Re: Mozilla products in Debian (was: A question for the list:)

On Fri, 05 Nov 2010 07:54:29 -0500, Boyd Stephen Smith Jr. wrote:

> In <pan.2010.11.05.08.38.21@xxxxxxxxx>, Camaleón wrote:
>> On Fri, 05 Nov 2010 00:30:11 -0500, Boyd Stephen Smith Jr. wrote:
>>> There is a third choice, I guess: Ship firefox / thunderbird in
>>> non-free. Support for non-free is best-effort, which basically means
>>> that if upstream is willing to fix it then the security team /
>>> maintainers will package it. This basically results in Debian
>>> stable's non-free containing software with known security
>>> vulnerabilities that Mozilla is unwilling to fix.
>>
>> How about "volatile"? :-?
>>
>> ClamAV packages are there for precisely that reason (they need to be
>> updated -security fixes- very often).
>
> Firstly, only packages that are already in the official repository are
> included in volatile.

Icedove and Iceweasel are.

> Second, volatile is for packages that need
> frequent, non-security updates to maintain functionality (at least in
> the eyes of some users). (Updating the virus signature database is not
> considered a security update.)

AFAIK, ClamAV packages are fully upgraded (not only for fetching new
signatures but the whole program).

> Thirdly, the policy of no new upstream
> versions after release isn't changed for volatile. (It is changed for
> volatile-sloppy.)

And that is what people want to be improved :-)

> Finally, updating the Debian package *more often* is
> the opposite of coming into trademark compliance.

You know what other "non-rolling" distros do in this case: stock
versions of the programs remain unchanged and maintained for the time the
distribution is supported, but in parallel there are satellite repositories/
forges where users can get upgraded versions of the most used programs
(OOo suite, Mozilla products, etc...). These are not backported apps but
new builds matching each version.

Greetings,

--
Camaleón


--
To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx
with a subject of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx
Archive: http://lists.debian.org/pan.2010.11.05.13.13.40@xxxxxxxxx