James Andrewartha wrote:
As for your straw man about security bugs, what security bugs would
you be fixing with your own patches? If there are security bugs,
they should be fixed upstream, not in your own tree. We've had this
discussion repeatedly in the context of the security group, and we
expect that branded builds of x.y.z from <insert distro here> will be
the source tarball/cvs tag for x.y.z plus the set of approved
patches. We do not want to get into the fools' game of cherry-picking
patches, or individual distros deciding that Patch A isn't
"security-oriented" enough.

What happens when MozCo drops support for Firefox 1.5 but Debian (or
another distro) is still obligated to provide support, as has happened
with Firefox 1.0 and Mozilla Suite 1.7 in sarge? I admit this question
is largely academic as it appears Debian will be forced to ship
mozilla/browser under a different name.

Other vendors (i.e. even Red Hat Enterprise Linux) have chosen to
upgrade, rather than backport, as that becomes progressively more
difficult and risky in the face of ongoing security-driven
rearchitecture. If there were no official releases on that branch, and
distros expressed interest in maintaining that branch, we would have to
figure out a reasonable path forward. That would likely be best handled
by continuing to check in with appropriate review to the affected
branch(es) and doing periodic tags so that multiple distros could
benefit. It is unlikely that a single distro would want to commit that
much effort on their own, of course, which is why people are upgrading
instead of continuing to maintain a branch. Red Hat, Sun and IBM kept
the Mozilla Suite 1.4 branch around like that for a couple years, but
realized it was less work to migrate customers.
-- Mike