primarily intended for being used as a desktop system. If
> > you are up to desktop centric usage, you should probably run Ubuntu
> > instead.
>
> Says who?  I've been running a Debian desktop for years and I wouldn't

I'm not saying that you cannot use debian for desktop work - I'm using sarge
at the moment in order to write this mail.
All I'm trying to say is that debian is not "primarily intended" for desktop
work.
Debian claims to be a "universal operating system" - by that, it can be used
for desktop work. But it was never a principle of debian to create releases
that are intended for desktop work only, or that are desktop-centric, like
SuSE or Red Hat are doing.
By that, compromises have to be made.


Keep smiling
yanosz



Re: On Mozilla-* updates

Nikita V. Youshchenko-3
In reply to this post by Jan Luehr-10
>> > Mozilla and even Galeon are not essential parts of debian -
>> > alternatives exist (Konqueror, links, lynx, w3m, etc). Not shipping 'em
>> > will hardly restrict debian users in their everyday life.
>>
>> It will.
>> There is a large number of sites that mozilla renders correctly, while
>> other listed browsers don't, especially in non-latin segment of the net.
>
> So, you really think that having to install mozilla from external sources
> restricts their users in their everyday life?
> There are a lot of distributions out there, and debian stable is certainly
> not targeting newbies like Knoppix or suse are doing.

I can't disagree that theoretically this is not a restriction.
However, if we go this way, the logical consequence is to drop the distribution
completely and just install everything from upstream.

A strong point of Debian is that it provides a way for users to get a
consistent system in an easy way (and in this field it is better than suse
or whatever, and this is the exact reason why it is better even for newbies
- if they are going to go a few steps further than initial system
installation).

Requiring users to install an important component (which Mozilla is) from
other sources is a bad idea in this context. I think it should not be the
way how Debian solves its problems.

> There won't be _any_ Debian solution with the current mozilla.org policy.

Not exactly. Correct statement is, '... with the current mozilla.org policy
AND Debian traditional way of doing things'.

I agree with this statement.
I see the problem.

The question is - how to solve it.
Mozilla.org policy is probably out of our control.
However, our way of doing things is not.

You suggest - let's stop providing mozilla (and all dependent packages).
So packages that almost all Debian users use will go outside of Debian.

I think - it is better to tune our way to do things to keep with real life
[in form of mozilla.org policy] and still provide our users with consistent
system with minimal effort from their side.

>> Something like the following:
>> (1). A new upstream mozilla should be uploaded to some location that all
>> stable users are strongly advised to have in their sources.list [maybe
>> security.d.o. maybe proposed-updates],
>
> Well, well, well, you cannot just put upstream versions into stable as you
> might do with unstable. That's quite naive.

Why?
What exactly makes it impossible to change our habits and allow new
upstream version into stable _in_ _rare_ _cases_ _when_ _there_ _is_ _no_
_other_ _way_ _to_ _provide_ a HUGE-USED set of packages?  Remember,
"debian supports its users"!

>> (2). If binary incompatibility is detected,
>
> ... which is most probably going to happen...

Do you have enough statistics to make this statement?

>> these packages should conflict
>> with incompatible versions of all packages in Debian that depend on
>
> So you provide mozilla, but throw other packages away?

Of course not. We should provide upgrades for all packages in the set at the
same time.

> I see no reason
> for doing so. You argue, that removing packages from will hurt users and
> should not be done.... now you are doing the same.

No. See above.

>> packages being uploaded, and a compatible version of these packages
>> should be uploaded to the same location.
>
> That might lead to the scenario I pointed out already. You might
> have two different versions of gnome in stable, maintained at the
> same time. Consider the chaos and amount of work.

Why can't things in stable just be recompiled to match updated ABIs? Do APIs
also change in incompatible ways? Is galeon (and other related packages)
upstream as uncooperative as mozilla upstream?

>
>> (3). If binary incompatibility is detected later (so only (1) was done
>> and not (2)), a new upload should happen with both (1) and (2).
>
> I don't think, that this is going to work.

I think it will. At least, the opposite can't be stated before any
estimation of needed effort was done.

Nikita



Re: On Mozilla-* updates

Nikita V. Youshchenko-3
In reply to this post by Jan Luehr-10
>> Otherwise I might as well go run Suse or Fedora, or do static
>> Knoppix installs; each has one OR the other.
>
> I don't see, why Fedora is more insecure than debian right now.
> Furthermore, if you are up to use linux workstation in a productive
> environment you should consider using Red Hat Enterprise Linux as well.

Isn't it a very strange position to suggest to decrease Debian's usability
and ask people to go away from Debian if they don't like it?  Especially on
Debian lists...

The fact is - currently Debian is a very good choice for a large set of use
cases - including desktop, even for newbies.

And yes, keeping this situation requires some work.



