Source: iceweasel Severity: wishlist
Hi.

For quite some time now, the Debian iceweasel package tracks the ESR version in testing/unstable and the current version of FF is only available in experimental or through "unofficial" repos.

I think many people run their desktop and/or production servers on testing or even unstable, but still, in order not to have to use a completely outdated FF one needs to use experimental, which is kinda annoying. Sure, pulling it in from experimental is quite easy via apt_preferences, but in experimental there is no security support (unlike testing).

I guess the main reason for tracking ESR is probably to have a "long-term-supported" version in stable, but - wearing the security expert hat - assuming that such versions are really still secure after perhaps more than 1 or 2 years is probably an illusion. Even when they're still supported by upstream, they simply receive far less scrutiny (in terms of security audits/analysis) than the current versions. Also, security holes are often silently fixed, without being identified as such.

Long story short, I think it's at least somewhat questionable whether something as dynamic as a browser can really be long-term-supported.

Anyway, may I wish the following: let the iceweasel package track current versions of FF and add e.g. an iceweasel-esr package, which tracks the ESR version. Since you anyway provide the current versions really fast in experimental, it shouldn't be too difficult to do the same for at least unstable. Such a package could either never enter testing, or (based on my security analysis above) one could simply declare it unsupported in testing/stable after some short time, and request people to use a version from backports.

Cheers,
Chris.
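For readers who want to see what the apt_preferences pin mentioned above looks like in practice, here is an added example (not part of the original bug report). It assumes an experimental entry already exists in sources.list and that the file is dropped into /etc/apt/preferences.d/; the priority values are illustrative. The pin only allows iceweasel and its companion packages to come from experimental; everything else keeps its normal suite priority, and, as the report points out, the experimental build receives no security support, so this is a trade-off the admin is knowingly accepting.

```text
# /etc/apt/preferences.d/iceweasel-experimental  (added example, not from the report)
#
# Allow only the iceweasel packages to be pulled from the experimental suite.
# apt_preferences(5): a priority of 500 ranks experimental equal to a normal
# target release for these names, so the newer version wins; the glob form
# matches the companion binary packages as well.
Package: iceweasel iceweasel-*
Pin: release a=experimental
Pin-Priority: 500

# Keep experimental below every other suite for all remaining packages, so
# nothing else is upgraded from it by accident (default for experimental is 1).
Package: *
Pin: release a=experimental
Pin-Priority: 1
```

After installing the file, `apt-cache policy iceweasel` shows which candidate version and suite will be selected, which is the check to run before relying on the pin.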

