Your message dated Mon, 14 Mar 2016 11:15:21 +0100
with message-id <[email protected]>
and subject line Re: iceweasel: stop tracking ESR in testing/unstable and make
an iceweasel-esr package instead
has caused the Debian Bug report #783274,
regarding iceweasel: stop tracking ESR in testing/unstable and make an
iceweasel-esr package instead
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
783274: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783274
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: iceweasel
Severity: wishlist
Hi.
For quite some time now, the Debian iceweasel package tracks the ESR version
in testing/unstable and the current version of FF is only available in
experimental or through "unofficial" repos.
I think many people run their desktop and/or production servers on testing
or even unstable, but still, in order not having to use a completely outdated
FF one needs to use experimental, which is kinda annoying.
Sure, pulling it in from experimental is quite easy via apt_preferences,
but in experimental there is no security support (unlike testing).
I guess the main reason of tracking ESR is probably to have a "long-term-
supported" version in stable, but - wearing the security expert hat - assuming
that such versions are really still secure after perhaps more than 1 or 2 years
is probably an illusion.
Even when they're still supported by upstream, they simply receive far less
scrutiny (in terms of security audits/analysis) than the current versions.
Also often security holes are silently fixed, without being identified as such.
Long story short, I think it's at least somewhat questionable whether something
as dynamic as a browser can be really long-term-supported.
Anyway,... may I wish the following:
Let the iceweasel package track current versions of FF and add e.g. an
iceweasel-esr package, which tracks the ESR version.
Since you anyway provide the current versions really fast in experimental,
it shouldn't be too difficult to do the same for at least unstable.
Such a package could either never enter testing, or (based on my security analysis
above) one could simply declare it unsupported in testing/stable after some
short time, and request people to use a version from backports.
Cheers,
Chris.
--- End Message ---
--- Begin Message ---
I guess that this bug can be closed, we have firefox and firefox-esr
packages now.
Laurent Bigonville
--- End Message ---