Re: On Mozilla-* updates

Horst Pflugstaedt
In reply to this post by Nikita V. Youshchenko-3
On Sun, Jul 31, 2005 at 10:29:46PM +0400, Nikita V. Youshchenko wrote:
>
> Requiring users to install an important component (which Mozilla is) from
> other sources is a bad idea in this context. I think it should not be the
> way how Debian solves its problems.

in the case of mozilla this is not entirely true. I don't see any program
depending on mozilla (and not belonging to the mozilla-family) that
cannot be made dependent on other browsers.
so it might be possible to write a script or dummy package that only
integrates an upstream-mozilla in the current debian-system (just like
those scripts that do the same for sun or ibm jre):
- user/admin installs mozilla from upstream
- installs mozilla-dummy
- runs `gimme-mozilla-upstream --make-it-default-browser`
- is - more or less - happy.

The job for Debian would then be to
- take care the script doesn't break anything
- take care it works with current releases of mozilla. (as long as
  current mozilla runs on debian)

> >> (2). If binary incompatibility is detected,
> >
> > ... which is most probably going to happen...
>
> Do you have enough statistics to make this statement?

it happened to Mozilla and woody: upstream made mozilla depend on a
newer libc. There was no way to install a new mozilla on old stable.

As a matter of fact things like this will happen again. it's just a
matter of time.

>
> >> these packages should conflict
> >> with incompatible versions of all packages in Debian that depend on
> >
> > So you provide mozilla, but throw other packages away?
>
> Of course not. We should provide upgrades for all packages in the set at the
> same time.

this will be, as already has been said, a hard job, should one of these
packages be one of the core libraries or packages (like libc,
gnome-something or others). Some packages have a really huge set of
dependencies, one way or the other.


g'night
Horst

--
Whistler: "I want peace on earth and good will toward man."
Abbott: "Oh, this is ridiculous!"
Bishop: "He's serious."
Whistler: "I want peace on earth and goodwill towards men."
Abbott: "We're the United States Government! We don't do that sort of
thing!"
Bishop: "You're just gonna have to try."
Abbott: "All right, I'll see what I can do!"
Whistler: "Thank you very much. That's all I ask."



Re: On Mozilla-* updates

Michael Stone-2
On Sun, Jul 31, 2005 at 10:30:27PM +0200, Horst Pflugstaedt wrote:
>it happened to Mozilla and woody: upstream made mozilla depend on a
>newer libc. There was no way to install a new mozilla on old stable.

I'd say worry about that when it actually comes up. backports managed to
keep mozilla going on woody for a reasonably long time, IMO.

Mike Stone



Re: On Mozilla-* updates

Nikita V. Youshchenko-3
In reply to this post by Horst Pflugstaedt


> On Sun, Jul 31, 2005 at 10:29:46PM +0400, Nikita V. Youshchenko wrote:
>>
>> Requiring users to install an important component (which Mozilla is) from
>> other sources is a bad idea in this context. I think it should not be the
>> way how Debian solves its problems.
>
> in the case of mozilla this is not entirely true. I don't see any program
> depending on mozilla (and not belonging to the mozilla-family) that
> cannot be made dependent on other browsers.

Let me repeat.
There are lots of sites - especially in non-latin segment of the net - for
which mozilla/firefox is the only free browser that renders those
correctly.
So mozilla is important by itself, not as a dependency satisfier.

> so it might be possible to write a script or dummy package that only
> integrates an upstream-mozilla in the current debian-system (just like
> those scripts that do the same for sun or ibm jre):
> - user/admin installs mozilla from upstream
> - installs mozilla-dummy
> - runs `gimme-mozilla-upstream --make-it-default-browser`
> - is - more or less - happy.

Such a solution seems ok for users (if made similar to msttcorefonts - apt-get
install xxx and things are there). However, things with heavy dependencies -
like galeon - probably won't work that way.

And I don't see much difference between this approach and allowing new
upstream versions into stable.

>> >> (2). If binary incompatibility is detected,
>> >
>> > ... which is most probably going to happen...
>>
>> Do you have enough statistics to make this statement?
>
> it happened to Mozilla and woody: upstream made mozilla depend on a
> newer libc. There was no way to install a new mozilla on old stable.

Seems that you mix source and binary dependencies. It is possible to
recompile against earlier libc. I doubt it used some libc function not
present in earlier libc versions.

>> >> these packages should conflict
>> >> with incompatible versions of all packages in Debian that depend on
>> >
>> > So you provide mozilla, but throw other packages away?
>>
>> Of course not. We should provide upgrades for all packages in the set at
>> the same time.
>
> this will be, as already has been said, a hard job, should one of these
> packages be one of the core libraries or packages (like libc,
> gnome-something or others).

I'm not suggesting to upload new upstream versions of dependent packages -
I'm assuming that backporting there should be much easier than backporting
mozilla fixes. Maybe a simple recompile, or a trivial fix. And upstream may
be more friendly.

