On Mozilla-* updates

131 messages

Re: On Mozilla-* updates

Jan Luehr-10
Greetings,

On Sunday, 31 July 2005 20:37, Nikita V. Youshchenko wrote:

> >> Otherwise I might as well go run Suse or Fedora, or do static
> >> Knoppix installs each has one OR the other.
> >
> > I don't see why Fedora is more insecure than Debian right now.
> > Furthermore, if you are going to use a Linux workstation in a production
> > environment you should consider using Red Hat Enterprise Linux as well.
>
> Isn't it a very strange position to suggest to decrease Debian's usability
> and ask people to go away from Debian if they don't like it?  Especially on
> Debian lists...

Do you actually think I decrease Debian's usability if I'm trying to keep
harm away from Debian users?

Furthermore, this is debian-security, not debian-user, debian-kde or
whatever. It is the nature of this list to look at issues from a security
point of view.

> The fact is - currently Debian is a very good choice for a large set of use
> cases - including desktop, even for newbies.

I cannot disagree more here. Having followed the deb-sec discussions for years:
Debian is highly *dangerous*, especially if used by newbies. Mozilla (as
often used by newbies), the kernel (essential for every server) and probably
Samba have (or had, concerning Samba) been important issues for months
or years in woody.

Thus it is foolish to recommend Debian stable to newbies, who are mostly
unaware of what they are doing.

> And yes, keeping this situation requires some work.

Well, if you really want to keep the situation and want to achieve woody's
situation, further discussion is hopeless, I guess.
Mozilla in Debian has been a catastrophe for years.

Anyway, if you want to make Debian stable (not Debian flavours like Ubuntu,
Knoppix, etc.) suitable for complete Linux newbies, a lot of work will have
to be done, assuming it's even possible, and ignoring the probably dramatic
side effects these steps might have upon other areas of use.

Keep smiling
yanosz


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]


Re: On Mozilla-* updates

Debian Security mailing list
In reply to this post by Nikita V. Youshchenko-3
Nikita V. Youshchenko wrote:

>>There won't be _any_ Debian solution with the current mozilla.org policy.
>
>
> Not exactly. Correct statement is, '... with the current mozilla.org policy
> AND Debian traditional way of doing things'.
>
> I agree with this statement.
> I see the problem.
>
> The question is - how to solve it.
> Mozilla.org policy is probably out of our control.
> However, our way of doing things is not.
>

Is Mozilla.org policy out of our control? If there was enough pressure
on them to provide isolated security fixes they might actually do it.
Perhaps they don't have any clue that this is a major issue for some of
the largest linux distributions, and if they knew it was they might
devote some energy towards being more friendly to their neighbors. Has
anyone any definitive information, or is it just speculation? Has anyone
actually spoken to people at Mozilla.org about this problem?

micah



Re: On Mozilla-* updates

Jan Luehr-10
In reply to this post by Nikita V. Youshchenko-3
Greetings,

On Sunday, 31 July 2005 20:29, Nikita V. Youshchenko wrote:

> >> > Mozilla and even Galeon are not essential parts of Debian;
> >> > alternatives exist (Konqueror, links, lynx, w3m, etc.). Not shipping
> >> > 'em will hardly restrict Debian users in their everyday life.
> >>
> >> It will.
> >> There is a large number of sites that mozilla renders correctly, while
> >> other listed browsers don't, especially in non-latin segment of the net.
> >
> > So, you really think that having to install Mozilla from external sources
> > restricts their users in their everyday life?
> > There are a lot of distributions out there and Debian stable is certainly
> > not targeting newbies like Knoppix or SUSE are doing.
>
> I can't disagree that theoretically this is not a restriction.
> However, if we go this way, logical consequence is to drop the distribution
> completely and just install everything from upstream.

Rubbish. Mozilla is a special case; it combines various issues:

- It parses and executes untrusted data (e.g. web pages). Thus special care
regarding security has to be taken.
- Mozilla is very complex, even more complex than emacs imho. Thus
backporting patches is a tough business.
- Mozilla is also used for rather sensitive things, like online banking,
purchasing, etc.; therefore extra care has to be taken to protect its users.
- The Mozilla development cycle is rather dirty. ABI / API changes are nearly
an everyday business. (Just think about the 1.0.5 / 1.0.6 issue; however, I
was still unable to install any xpis like adblock with the German build,
while the standard (English) build went fine today.)
- The Mozilla roadmap is unreliable and changes rapidly. Branches that ought
to be maintained became obsolete, new ones were introduced, and new versions
come out in a short time (compared to Debian releases).

Hence Mozilla doesn't fit into Debian. It's simple, perhaps hard to accept
for some users, accepted by some since woody, but obvious as well.

> A strong point of Debian is that it provides a way for users to get a
> consistent system in an easy way (and in this field it is better than SUSE
> or whatever, and this is the exact reason why it is better even for newbies
> - if they are going to go a few steps further than initial system
> installation).

OK, how do you define a consistent system? Have you ever counted how many
browsers are currently shipped with Debian? So that's the deal? Encouraging
users to use Evolution instead of Mozilla Mail?
Encouraging them to use Konqueror, w3m, etc. instead of Firefox?
I mean, we won't prevent them from installing Debian; they can do as they like.

> Requiring users to install an important component (which Mozilla is) from
> other sources is a bad idea in this context. I think it should not be the
> way how Debian solves its problems.

The Mozilla way of solving problems clashes with the Debian way; they even
have their "you should update" feature, creating an easy way for users to
update their system.

> > There won't be _any_ Debian solution with the current mozilla.org policy.
>
> Not exactly. Correct statement is, '... with the current mozilla.org policy
> AND Debian traditional way of doing things'.
> I agree with this statement.
> I see the problem.
>
> The question is - how to solve it.
> Mozilla.org policy is probably out of our control.
> However, our way of doing things is not.

Any Debian solution will require massive changes in Debian release policy,
development policy, etc. and will have negative side effects on other Debian
components.
There are other distributions, even Debian-flavoured ones, which are
handling it another way, more suitable to Mozilla.

> You suggest - let's stop providing mozilla (and all dependent packages).
> So packages that almost all Debian users use will go outside of Debian.

No.
For a lot of users (like me) Debian has _practically_ stopped shipping Mozilla
when they stopped shipping useful Mozilla builds.
I'm suggesting to make clear that Debian has stopped doing so.

> I think - it is better to tune our way to do things to keep with real life
> [in form of mozilla.org policy] and still provide our users with consistent
> system with minimal effort from their side.
>
> >> Something like the following:
> >> (1). A new upstream mozilla should be uploaded to some location that all
> >> stable users are strongly advised to have in their sources.list [maybe
> >> security.d.o. maybe proposed-updates],
> >
> > Well, well, well, you cannot just put upstream versions into stable as
> > you might do with unstable. That's quite naive.
>
> Why?
> What exactly makes it impossible to change our habits and allow a new
> upstream version into stable _in_ _rare_ _cases_ _when_ _there_ _is_ _no_
> _other_ _way_ _to_ _provide_ a HUGE-USED set of packages?  Remember,
> "Debian supports its users"!

This _is_ happening in Debian unstable. So if you, and other users, really
want to live at the bleeding edge of development, it's up to them to run
unstable.
Putting hardly tested packages in stable is insane; it'll most certainly
break other things.

> >> (2). If binary incompatibility is detected,
> >
> > ... which is most probably going to happen...
>
> Do you have enough statistics to make this statement?

Follow the discussion on Mozilla in woody.
The binary incompatibility happened before Debian was able to provide a single
DSA on the many bugs Mozilla has suffered since the release of woody.

> >> these packages should conflict
> >> with incompatible versions of all packages in Debian that depend on
> >
> > So you provide mozilla, but throw out other packages away?
>
> Of course no. We should provide upgrades for all packages in the set at the
> same time.
>
> > I see no reason
> > for doing so. You argue, that removing packages from will hurt users and
> > should not be done.... now you are doing same.
>
> No. See above.

Putting a package in a depending and conflicting relationship to other packages
at the same time does mean removing the package!

> >> packages being uploaded, and a compatible version of these packages
> >> should be uploaded to the same location.
> >
> > That might lead to the scenario I pointed out already. You might
> > end up having two different versions of GNOME in stable, maintained at
> > the same time. Consider the chaos and amount of work.
>
> Why can't things in stable just be recompiled to match updated ABIs? Do APIs
> also change in incompatible ways?

Yes.

> Is galeon (and other related packages)
> upstream also as uncooperative as Mozilla upstream?

Yes - this is most likely to happen.

> >> (3). If binary incompatibility is detected later (so only (1) was done
> >> and not (2)), a new upload should happen with both (1) and (2).
> >
> > I don't think, that this is going to work.
>
> I think it will. At least, the opposite can't be stated before any
> estimation of needed effort was done.

Then go on and do some.

Keep smiling
yanosz



Re: On Mozilla-* updates

Jan Luehr-10
In reply to this post by Michael Stone-2
Greetings,

On Sunday, 31 July 2005 22:49, Michael Stone wrote:
> On Sun, Jul 31, 2005 at 10:30:27PM +0200, Horst Pflugstaedt wrote:
> >it happened to Mozilla and woody: upstream made mozilla depend on a
> >newer libc. There was no way to install a new mozilla on old stable.
>
> I'd say worry about that when it actually comes up. backports managed to
> keep mozilla going on woody for a reasonably long time, IMO.

AFAIK it was a galeon not a libc issue.

Keep smiling
yanosz



Re: On Mozilla-* updates

Jan Luehr-10
In reply to this post by Debian Security mailing list
Greetings,

On Monday, 1 August 2005 00:03, Micah wrote:

> Nikita V. Youshchenko wrote:
> >>There won't be _any_ Debian solution with the current mozilla.org policy.
> >
> > Not exactly. Correct statement is, '... with the current mozilla.org
> > policy AND Debian traditional way of doing things'.
> >
> > I agree with this statement.
> > I see the problem.
> >
> > The question is - how to solve it.
> > Mozilla.org policy is probably out of our control.
> > However, our way of doing things is not.
>
> Is Mozilla.org policy out of our control? If there was enough pressure
> on them to provide isolated security fixes they might actually do it.
> Perhaps they don't have any clue that this is a major issue for some of
> the largest linux distributions, and if they knew it was they might
> devote some energy towards being more friendly to their neighbors. Has
> anyone any definitive information, or is it just speculation? Has anyone
> actually spoken to people at Mozilla.org about this problem?

If you are able to understand German (or machine-translated text; I don't
know which is more difficult ;-) this might help you.
http://cert.uni-stuttgart.de/ticker/article.php?mid=1183

I don't have other rather official data on this issue right now.

Keep smiling
yanosz



Re: On Mozilla-* updates

Micah Anderson-2
In reply to this post by Debian Security mailing list
Sorry for the email with the malformed From address in that last message
([hidden email]), I'm trying out mozilla-thunderbird
with a virtual identity extension that seems to construct odd From
lines; that message was not from [hidden email], so
don't take it as such.

micah

On Sun, 31 Jul 2005, Micah wrote:

> Nikita V. Youshchenko wrote:
>
> >>There won't be _any_ Debian solution with the current mozilla.org policy.
> >
> >
> > Not exactly. Correct statement is, '... with the current mozilla.org policy
> > AND Debian traditional way of doing things'.
> >
> > I agree with this statement.
> > I see the problem.
> >
> > The question is - how to solve it.
> > Mozilla.org policy is probably out of our control.
> > However, our way of doing things is not.
> >
>
> Is Mozilla.org policy out of our control? If there was enough pressure
> on them to provide isolated security fixes they might actually do it.
> Perhaps they don't have any clue that this is a major issue for some of
> the largest linux distributions, and if they knew it was they might
> devote some energy towards being more friendly to their neighbors. Has
> anyone any definitive information, or is it just speculation? Has anyone
> actually spoken to people at Mozilla.org about this problem?
>
> micah



Re: On Mozilla-* updates

Matt Zimmerman
In reply to this post by Jan Luehr-10
On Sun, Jul 31, 2005 at 02:03:28PM +0200, Jan Luehr wrote:
> On Sunday, 31 July 2005 09:49, Bernd Eckenfels wrote:
> > No but I think most of the desktop packages suffer from the slow release
> > cycle.
>
> Debian is not primarily intended for being used as a desktop system.  If
> you are up to desktop centric usage, you should probably run Ubuntu
> instead.

Debian isn't _primarily_ intended for any such specific purpose, but that
doesn't mean that it isn't suitable.

Regardless of whether Ubuntu provides a more suitable option for a given
user, I don't think that it's appropriate to make this sort of statement
about Debian when there isn't a consensus within the project to support it.

--
 - mdz



Re: On Mozilla-* updates

Nikita V. Youshchenko-3
In reply to this post by Debian Security mailing list
> > Mozilla.org policy is probably out of our control.
> > However, our way of doing things is not.
>
> Is Mozilla.org policy out of our control? If there was enough pressure
> on them to provide isolated security fixes they might actually do it.
> Perhaps they don't have any clue that this is a major issue for some of
> the largest linux distributions, and if they knew it was they might
> devote some energy towards being more friendly to their neighbors. Has
> anyone any definitive information, or is it just speculation? Has anyone
> actually spoken to people at Mozilla.org about this problem?

I assume that the existence of the initial announcement [1] indicates that
a non-easily-solvable issue exists.

I'm skeptical about pressure on the Mozilla Foundation. They provide a browser
with a sizeable market share, and are big enough to simply ignore any Debian
actions. Something similar to the FDL issue.
Of course, if people have the enthusiasm and energy to bug the Mozilla
Foundation, they should go ahead. But probably not at the cost of removing
Mozilla browsers from Debian (and hurting users).

[1] http://lists.debian.org/debian-security/2005/07/msg00315.html



Re: On Mozilla-* updates

Vincent Bernat
In reply to this post by Nikita V. Youshchenko-3
During the TV news on Sunday, 31 July 2005, at around
20:29, "Nikita V. Youshchenko" <[hidden email]> said:

> Requiring users to install an important component (which Mozilla is) from
> other sources is a bad idea in this context. I think it should not be the
> way how Debian solves its problems.

To support this point: Firefox is ranked 244 on popcon. Konqueror
is 545.
--
panic("bad_user_access_length executed (not cool, dude)");
        2.0.38 /usr/src/linux/kernel/panic.c



Re: On Mozilla-* updates

Nikita V. Youshchenko-3
> > Requiring users to install an important component (which Mozilla is)
> > from other sources is a bad idea in this context. I think it should
> > not be the way how Debian solves its problems.
>
> To support this point: Firefox is ranked 244 on popcon. Konqueror
> is 545.

I'm afraid popcon is not authoritative in this issue. A browser is primarily for
desktops, and desktop users probably don't widely participate in popcon.

Konqueror is installed together with the rest of KDE - actually as a
dependency - and that's why it is rated high.



Re: On Mozilla-* updates

Stefano Salvi-2
In reply to this post by Vincent Bernat
Vincent Bernat wrote:

> During the TV news on Sunday, 31 July 2005, at around
> 20:29, "Nikita V. Youshchenko" <[hidden email]> said:
>
>
>>Requiring users to install an important component (which Mozilla is) from
>>other sources is a bad idea in this context. I think it should not be the
>>way how Debian solves its problems.
>
>
> To support this point: Firefox is ranked 244 on popcon. Konqueror
> is 545.
You have to note that Konqueror is installed by default by the "desktop
environment" task. Everyone using KDE OR GNOME has Konqueror installed
unless uninstalled manually. (The same could be said about Mozilla.)
Firefox is an optional package: whoever installs it has the WILL to install it!
I think that eliminating Mozilla or Firefox (or Thunderbird) would
greatly damage Debian.
I think that two kinds of people are interested in Debian:
- Ones who want Security
- Ones who want Stability
Both appreciate the fine granularity and strong dependency system of
Debian packages, but have different needs.
Cutting one category in favour of the other would be a mistake.
One possible solution is to leave to the user the choice between
maximal security or maximal functionality.

A possible solution could be an option on apt-get to warn when you
install less secure packages, and to provide a feed for "desktop
applications", in the style of the "security" feed, to keep these packages
updated, allowing also version updates.

I know this is not the right place, but I think that merging two desktop
environments (GNOME and KDE) in a single task of tasksel is not a good
thing, as a user usually sticks to one environment, but has a whole
different one installed and never used.

        Stefano



Re: On Mozilla-* updates

Jan Luehr-10
In reply to this post by Matt Zimmerman
Greetings,

On Monday, 1 August 2005 05:47, Matt Zimmerman wrote:

> On Sun, Jul 31, 2005 at 02:03:28PM +0200, Jan Luehr wrote:
> > On Sunday, 31 July 2005 09:49, Bernd Eckenfels wrote:
> > > No but I think most of the desktop packages suffer from the slow
> > > release cycle.
> >
> > Debian is not primarily intended for being used as a desktop system.  If
> > you are up to desktop centric usage, you should probably run Ubuntu
> > instead.
>
> Debian isn't _primarily_ intended for any such specific purpose, but that
> doesn't mean that it isn't suitable.
>
> Regardless of whether Ubuntu provides a more suitable option for a given
> user, I don't think that it's appropriate to make this sort of statement
> about Debian when there isn't a consensus within the project to support it.

Have I said so? I've tried to point out that Debian is "a universal
operating system", as proclaimed on the homepage.
So at least here there is a common consensus for the purpose of Debian.
If I recommend using another operating system for a more special purpose,
what's wrong here?

Keep smiling
yanosz



Re: On Mozilla-* updates

Frank Wein
In reply to this post by Joey Schulze
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin Schulze wrote:

> Hi,
>
> it seems that less than two months after the release of sarge it is
> not possible to support Mozilla, Thunderbird, Firefox (and probably
> Galeon) packages anymore.  (in terms of fixing security related
> problems)
>
> Unfortunately the Mozilla Foundation does not provide dedicated and
> clean patches for security updates but only releases new versions that
> fix tons of security related problems and other stuff that is or may
> be irrelevant for security updates.  As a result, it is extremely
> difficult to get security patches extracted and backported.  This is
> an utter disaster for security teams and distributions that try to
> support their releases.
[...]
> For these packages, help and/or advice is appreciated.

So I don't know if the package maintainers already know this tool
(especially in regard to
http://kitenet.net/~joey/blog/entry/bug_hiding_systems-2005-07-30-06-25.html)
called Bonsai; it can be very useful to extract single patches more or
less easily ;) (even before the new version has been released).
Bonsai keeps a database with all checkins to the CVS repository of
cvs.mozilla.org.
As an example, let's take the bug # from that blog post, Bug 294795.
Now let's construct a query and see what we can get. First open
http://bonsai.mozilla.org/cvsqueryform.cgi; now in the Branch field you
have to enter AVIARY_1_0_1_20050124_BRANCH (that's the
Firefox/Thunderbird 1.0.x branch) and at the bottom of the page you have
to enter "[X] Between 2005-05-11 00:00 and 2005-07-19 23:00". Those two
are the rough dates when FF 1.0.4 and FF 1.0.6 were released. So run the
query and you'll get a list of checkins on that branch between the two
releases; now you search on this page for the bug # (I would say the bug
# is always noted in the checkin comment except when someone forgets it,
but that happens almost never), so 294795. This will point you at the
checkin with the comment "Fixing bug 294795. Don't leave references from
cloned member functions to the scope where xpconnect creates the
functions (safe context). r=bzbarsky[at]mit.edu,
sr=brendan[at]mozilla.org, a=dveditz[at]cruzio.com". Now you could
either manually merge this checkin by clicking on the version in the 4th
column, which will display the diff, or check out the new version from
the CVS mirror (cvs-mirror.mozilla.org), for example by doing "cvs -j1.11
-j1.11.44 -r AVIARY_1_0_1_20050124_BRANCH
mozilla/js/src/xpconnect/src/XPCDispObject.cpp". You can get the version
numbers needed by clicking on the version in the 4th column; you'll see
the versions then noted at the top.

HTH
Frank
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFC7e5raT2V74kAr9URAiJLAKCJJZ7VBFq4BpkS+SZQnleA9g31lwCdF7lM
jec0GUzBiikcv2UaScDK4us=
=e/MW
-----END PGP SIGNATURE-----



Re: On Mozilla-* updates

Bernd Eckenfels
In reply to this post by Jan Luehr-10
In article <[hidden email]> you wrote:
> If I recommend to use another operating system for a more special purpose,
> what's wrong here?

It is just the wrong answer in a discussion where we look to improve Debian.
I think it is valid to point to other systems for learning their weaknesses or
strengths, but it is not valid to consider them as a general solution to a
Debian problem.

That said, I do still think that Ubuntu is better suited for the desktop,
exactly because the software is fresher. And I do think a faster release
schedule would also benefit Debian. We would concentrate much more on the
overall progress. And the divergence from upstream is much less.

Independently from that, I do think Mozilla's bugfix releases should go 1:1
into the distribution. There is no major incompatibility and it is just
wrong to expect the end user to understand about our backporting, especially
with components which are so prominent.

Regards
Bernd



Re: On Mozilla-* updates

Alexander Sack - Debian Bugmail
In reply to this post by Frank Wein
On Mon, Aug 01, 2005 at 11:42:04AM +0200, Frank Wein wrote:

> As an example, let's take the bug # from that blog post, Bug 294795.
> Now let's construct a query and see what we can get. First open
> http://bonsai.mozilla.org/cvsqueryform.cgi; now in the Branch field you
> have to enter AVIARY_1_0_1_20050124_BRANCH (that's the
> Firefox/Thunderbird 1.0.x branch) and at the bottom of the page you have
> to enter "[X] Between 2005-05-11 00:00 and 2005-07-19 23:00". Those two
> are the rough dates when FF 1.0.4 and FF 1.0.6 were released. So run the
> query and you'll get a list of checkins on that branch between the two
> releases; now you search on this page for the bug # (I would say the bug
> # is always noted in the checkin comment except when someone forgets it,
> but that happens almost never), so 294795. This will point you at the
> checkin with the comment "Fixing bug 294795. Don't leave references from
> cloned member functions to the scope where xpconnect creates the
> functions (safe context). r=bzbarsky[at]mit.edu,
> sr=brendan[at]mozilla.org, a=dveditz[at]cruzio.com". Now you could
> either manually merge this checkin by clicking on the version in the 4th
> column, which will display the diff, or check out the new version from
> the CVS mirror (cvs-mirror.mozilla.org), for example by doing "cvs -j1.11
> -j1.11.44 -r AVIARY_1_0_1_20050124_BRANCH
> mozilla/js/src/xpconnect/src/XPCDispObject.cpp". You can get the version
> numbers needed by clicking on the version in the 4th column; you'll see
> the versions then noted at the top.

That's the theory and I am aware of it (and I guess Eric knows Bonsai too).
In fact, I documented the whole ~650k diff for the Thunderbird
1.0.2 to 1.0.6 transition that way. I don't want to look at it again,
but there are definitely checkins that are neither documented to fix some
bug, nor are they obsolete. Not all checkins are directly named that way.
For example, checkins needed to fix some security bug are often documented
as a bug, called a blocker (but not always).

Just start to do it on your own and you will soon realize that this whole
thing is not that simple. The only guys that can do it properly are the Mozilla
developers ...  by documenting and aggregating patches that are
actually applied for each single bug or MFSA. In this way they might even be able
to prevent ABI breakage by accident, like with Thunderbird 1.0.5.


Cheers,
--
 GPG messages preferred.   |  .''`.  ** Debian GNU/Linux **
 Alexander Sack            | : :' :      The  universal
 [hidden email]           | `. `'      Operating System
 http://www.asoftsite.org  |   `-    http://www.debian.org
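A worked version of the Bonsai procedure Frank describes, together with the caveat Alexander raises about checkins that name no bug. This is an added example, not code from the thread, from Mozilla, from Bonsai or from the Debian packages. The checkin records are constructed to mirror the columns of a Bonsai query result (date, author, file, revision, branch, comment); the revisions, author handles and every record after the first comment are invented, and the pipe-separated format, the bug-number regex and the rule for deriving the previous revision are this example's own assumptions. It restricts the checkins to AVIARY_1_0_1_20050124_BRANCH inside the 1.0.4 to 1.0.6 window, keeps those whose comment names bug 294795, works out which revision each one replaced, and prints the `cvs update -j OLD -j NEW` merge for it (the plain update form, without the `-r` Frank adds). It also lists the checkins in the same window whose comment carries no bug number at all, which are the ones that still have to be read by hand.

```python
"""Extract the checkins for one bug from a CVS branch between two release dates.

Added example for this thread, not code from Mozilla, Bonsai or Debian.
Sample records are constructed (Bonsai-like columns, invented revisions).
"""
import re
from datetime import datetime

BRANCH = "AVIARY_1_0_1_20050124_BRANCH"          # Firefox/Thunderbird 1.0.x branch
WINDOW = ("2005-05-11 00:00", "2005-07-19 23:00")  # roughly FF 1.0.4 .. FF 1.0.6

# Constructed sample, one checkin per line: date|author|file|revision|branch|comment
# The first comment quotes the checkin Frank cites; revisions, authors and the
# remaining records are invented for illustration (they are not real history).
CHECKINS = """\
2005-05-20 10:12|jst|mozilla/js/src/xpconnect/src/XPCDispObject.cpp|1.11.2.1|AVIARY_1_0_1_20050124_BRANCH|Fixing bug 294795. Don't leave references from cloned member functions to the scope where xpconnect creates the functions (safe context). r=bzbarsky, sr=brendan, a=dveditz
2005-05-20 10:13|jst|mozilla/js/src/xpconnect/src/xpcprivate.h|1.137.2.3|AVIARY_1_0_1_20050124_BRANCH|Fixing bug 294795, header part of the same landing.
2005-06-02 18:40|bz|mozilla/layout/base/nsPresShell.cpp|1.800.2.2|AVIARY_1_0_1_20050124_BRANCH|Bug 300001, null frame deref in reflow. r=roc, a=dveditz
2005-06-15 09:30|kaie|mozilla/security/nss/lib/ssl/ssl3con.c|1.50.2.4|AVIARY_1_0_1_20050124_BRANCH|Back out previous landing, blocker for 1.0.5. a=dveditz
2005-05-02 09:00|jst|mozilla/js/src/xpconnect/src/XPCDispObject.cpp|1.12|HEAD|Fixing bug 294795 on trunk.
2005-07-25 12:00|jst|mozilla/js/src/jsobj.c|3.200.2.9|AVIARY_1_0_1_20050124_BRANCH|Follow-up for bug 294795, landed after 1.0.6.
"""

# Assumed convention: the bug number follows the word "bug" somewhere in the comment.
BUG_RE = re.compile(r"\bbug\s*#?\s*(\d+)", re.IGNORECASE)


def parse_checkins(text):
    """One dict per record; dates become datetimes so the window compares cleanly."""
    records = []
    for line in text.strip().splitlines():
        date, author, path, rev, branch, comment = line.split("|", 5)
        records.append({"date": datetime.strptime(date, "%Y-%m-%d %H:%M"),
                        "author": author, "path": path, "rev": rev,
                        "branch": branch, "comment": comment})
    return records


def previous_revision(rev):
    """Revision a checkin replaced, so `cvs update -j OLD -j NEW` yields only that
    checkin's delta. File revisions have an even number of components: 1.11 on
    the trunk, 1.11.2.1 on a branch. The first commit on a branch (last
    component 1) replaced the branch point, 1.11 in that case. An odd count such
    as 1.11.2 is a branch number, not a file revision, and is refused."""
    parts = [int(p) for p in rev.split(".")]
    if len(parts) % 2:
        raise ValueError(f"{rev} names a branch, not a file revision")
    if parts[-1] > 1:
        return ".".join(map(str, parts[:-1] + [parts[-1] - 1]))
    if len(parts) == 2:
        return None  # 1.1 is the initial revision; nothing to diff against
    return ".".join(map(str, parts[:-2]))


def in_window(records, branch, window):
    """Mirror the Bonsai query: one branch, one date range (inclusive)."""
    start, end = (datetime.strptime(w, "%Y-%m-%d %H:%M") for w in window)
    return [r for r in records if r["branch"] == branch and start <= r["date"] <= end]


def checkins_for_bug(records, bug, branch, window):
    """Keep the checkins in the window whose comment names the bug number."""
    return [r for r in in_window(records, branch, window)
            if any(int(b) == bug for b in BUG_RE.findall(r["comment"]))]


def unattributed_checkins(records, branch, window):
    """Checkins in the window that name no bug at all: a number search cannot
    find these, so they have to be reviewed one by one."""
    return [r for r in in_window(records, branch, window)
            if not BUG_RE.search(r["comment"])]


def merge_commands(records, bug, branch, window):
    """The `cvs update -j` line that merges each matching checkin on its own."""
    cmds = []
    for r in checkins_for_bug(records, bug, branch, window):
        old = previous_revision(r["rev"])
        if old is None:
            cmds.append(f"cvs update -r {r['rev']} {r['path']}  # new file, no delta to merge")
        else:
            cmds.append(f"cvs update -j{old} -j{r['rev']} {r['path']}")
    return cmds


if __name__ == "__main__":
    recs = parse_checkins(CHECKINS)
    print("# merge commands for bug 294795 on", BRANCH)
    for cmd in merge_commands(recs, 294795, BRANCH, WINDOW):
        print(cmd)
    print("# checkins in the window with no bug number, review by hand:")
    for r in unattributed_checkins(recs, BRANCH, WINDOW):
        print(f"{r['date']:%Y-%m-%d} {r['path']} {r['rev']}: {r['comment']}")
```

Run as-is it prints two merge lines for bug 294795 (the trunk checkin and the follow-up after 1.0.6 are filtered out by branch and date) and one unattributed checkin, the backout on ssl3con.c, which is exactly the kind of change a number search misses. Feeding it real Bonsai output would mean replacing CHECKINS with a scraper for that page's table; the filtering and revision logic stays the same.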



Re: On Mozilla-* updates

Jan Luehr-10
In reply to this post by Bernd Eckenfels
Greetings,

On Monday, 1 August 2005 11:53, Bernd Eckenfels wrote:
> In article <[hidden email]> you wrote:
> > If I recommend to use another operating system for a more special
> > purpose, what's wrong here?
>
> It is just the wrong answer in a discussion where we look to improve
> Debian. I think it is valid to point to other systems for learning their
> weaknesses or strengths, but it is not valid to consider them as a general
> solution to a Debian problem.

If you want to improve Debian you have to consider how Debian is used.
Putting rarely tested upstream packages into stable, as often proposed here,
won't raise the quality of Debian at all.

> That said, I do still think that Ubuntu is better suited for the desktop,
> exactly because the software is fresher. And I do think a faster release
> schedule would also benefit Debian.

But this won't solve the Mozilla case at all. Please consider that in woody
binary incompatibility was reached before any DSAs came out. Please
consider also that the d-s-team surrendered just a few weeks after sarge was
released.

> We would concentrate much more on the
> overall progress. And the diversion to upstream is much less.

Sarge's release happened less than ten weeks ago. I really doubt that it is
possible to have less divergence from upstream.

> Independently from that, I do think Mozilla's bugfix releases should go 1:1
> into the distribution.

As already pointed out by Martin Schulze, there are no clean Mozilla Bugfix
releases.

> There is no major incompatibility and it is just


Looking back at the history of woody, this is not an option and you risk going
on to have dangerous mozilla packages in debian for years.

> wrong to expect the end user to understand about our backporting,
> especially with components which are so prominent.

The end user is in charge of it right now. Since Debian has been unable to
provide secure Mozilla packages for two years (more or less), they have to do
it already.
I really do think that putting Mozilla out of Debian is not a good solution
that will satisfy the users' needs, but it is the one and only solution I can
think of, if mozilla.org is going on the way they have been going for years.
I'm going to write an email to Ben Bucksch and ask if he might consider
joining this discussion - but anyway I certainly doubt that this is going to
make things better.

Keep smiling
yanosz



Re: On Mozilla-* updates

Alexander Sack-7
In reply to this post by Matt Zimmerman
Matt,

since you are a member of the mozilla security team, what are your experiences?
Have you ever tried to work with them to improve their security process? What
was the outcome? What were the problems?

Cheers,
--
 GPG messages preferred.   |  .''`.  ** Debian GNU/Linux **
 Alexander Sack            | : :' :      The  universal
 [hidden email]           | `. `'      Operating System
 http://www.asoftsite.org  |   `-    http://www.debian.org/



Re: On Mozilla-* updates

Michael Stone-2
In reply to this post by Stefano Salvi-2
On Mon, Aug 01, 2005 at 09:29:24AM +0200, Stefano Salvi wrote:
>I think that two kinds of people are interested in Debian:
>- Ones who want Security
>- Ones who want Stability

I can't even understand this statement. What kind of person is
interested in "stability" which will get their machine compromised?
Remember, we're talking about a *web browser* here--the primary purpose
of which is to connect to web sites on the internet. That seems in my
mind to be an application which cries out for some level of security.
And it's not like old versions will disappear forever; if you really need
some kind of pedantic stability just put your browser on hold.

Mike Stone



Re: On Mozilla-* updates

Frank Wein
In reply to this post by Alexander Sack - Debian Bugmail
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alexander Sack wrote:
> Just start to do it on your own and you will soon realize that this whole
> thing is not as simple. The only guys that can do it properly are the mozilla
> developers ...  by documenting and aggregating patches that are
> actually applied for each single bug or mfsa. In this way they might even be able
> to prevent ABI breakage by accident, like with thunderbird 1.0.5.

Just wanted to note that this ABI breakage was caused by human error ;),
the developer ignored(?) the fact that 1.0.x is a stable branch or
thought that because the interface lives in obsolete/ it can be changed,
which is not the case. Also the Mozilla team noticed the ABI change
shortly before shipping, respun the builds with the old ABI, but then
released by accident the builds with the new ABI. The whole release was
a bit too hurried in the end.

Frank
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFC7hqJaT2V74kAr9URAoEPAJ9njED6owfPx7hx/jPcPdX/kLthiwCgoK2C
9H3W+xiYjG6mxtN7ya6RfPU=
=2Rrj
-----END PGP SIGNATURE-----



Re: On Mozilla-* updates

Adeodato Simó
In reply to this post by Alexander Sack-7
* Alexander Sack [Mon, 01 Aug 2005 13:25:42 +0200]:

> since you are a member of the mozilla security team, what are your experiences?
> Have you ever tried to work with them to improve their security process? What
> was the outcome? What were the problems?

  Assuming you meant s/mozilla/ubuntu/ above:

    http://lists.debian.org/debian-devel/2005/07/msg01586.html
    http://lists.debian.org/debian-devel/2005/08/msg00012.html

--
Adeodato Simó
    EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
 
The Wright Brothers weren't the first to fly. They were just the first
not to crash

