On Wed, Aug 03, 2005 at 02:51:04PM +0200, Ben Bucksch wrote:
> antgel wrote:
>
> > 2) Mozilla security patches are not easy to find and isolate.
> >
> > Ben has disputed this, saying that we should be able to extract all
> > necessary patches. Public ones from
> > http://www.mozilla.org/projects/security/known-vulnerabilities.html then
> > bugzilla, and embargoed ones via mdz.
>
> Note that I do *not* recommend that approach. I cannot guarantee that all
> security fixes are listed there. Even more so for pro-active security
> changes which will prevent exploits in the future. (I'm not saying that
> this *does* happen, I just don't know. Here, communication between the
> groups would be useful, if nothing else to establish guarantees.)

How are we to be informed of all vulnerabilities known to Mozilla security
personnel, if not via this web page? While I do have access to the embargoed
bugs, I receive no notification when security-related bugs are created in
Bugzilla. Probably the best way to handle this is for Mozilla to notify
vendor-sec when such an issue becomes known to them.

> > 3) Backporting the patches, once isolated, is a ballache. (Is it that
> > security patches are applied to aviary as well as trunk, and that the
> > problem, more specifically, is that aviary itself is too far ahead of
> > Debian, or that the patches are only applied to trunk?)
> >
> > I'd like to hear a comment from Ben about this.
>
> Given that the "aviary" branch (1.0.x) is maintained by mozilla.org, it
> does have all the critical security fixes.
> As I said, I don't know what the problems with backporting are.
>
> I mean, right now, you are shipping FF 1.0.4 with sarge. If the 1.0.5/6
> patches don't apply to *that*, then I don't know either...

Yes, right now we don't have too many problems applying patches because we
only just put out a new release. However, our experience with older releases
(Debian 3.0 in July 2002, and also Ubuntu 4.10 in October 2003) is that it
becomes impossible to usefully apply patches long before the support lifetime
of the release is over.

--
 - mdz

