Re: Mozilla products in Debian

2010-12-16 Thread Andrei Popescu
On Tue, 14 Dec 10, 09:37:29, Lisi wrote:
  
   I was under the (mis?)apprehension that things were only installed from
   backports if I specifically asked for them, i.e. -t lenny-backports was
   added to aptitude, and were only updated if already installed.
 
  'apt-cache policy iceweasel' should tell you/us more.
 
 quote
 l...@tux:~$ apt-cache policy iceweasel
 iceweasel:
   Installed: 3.5.15-1~bpo50+1
   Candidate: 3.5.15-1~bpo50+1
   Version table:
  *** 3.5.15-1~bpo50+1 0
         200 http://backports.debian.org lenny-backports/main Packages
         100 /var/lib/dpkg/status
      3.0.6-3 0
         500 http://mirror.ox.ac.uk lenny/main Packages
         500 http://security.debian.org lenny/updates/main Packages
 l...@tux:~$
 /quote
 
AFAICT this means that backports packages are installed only on demand, 
with -t (lower priority than lenny), but they will be automatically 
updated (higher priority than installed versions). Looks like the 
recommended backports setup.

 I am sitting in the corner with my dunce's hat on, and I haven't even got a 
 nice fat plum. :-((

Don't be so hard on yourself, it can happen to anyone. Once I called my 
company's IT-support (international phone call) because I was not able 
to log on. It took me almost 10 minutes to realize I changed my password 
the day before. I was so embarrassed...

Regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
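
The pin-priority reasoning in the reply above, as an added Python example (not part of the original message and not APT's own code): it parses the `apt-cache policy` output quoted in the thread and applies a simplified model of the selection rules documented in apt_preferences(5). The version `3.5.16-1~bpo50+1` and the two scenario helpers are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# apt-cache policy output quoted in the thread (indentation restored by hand).
POLICY_FROM_THREAD = """\
iceweasel:
  Installed: 3.5.15-1~bpo50+1
  Candidate: 3.5.15-1~bpo50+1
  Version table:
 *** 3.5.15-1~bpo50+1 0
        200 http://backports.debian.org lenny-backports/main Packages
        100 /var/lib/dpkg/status
     3.0.6-3 0
        500 http://mirror.ox.ac.uk lenny/main Packages
        500 http://security.debian.org lenny/updates/main Packages
"""
STATUS = "/var/lib/dpkg/status"


@dataclass
class Version:
    version: str
    installed: bool = False
    sources: list = field(default_factory=list)  # (priority, origin) pairs

    @property
    def priority(self):
        # A version is as attractive as its best-ranked source.
        return max((p for p, _ in self.sources), default=0)


def parse_policy(text):
    """Parse the 'Version table' part of apt-cache policy output."""
    versions, in_table = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Version table:":
            in_table = True
        elif in_table and line:
            ver = re.fullmatch(r"(\*\*\*\s+)?(\S+)\s+(-?\d+)", line)
            src = re.fullmatch(r"(-?\d+)\s+(\S.*)", line)
            if ver:  # "*** <version> <pin>"; *** marks the installed one
                versions.append(Version(ver.group(2), bool(ver.group(1))))
            elif src and versions:  # "<priority> <origin>"
                versions[-1].sources.append((int(src.group(1)), src.group(2)))
    return versions


def _order(ch):
    # dpkg ordering: '~' sorts before everything, letters before punctuation.
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256


def _part_key(part):
    return [([_order(c) for c in text] + [0], int(digits or 0))
            for text, digits in re.findall(r"(\D*)(\d*)", part)]


def deb_key(version):
    """Sort key following Debian version ordering (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return (int(epoch), _part_key(upstream), _part_key(revision))


def pick_candidate(versions):
    """Simplified model: highest priority wins, ties go to the newest version,
    and a downgrade is only considered at priority >= 1000."""
    installed = next((v for v in versions if v.installed), None)
    best = None
    for v in versions:
        if v.priority < 0:
            continue  # negative priority: never installed
        if (installed and v.priority < 1000
                and deb_key(v.version) < deb_key(installed.version)):
            continue  # would be a downgrade
        if best is None or ((v.priority, deb_key(v.version))
                            > (best.priority, deb_key(best.version))):
            best = v
    return best


def scenario_fresh(versions):
    """Constructed: same repositories, package not installed yet."""
    return [Version(v.version, False, [s for s in v.sources if s[1] != STATUS])
            for v in versions]


def scenario_new_backport(versions, new="3.5.16-1~bpo50+1"):
    """Constructed: a newer (hypothetical) upload replaces the installed
    version in lenny-backports."""
    out = []
    for v in versions:
        if v.installed:
            out.append(Version(v.version, True, [(100, STATUS)]))
            out.append(Version(new, False,
                               [s for s in v.sources if s[1] != STATUS]))
        else:
            out.append(v)
    return out


if __name__ == "__main__":
    table = parse_policy(POLICY_FROM_THREAD)
    print("as posted:      ", pick_candidate(table).version)
    print("fresh install:  ", pick_candidate(scenario_fresh(table)).version)
    print("newer backport: ", pick_candidate(scenario_new_backport(table)).version)
```
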




Re: Mozilla products in Debian

2010-12-14 Thread Lisi
On Monday 13 December 2010 20:11:19 Camaleón wrote:
 On Mon, 13 Dec 2010 19:57:50 +, Lisi wrote:
  On Sunday 05 December 2010 15:32:17 Camaleón wrote:
  On Sun, 05 Dec 2010 13:14:12 +, Lisi wrote:
   On Sunday 07 November 2010 23:24:17 Camaleón wrote:
   - What is the current status of Iceweasel in Lenny? - Are all the
   recent bugs of Firefox -that can affect 3.0 branch- fixed/
   backported to Iceweasel 3.0.6?
   - Does 3.0.6 versioning number follow the upstream numbering?
  
   I have Lenny, and Iceweasel 3.5.15.  Any updating has been done by
   aptitude.
 
  Then you should have backports repository enabled ;-)
 
  :-/
 
  I was under the (mis?)apprehension that things were only installed from
  backports if I specifically asked for them, i.e. -t lenny-backports
  was added to aptitude, and were only updated if already installed.

 Iceweasel 3.5.x is only available for Lenny by means of the backports
 repo so... could it be that you installed that way and then forgot it or
 maybe you tweaked the backports repo pinning settings under your /etc/
 apt/preferences file? :-?

Yes, the possibility that my memory had failed me occurred to me after I had 
posted.  Given the state of my memory these days, anything is possible. :-(

I haven't altered the pinnings.  I'm still not confident enough to do that.

Lisi



--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/201012140933.32459.lisi.re...@gmail.com



Re: Mozilla products in Debian

2010-12-14 Thread Lisi
On Monday 13 December 2010 20:40:19 Andrei Popescu wrote:
 On Mon, 13 Dec 10, 19:57:50, Lisi wrote:
  On Sunday 05 December 2010 15:32:17 Camaleón wrote:
   On Sun, 05 Dec 2010 13:14:12 +, Lisi wrote:
    I have Lenny, and Iceweasel 3.5.15.  Any updating has been done by
    aptitude.
  
   Then you should have backports repository enabled ;-)
  
  :-/
 
  I was under the (mis?)apprehension that things were only installed from
  backports if I specifically asked for them, i.e. -t lenny-backports was
  added to aptitude, and were only updated if already installed.

 'apt-cache policy iceweasel' should tell you/us more.

quote
l...@tux:~$ apt-cache policy iceweasel
iceweasel:
  Installed: 3.5.15-1~bpo50+1
  Candidate: 3.5.15-1~bpo50+1
  Version table:
 *** 3.5.15-1~bpo50+1 0
        200 http://backports.debian.org lenny-backports/main Packages
        100 /var/lib/dpkg/status
     3.0.6-3 0
        500 http://mirror.ox.ac.uk lenny/main Packages
        500 http://security.debian.org lenny/updates/main Packages
l...@tux:~$
/quote

I am sitting in the corner with my dunce's hat on, and I haven't even got a 
nice fat plum. :-((

Lisi






Re: Mozilla products in Debian

2010-12-13 Thread Lisi
On Sunday 05 December 2010 15:32:17 Camaleón wrote:
 On Sun, 05 Dec 2010 13:14:12 +, Lisi wrote:
  On Sunday 07 November 2010 23:24:17 Camaleón wrote:
  - What is the current status of Iceweasel in Lenny? - Are all the
  recent bugs of Firefox -that can affect 3.0 branch- fixed/ backported
  to Iceweasel 3.0.6?
  - Does 3.0.6 versioning number follow the upstream numbering?
 
  I have Lenny, and Iceweasel 3.5.15.  Any updating has been done by
  aptitude.

 Then you should have backports repository enabled ;-)

:-/

I was under the (mis?)apprehension that things were only installed from 
backports if I specifically asked for them, i.e. -t lenny-backports was 
added to aptitude, and were only updated if already installed.

Lisi





Re: Mozilla products in Debian

2010-12-13 Thread Camaleón
On Mon, 13 Dec 2010 19:57:50 +, Lisi wrote:

 On Sunday 05 December 2010 15:32:17 Camaleón wrote:
 On Sun, 05 Dec 2010 13:14:12 +, Lisi wrote:
  On Sunday 07 November 2010 23:24:17 Camaleón wrote:
  - What is the current status of Iceweasel in Lenny? - Are all the
  recent bugs of Firefox -that can affect 3.0 branch- fixed/
  backported to Iceweasel 3.0.6?
  - Does 3.0.6 versioning number follow the upstream numbering?
 
  I have Lenny, and Iceweasel 3.5.15.  Any updating has been done by
  aptitude.

 Then you should have backports repository enabled ;-)
 
 :-/
 
 I was under the (mis?)apprehension that things were only installed from
 backports if I specifically asked for them, i.e. -t lenny-backports
 was added to aptitude, and were only updated if already installed.

Iceweasel 3.5.x is only available for Lenny by means of the backports 
repo so... could it be that you installed that way and then forgot it or 
maybe you tweaked the backports repo pinning settings under your /etc/
apt/preferences file? :-?

Greetings,

-- 
Camaleón





Re: Mozilla products in Debian

2010-12-13 Thread Andrei Popescu
On Mon, 13 Dec 10, 19:57:50, Lisi wrote:
 On Sunday 05 December 2010 15:32:17 Camaleón wrote:
  On Sun, 05 Dec 2010 13:14:12 +, Lisi wrote:
  
   I have Lenny, and Iceweasel 3.5.15.  Any updating has been done by
   aptitude.
 
  Then you should have backports repository enabled ;-)
 
 :-/
 
 I was under the (mis?)apprehension that things were only installed from 
 backports if I specifically asked for them, i.e. -t lenny-backports was 
 added to aptitude, and were only updated if already installed.

'apt-cache policy iceweasel' should tell you/us more.

Regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: Mozilla products in Debian

2010-12-05 Thread Lisi
On Sunday 07 November 2010 23:24:17 Camaleón wrote:
 - What is the current status of Iceweasel in Lenny?
 - Are all the recent bugs of Firefox -that can affect 3.0 branch- fixed/
 backported to Iceweasel 3.0.6?
 - Does 3.0.6 versioning number follow the upstream numbering?

I have Lenny, and Iceweasel 3.5.15.  Any updating has been done by aptitude.

Lisi





Re: Mozilla products in Debian

2010-12-05 Thread Camaleón
On Sun, 05 Dec 2010 13:14:12 +, Lisi wrote:

 On Sunday 07 November 2010 23:24:17 Camaleón wrote:
 - What is the current status of Iceweasel in Lenny? - Are all the
 recent bugs of Firefox -that can affect 3.0 branch- fixed/ backported
 to Iceweasel 3.0.6?
 - Does 3.0.6 versioning number follow the upstream numbering?
 
 I have Lenny, and Iceweasel 3.5.15.  Any updating has been done by
 aptitude.

Then you should have backports repository enabled ;-)

Greetings,

-- 
Camaleón





Re: Mozilla products in Debian

2010-11-07 Thread Andrei Popescu
On Fri, 05 Nov 10, 19:47:58, Rob Owens wrote:
  
 What I would like (and think they should have done in the case of
 Iceweasel) is issue a security update that is simply a message to the
 admin that stable's version of Iceweasel is now unsupported.  The
 security update should not automatically upgrade Iceweasel to the
 backports version, but it should suggest this to the admin as a wise
 course of action.

And this has happened in the past (for Etch as far as I recall, but you 
can search the archives). AFAICT iceweasel in lenny is still supported.

Regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: Mozilla products in Debian

2010-11-07 Thread Camaleón
On Sun, 07 Nov 2010 20:40:09 +0200, Andrei Popescu wrote:

 On Fri, 05 Nov 10, 19:47:58, Rob Owens wrote:
  
 What I would like (and think they should have done in the case of
 Iceweasel) is issue a security update that is simply a message to the
 admin that stable's version of Iceweasel is now unsupported.  The
 security update should not automatically upgrade Iceweasel to the
 backports version, but it should suggest this to the admin as a wise
 course of action.
 
 And this has happened in the past (for Etch as far as I recall, but you
 can search the archives). AFAICT iceweasel in lenny is still supported.

I would like to know at what level.

Greetings,

-- 
Camaleón





Re: Mozilla products in Debian

2010-11-07 Thread Boyd Stephen Smith Jr.
On Sunday 07 November 2010 13:21:06 Camaleón wrote:
 On Sun, 07 Nov 2010 20:40:09 +0200, Andrei Popescu wrote:
  On Fri, 05 Nov 10, 19:47:58, Rob Owens wrote:
  What I would like (and think they should have done in the case of
  Iceweasel) is issue a security update that is simply a message to the
  admin that stable's version of Iceweasel is now unsupported.  The
  security update should not automatically upgrade Iceweasel to the
  backports version, but it should suggest this to the admin as a wise
  course of action.
  
  And this has happened in the past (for Etch as far as I recall, but you
  can search the archives). AFAICT iceweasel in lenny is still supported.
 
 I would like to know at what level.

At the same level as other packages for which Debian is the de facto upstream.  
Any variance in that would mean a DSA would be issued.
-- 
Boyd Stephen Smith Jr.   ,= ,-_-. =.
b...@iguanasuicide.net  ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/\_/




Re: Mozilla products in Debian

2010-11-07 Thread Camaleón
On Sun, 07 Nov 2010 16:15:10 -0600, Boyd Stephen Smith Jr. wrote:

 On Sunday 07 November 2010 13:21:06 Camaleón wrote:
 On Sun, 07 Nov 2010 20:40:09 +0200, Andrei Popescu wrote:
  On Fri, 05 Nov 10, 19:47:58, Rob Owens wrote:
  What I would like (and think they should have done in the case of
  Iceweasel) is issue a security update that is simply a message to
  the admin that stable's version of Iceweasel is now unsupported. 
  The security update should not automatically upgrade Iceweasel to
  the backports version, but it should suggest this to the admin as a
  wise course of action.
  
  And this has happened in the past (for Etch as far as I recall, but
  you can search the archives). AFAICT iceweasel in lenny is still
  supported.
 
 I would like to know at what level.
 
 At the same level as other packages for which Debian is the de facto
 upstream. Any variance in that would mean a DSA would be issued.

That says not much for the users.

There have been many bugs reported since 3.0 up to the latest 3.6 branch 
so:

- What is the current status of Iceweasel in Lenny?
- Are all the recent bugs of Firefox -that can affect 3.0 branch- fixed/
backported to Iceweasel 3.0.6?
- Does 3.0.6 versioning number follow the upstream numbering?

I ask because the only official note I've read seems to be in the Release 
Notes of Lenny and it's a bit fuzzy (leaves many points in the air).

If the current 3.0.6 is vulnerable to any of the recently discovered 
exploits, it's ok (users have been warned that this could happen), we 
can use backports to upgrade to 3.5.x, but I think it would be more 
appropriate to get an official statement from Debian so users can:

a) Rest assured knowing there is no exploitable flaw in the current 
version (3.0.6).
b) Update to any of the releases available.

Greetings,

-- 
Camaleón





Re: Mozilla products in Debian

2010-11-06 Thread Boyd Stephen Smith Jr.
In pan.2010.11.05.16.48...@gmail.com, Camaleón wrote:
 I prefer having no extensions at all than browsing the web with an
 unsupported browser :-).

Iceweasel 3.0.x isn't unsupported; Firefox 3.0.x is.[1]  Security groups don't 
stop disclosing vulnerabilities when Mozilla decides to stop supplying patches 
and the security team (time permitting) and iceweasel maintainers can develop 
and apply patches to iceweasel.

The ideal is that improvement of all Debian programs is done in collaboration 
with upstream.  That's not always the case, then DDs have to fill that role or 
drop the package.  (Disregarding all the packages where Debian or a specific 
DD *is* upstream.)
-- 
Boyd Stephen Smith Jr.   ,= ,-_-. =.
b...@iguanasuicide.net   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/\_/

[1] I could be wrong, I think iceweasel in Lenny was still getting security 
support.




Re: Mozilla products in Debian (was: A question for the list:)

2010-11-06 Thread Klistvud

On 05. 11. 2010 23:30:19, Kamaraju S Kusumanchi wrote:
 Klistvud wrote:
  On 05. 11. 2010 15:10:44, Boyd Stephen Smith Jr. wrote:
   No.  That's NOT what those who know and love Debian stable want.  The
   lack of upstream changes is one of the main reasons I use stable on
   servers.

  +1
  You can say that again.

 +2

 Seriously! I do not understand people's itch to install the latest
 version.

Oh, it's not that I do not understand them, I do. I just wish they
would stop trying to win us over: just agree to disagree and leave it
at that.


--
Cheerio,

Klistvud  
http://bufferoverflow.tiddlyspot.com
Certifiable Loonix User #481801  Please reply to the list, not to me.






Re: Mozilla products in Debian

2010-11-06 Thread Camaleón
On Fri, 05 Nov 2010 19:11:51 -0400, Doug wrote:

 On 2010-11-05 15:38 +0100, Camaleón wrote:

 /snip/

 I see only one reason to force the upgrade of a stock package with a
 newer version and is precisely the lack of support (nor patches) from
 upstream packager.

 /snip/

You are quoting in the wrong way, I guess. The above paragraph is mine...
 
 I see _no_ reason to force the  upgrade of any package, whether it is
 maintained or not, so long as it works. 

(...)

So you prefer a working system but vulnerable to threats and exploits? I 
cannot leave a server in that state. Not attached to Internet.

Stable should not be (by any means) a synonym of vulnerable :-/ 

I'm fine with _old packages_ provided they are still maintained and 
tracked upstream for security flaws. I'm fine with kernel 2.6.26 (don't 
need a newer release, don't need adding new features). But we all know 
what unmaintained/unsupported means: no more eyes catching security 
issues.

Greetings,

-- 
Camaleón





Re: Mozilla products in Debian

2010-11-06 Thread Rob Owens
On Sat, Nov 06, 2010 at 01:05:44AM -0500, Boyd Stephen Smith Jr. wrote:
 The ideal is that improvement of all Debian programs is done in collaboration 
 with upstream.  That's not always the case, then DDs have to fill that role or 
 drop the package.  (Disregarding all the packages where Debian or a specific 
 DD *is* upstream.)

Is there a procedure in place for dropping a package from stable?  Do
the rules allow it?

-Rob





Re: Mozilla products in Debian

2010-11-06 Thread Sven Joachim
On 2010-11-06 12:42 +0100, Rob Owens wrote:

 Is there a procedure in place for dropping a package from stable?

Yes, this actually happens from time to time.

 Do the rules allow it?

Yes, but currently only at point releases.

Sven





Mozilla products in Debian (was: A question for the list:)

2010-11-05 Thread Camaleón
On Fri, 05 Nov 2010 00:30:11 -0500, Boyd Stephen Smith Jr. wrote:

(...)
 
 There is a third choice, I guess: Ship firefox / thunderbird in
 non-free. Support for non-free is best-effort, which basically means
 that if upstream is willing to fix it then the security team /
 maintainers will package it.  This basically results in Debian stable's
 non-free containing software with known security vulnerabilities that
 Mozilla is unwilling to fix.

How about volatile? :-?

ClamAV packages are there for precisely that reason (they need to be 
updated -security fixes- very often).

Greetings,

-- 
Camaleón





Re: Mozilla products in Debian (was: A question for the list:)

2010-11-05 Thread Chris
Why not simply grab the package from mozilla and install under /opt
Sent from my BlackBerry®

-Original Message-
From: Camaleón noela...@gmail.com
Date: Fri, 5 Nov 2010 08:38:21 
To: debian-user@lists.debian.org
Subject: Mozilla products in Debian (was: A question for the list:)

On Fri, 05 Nov 2010 00:30:11 -0500, Boyd Stephen Smith Jr. wrote:

(...)
 
 There is a third choice, I guess: Ship firefox / thunderbird in
 non-free. Support for non-free is best-effort, which basically means
 that if upstream is willing to fix it then the security team /
 maintainers will package it.  This basically results in Debian stable's
 non-free containing software with known security vulnerabilities that
 Mozilla is unwilling to fix.

How about volatile? :-?

ClamAV packages are there for precisely that reason (they need to be 
updated -security fixes- very often).

Greetings,

-- 
Camaleón






Re: Mozilla products in Debian (was: A question for the list:)

2010-11-05 Thread Camaleón
On Fri, 05 Nov 2010 09:04:46 +, Chris wrote:

 How about volatile? :-?
 
 ClamAV packages are there for precisely that reason (they need to be
 updated -security fixes- very often).

 Why not simply grab the package from mozilla and install under /opt Sent

It lacks system integration (plugins et al).

Besides, Mozilla does not provide 64-bits builds for stable branch 
(AFAIK, only nightly builds are available and not for Thunderbird, just 
Firefox).

Greetings,

-- 
Camaleón





Anyone compile Thunderbird (was: Mozilla products in Debian (was: A question for the list:))

2010-11-05 Thread S Scharf
On Fri, Nov 5, 2010 at 5:10 AM, Camaleón noela...@gmail.com wrote:

 On Fri, 05 Nov 2010 09:04:46 +, Chris wrote:

  How about volatile? :-?
 
  ClamAV packages are there for precisely that reason (they need to be
  updated -security fixes- very often).
 
  Why not simply grab the package from mozilla and install under /opt Sent

 It lacks system integration (plugins et al).

 Besides, Mozilla does not provide 64-bits builds for stable branch
 (AFAIK, only nightly builds are available and not for Thunderbird, just
 Firefox).

 Greetings,

 --
 Camaleón

While we are on the topic, has anyone successfully compiled Thunderbird (on
Squeeze 64bit)? I have no problems with
Firefox, but after my Thunderbird compile, it runs and immediately exits
without a word (OK, it complains that:
 Xlib:  extension RANDR missing on display :0.0.
, an artifact of running Xinerama, but Firefox also gives that warning with
no problem).

Stuart


Re: Mozilla products in Debian (was: A question for the list:)

2010-11-05 Thread Boyd Stephen Smith Jr.
In pan.2010.11.05.08.38...@gmail.com, Camaleón wrote:
 On Fri, 05 Nov 2010 00:30:11 -0500, Boyd Stephen Smith Jr. wrote:
  There is a third choice, I guess: Ship firefox / thunderbird in
  non-free. Support for non-free is best-effort, which basically means
  that if upstream is willing to fix it then the security team /
  maintainers will package it.  This basically results in Debian stable's
  non-free containing software with known security vulnerabilities that
  Mozilla is unwilling to fix.

 How about volatile? :-?

 ClamAV packages are there for precisely that reason (they need to be
 updated -security fixes- very often).

Firstly, only packages that are already in the official repository are 
included in volatile.  Second, volatile is for packages that need frequent, 
non-security updates to maintain functionality (at least in the eyes of some 
users).  (Updating the virus signature database is not considered a security 
update.)  Thirdly, the policy of no new upstream versions after release isn't 
changed for volatile.  (It is changed for volatile-sloppy.)  Finally, updating 
the Debian package *more often* is the opposite of coming into trademark 
compliance.
-- 
Boyd Stephen Smith Jr.   ,= ,-_-. =.
b...@iguanasuicide.net   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/\_/




Re: Mozilla products in Debian (was: A question for the list:)

2010-11-05 Thread Camaleón
On Fri, 05 Nov 2010 07:54:29 -0500, Boyd Stephen Smith Jr. wrote:

 In pan.2010.11.05.08.38...@gmail.com, Camaleón wrote:
  On Fri, 05 Nov 2010 00:30:11 -0500, Boyd Stephen Smith Jr. wrote:
   There is a third choice, I guess: Ship firefox / thunderbird in
   non-free. Support for non-free is best-effort, which basically means
   that if upstream is willing to fix it then the security team /
   maintainers will package it.  This basically results in Debian
   stable's non-free containing software with known security
   vulnerabilities that Mozilla is unwilling to fix.

  How about volatile? :-?

  ClamAV packages are there for precisely that reason (they need to be
  updated -security fixes- very often).
 
 Firstly, only packages that are already in the official repository are
 included in volatile.  

Icedove and Iceweasel are.

 Second, volatile is for packages that need
 frequent, non-security updates to maintain functionality (at least in
 the eyes of some users).  (Updating the virus signature database is not
 considered a security update.)  

AFAIK, ClamAV packages are fully upgraded (not only for fetching new 
signatures but the whole program).

 Thirdly, the policy of no new upstream
 versions after release isn't changed for volatile.  (It is changed for
 volatile-sloppy.)  

And that is what people want to be improved :-)

 Finally, updating the Debian package *more often* is
 the opposite of coming into trademark compliance.

You know what other non-rolling distros do in this case: stock 
versions of the programs remain unchanged and maintained for the time the 
distribution is supported but in parallel there are satellite repositories/
forges where users can get upgraded versions of the most used programs 
(OOo suite, Mozilla products, etc...). These are not backported apps but 
new builds matching each version.

Greetings,

-- 
Camaleón





Re: Mozilla products in Debian (was: A question for the list:)

2010-11-05 Thread Boyd Stephen Smith Jr.
On Friday 05 November 2010 08:13:41 Camaleón wrote:
 On Fri, 05 Nov 2010 07:54:29 -0500, Boyd Stephen Smith Jr. wrote:
  In pan.2010.11.05.08.38...@gmail.com, Camaleón wrote:
   On Fri, 05 Nov 2010 00:30:11 -0500, Boyd Stephen Smith Jr. wrote:
    There is a third choice, I guess: Ship firefox / thunderbird in
    non-free. Support for non-free is best-effort, which basically means
    that if upstream is willing to fix it then the security team /
    maintainers will package it.  This basically results in Debian
    stable's non-free containing software with known security
    vulnerabilities that Mozilla is unwilling to fix.

   How about volatile? :-?

   ClamAV packages are there for precisely that reason (they need to be
   updated -security fixes- very often).
 
  Firstly, only packages that are already in the official repository are
  included in volatile.
 
 Icedove and Iceweasel are.

Yes, but the original request was for Firefox and Thunderbird.

  Second, volatile is for packages that need
  frequent, non-security updates to maintain functionality (at least in
  the eyes of some users).  (Updating the virus signature database is not
  considered a security update.)
 
 AFAIK, ClamAV packages are fully upgraded (not only for fetching new
 signatures but the whole program).

In any case, they are not security upgrades in the Debian sense.  They do 
not fix vulnerabilities in the ClamAV package.

FWIW, even ClamAV in volatile avoids new upstream versions unless old versions 
are unable to function.

  Thirdly, the policy of no new upstream
  versions after release isn't changed for volatile.  (It is changed for
  volatile-sloppy.)
 
 And that is what people want to be improved :-)

No.  That's NOT what those who know and love Debian stable want.  The lack of 
upstream changes is one of the main reasons I use stable on servers.
 
  Finally, updating the Debian package *more often* is
  the opposite of coming into trademark compliance.
 
 You know what other non-rolling distros do in this case: stock
 versions of the programs remain unchanged and maintained for the time the
 distribution is supported but in parallel there are satellite repositories/
 forges.

1. Backports contains new upstream versions compiled in a released Debian 
environment.  When Squeeze is released we should have an official backports 
service.

2. No one is preventing anyone from creating such repositories.  Debian is a 
volunteer project.  Existing DDs seem to like the status quo at least to some 
degree (existing policy can be changed if there is sufficient support for a 
change).  New volunteers can work on whatever they like and the process of 
becoming a DD is well-documented and always open.
-- 
Boyd Stephen Smith Jr.   ,= ,-_-. =.
b...@iguanasuicide.net  ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/\_/




Re: Mozilla products in Debian (was: A question for the list:)

2010-11-05 Thread Camaleón
On Fri, 05 Nov 2010 09:10:44 -0500, Boyd Stephen Smith Jr. wrote:

 On Friday 05 November 2010 08:13:41 Camaleón wrote:

  Thirdly, the policy of no new upstream versions after release isn't
  changed for volatile.  (It is changed for volatile-sloppy.)
 
 And that is what people want to be improved :-)
 
 No.  That's NOT what those who know and love Debian stable want.  The
 lack of upstream changes is one of the main reasons I use stable on
 servers.

What happens with Mozilla packages (more exactly with Firefox/Iceweasel) 
is that upstream versions correct security flaws, meaning that right now, 
Debian's lenny stock version of Iceweasel is vulnerable to lots of holes 
because Mozilla does not provide support nor patches for 3.0.x branch.

Leaving your users base with a vulnerable browser is not very sane.

I see only one reason to force the upgrade of a stock package with a 
newer version and is precisely the lack of support (nor patches) from 
upstream packager.

Hopefully there is backports holding these packages, but for Mozilla 
products (which are included in the regular repo) should not be needed -
to be backported- at all: lenny users should have received 3.5 release by 
means of the security repo.

Greetings,

-- 
Camaleón





Re: Mozilla products in Debian (was: A question for the list:)

2010-11-05 Thread Klistvud

On 05. 11. 2010 15:10:44, Boyd Stephen Smith Jr. wrote:
 No.  That's NOT what those who know and love Debian stable want.  The
 lack of upstream changes is one of the main reasons I use stable on
 servers.

+1
You can say that again.

--
Cheerio,

Klistvud  
http://bufferoverflow.tiddlyspot.com
Certifiable Loonix User #481801  Please reply to the list, not to me.






Re: Mozilla products in Debian

2010-11-05 Thread Sven Joachim
On 2010-11-05 15:38 +0100, Camaleón wrote:

 On Fri, 05 Nov 2010 09:10:44 -0500, Boyd Stephen Smith Jr. wrote:

 On Friday 05 November 2010 08:13:41 Camaleón wrote:

  Thirdly, the policy of no new upstream versions after release isn't
  changed for volatile.  (It is changed for volatile-sloppy.)
 
 And that is what people want to be improved :-)
 
 No.  That's NOT what those who know and love Debian stable want.  The
 lack of upstream changes is one of the main reasons I use stable on
 servers.

 What happens with Mozilla packages (more exactly with Firefox/Iceweasel) 
 is that upstream version correct security flaws, meaning that right now, 
 Debian's lenny stock version of Iceweasel is vulnerable to lots of holes 
 because Mozilla does not provide support nor patches for 3.0.x branch.

That is true, but the Debian iceweasel/xulrunner maintainer and the
security team backport security fixes.  Note that most of the problems
are not specific to iceweasel and affect all browsers based on
xulrunner, so they are fixed in the xulrunner-1.9 package which is
updated rather frequently.

 Leaving your users base with a vulnerable browser is not very sane.

Yes, but does iceweasel in lenny actually have big security problems?
The Debian security tracker¹ lists only one unfixed problem that is
hardly critical².

 I see only one reason to force the upgrade of a stock package with a 
 newer version and is precisely the lack of support (nor patches) from 
 upstream packager.

But for Mozilla based packages the patches are available, it's just that
they are in a different branch and have to be backported.  This may not
be ideal, but the situation is hardly worse than with the Linux kernel.

 Hopefully there is backports holding these packages, but for Mozilla 
 products (which are included in the regular repo) should not be needed -
 to be backported- at all: lenny users should have received 3.5 release by 
 means of the security repo.

So that half of their installed extensions are broken after the upgrade?
Does not seem to be a very good idea to me.

Sven


¹ http://security-tracker.debian.org/tracker/source-package/iceweasel
² http://security-tracker.debian.org/tracker/CVE-2009-0777


-- 
Archive: http://lists.debian.org/87pquj7oc2@turtle.gmx.de



Re: Mozilla products in Debian

2010-11-05 Thread Camaleón
On Fri, 05 Nov 2010 17:00:13 +0100, Sven Joachim wrote:

 On 2010-11-05 15:38 +0100, Camaleón wrote:
 
 What happens with Mozilla packages (more exactly with
 Firefox/Iceweasel) is that upstream version correct security flaws,
 meaning that right now, Debian's lenny stock version of Iceweasel is
 vulnerable to lots of holes because Mozilla does not provide support
 nor patches for 3.0.x branch.
 
 That is true, but the Debian iceweasel/xulrunner maintainer and the
 security team backport security fixes.  

How is that possible? :-?

As soon as Mozilla stopped offering security patches and left tracking 
3.0.x branch there can be hidden bugs neither Mozilla nor Debian can be 
aware of.

 Note that most of the problems
 are not specific to iceweasel and affect all browsers based on
 xulrunner, so they are fixed in the xulrunner-1.9 package which is
 updated rather frequently.

Mmm, current xulrunner upstream release is 1.9.2 that matches Firefox 
3.6. Now I've got installed 1.9.0.19-6 (matching my icedove version).
 
 Leaving your users base with a vulnerable browser is not very sane.
 
 Yes, but does iceweasel in lenny actually have big security problems?
 The Debian security tracker¹ lists only one unfixed problem that is
 hardly critical².

Do you think Debian packages include all these bug fixes?

http://www.mozilla.org/security/known-vulnerabilities/firefox30.html

 I see only one reason to force the upgrade of a stock package with a
 newer version and is precisely the lack of support (nor patches) from
 upstream packager.
 
 But for Mozilla based packages the patches are available, it's just that
 they are in a different branch and have to be backported.  This may not
 be ideal, but the situation is hardly worse than with the Linux kernel.

Yes, a backported package is better than nothing, I agree.
 
 Hopefully there is backports holding these packages, but for Mozilla
 products (which are included in the regular repo) should not be needed
 - to be backported- at all: lenny users should have received 3.5
 release by means of the security repo.
 
 So that half of their installed extensions are broken after the upgrade?
 Does not seem to be a very good idea to me.

I prefer having no extensions at all than browsing the web with an 
unsupported browser :-). Anyway, you could choose not updating Iceweasel 
and keep the old branch...

Greetings,

-- 
Camaleón


-- 
Archive: http://lists.debian.org/pan.2010.11.05.16.48...@gmail.com



Re: Mozilla products in Debian

2010-11-05 Thread Sven Joachim
On 2010-11-05 17:48 +0100, Camaleón wrote:

 On Fri, 05 Nov 2010 17:00:13 +0100, Sven Joachim wrote:
 
 That is true, but the Debian iceweasel/xulrunner maintainer and the
 security team backport security fixes.  

 How is that possible? :-?

 As soon as Mozilla stopped offering security patches and left tracking 
 3.0.x branch there can be hidden bugs neither Mozilla nor Debian can be 
 aware of.

There also can be^W^W are hidden bugs in the 3.6 branch which Mozilla
and Debian are not aware of.  Of course there is the possibility that in
the meantime Mozilla had inadvertently fixed some security bug in the
3.5/3.6 branches without knowing it, so that only 3.0 is vulnerable.

 Note that most of the problems
 are not specific to iceweasel and affect all browsers based on
 xulrunner, so they are fixed in the xulrunner-1.9 package which is
 updated rather frequently.

 Mmm, current xulrunner upstream release is 1.9.2 that matches Firefox 
 3.6. Now I've got installed 1.9.0.19-6 (matching my icedove version).

Reading the Debian changelog for that should give you a good idea what
security bugs got fixed.

 Do you think Debian packages include all these bug fixes?

 http://www.mozilla.org/security/known-vulnerabilities/firefox30.html

No, MFSA 2009-11 is not fixed (that is a Firefox-only bug).  The others
should be fixed, but I did not check everything myself.

 Hopefully there is backports holding these packages, but for Mozilla
 products (which are included in the regular repo) should not be needed
 - to be backported- at all: lenny users should have received 3.5
 release by means of the security repo.
 
 So that half of their installed extensions are broken after the upgrade?
 Does not seem to be a very good idea to me.

 I prefer having no extensions at all than browsing the web with an 
 unsupported browser :-). Anyway, you could choose not updating Iceweasel 
 and keep the old branch...

Which is what quite a few people would do, I fear.  The current
situation where the old version still gets security updates from Debian
while newer versions are available from lenny-backports is IMO better.

Sven


-- 
Archive: http://lists.debian.org/87zktn61zv@turtle.gmx.de
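
Added example, not part of any message in the thread: the changelog check suggested above, as a script that lists which advisory identifiers a Debian changelog never mentions. The changelog text is a constructed sample (only version 1.9.0.19-6, MFSA 2009-11 and the package name come from the thread; the 0000-xx identifiers, version 1.9.0.19-5 and the maintainer line are placeholders), and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: list which advisories a Debian changelog never mentions.

# Constructed sample in Debian changelog format, NOT the real xulrunner
# changelog. 1.9.0.19-6 is the version quoted in the thread; 1.9.0.19-5,
# the 0000-xx identifiers and the maintainer line are placeholders.
sample_changelog() {
cat <<'EOF'
xulrunner (1.9.0.19-6) stable-security; urgency=low

  * Fixes mfsa-0000-02, also known as CVE-0000-0002.

 -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2001 00:00:00 +0000

xulrunner (1.9.0.19-5) stable-security; urgency=low

  * Fixes MFSA 0000-01.

 -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2001 00:00:00 +0000
EOF
}

# Print "<version> <id>" for every CVE/MFSA identifier found on stdin.
# Spellings such as "mfsa-2009-11" are normalised to "MFSA 2009-11".
changelog_ids() {
    awk '
    /^[a-z0-9][a-z0-9+.-]* \(.*\) / {      # entry header: pkg (version) dist;
        ver = $2; gsub(/[()]/, "", ver); next
    }
    {
        line = toupper($0)
        while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+|MFSA[ -]?[0-9][0-9][0-9][0-9]-[0-9]+/)) {
            id = substr(line, RSTART, RLENGTH)
            line = substr(line, RSTART + RLENGTH)
            if (id ~ /^MFSA/) { sub(/^MFSA[ -]?/, "", id); id = "MFSA " id }
            print ver, id
        }
    }'
}

# Print each identifier given as an argument that the changelog on stdin
# never mentions: a candidate for "not backported", to be checked by hand.
missing_ids() {
    seen=$(changelog_ids | cut -d" " -f2- | sort -u)
    for want in "$@"; do
        printf '%s\n' "$seen" | grep -qxF -- "$want" || printf '%s\n' "$want"
    done
}

sample_changelog | missing_ids "MFSA 0000-01" "MFSA 0000-02" "MFSA 2009-11"
```

On an installed system the input would normally come from `zcat /usr/share/doc/xulrunner-1.9/changelog.Debian.gz`, assuming the package ships its changelog in the usual place. An identifier reported as missing may still be fixed under another name, so the output is a list to check against the security tracker, not a verdict.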



Re: Mozilla products in Debian

2010-11-05 Thread Camaleón
On Fri, 05 Nov 2010 19:48:04 +0100, Sven Joachim wrote:

 On 2010-11-05 17:48 +0100, Camaleón wrote:
 
 Do you think Debian packages include all these bug fixes?

 http://www.mozilla.org/security/known-vulnerabilities/firefox30.html
 
 No, MFSA 2009-11 is not fixed (that is a Firefox-only bug).  The others
 should be fixed, but I did not check everything myself.

I've just remembered the Lenny Release Notes:

http://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#mozilla-security

So, I wonder what is the current/real security status for Iceweasel.

I do not know why Mozilla products have to follow a different path than 
other products. For instance, would Debian security policy allow leaving 
an old package that is not maintained anymore upstream? 

dreaming mode on

Let's imagine for a moment that SpamAssassin drops support (=no more 
security patches) for its 3.2.x branch... Lenny users will be highly 
exposed to any security flaw that can affect the old/unmaintained branch. 
Shouldn't they be updated to the latest/maintained upstream package via 
standard security updates?

Let's face the situation:

1/ No updating means several servers running lenny are at risk of being 
exploited.

2/ Updating to the new branch can break current setups but a notice about 
the branch change and detailed steps on how to perform the change could 
prevent users from breaking their current setup.

I, for myself, prefer to get the updated package, perform the upgrade, 
carefully read the docs to get a soft transition to the new branch and 
keep my e-mail server secure (remember that lenny has still a long full
year of support).

/dreaming mode off

That was a hypothetical situation but is what has happened with Mozilla 
products. I mean, knowing that Mozilla has a very quick development 
strategy, wouldn't it be preferable to care about that instead of just warning 
the users in Release Notes and leaving them in a kind of limbo? 

Greetings,

-- 
Camaleón


-- 
Archive: http://lists.debian.org/pan.2010.11.05.20.07...@gmail.com



Re: Mozilla products in Debian (was: A question for the list:)

2010-11-05 Thread Kamaraju S Kusumanchi
Klistvud wrote:

 On 05. 11. 2010 15:10:44, Boyd Stephen Smith Jr. wrote:
 
 No.  That's NOT what those who know and love Debian stable want.  The
 lack of upstream changes is one of the main reasons I use stable on
 servers.
 
 +1
 You can say that again.
 

+2

Seriously! I do not understand people's itch to install the latest version. 
Just because it has a high version number does not mean it is more secure.

regards
-- 
Kamaraju S Kusumanchi
http://malayamaarutham.blogspot.com/


-- 
Archive: http://lists.debian.org/ib20ge$t9...@dough.gmane.org



Re: Mozilla products in Debian

2010-11-05 Thread Doug

On 11/5/2010 12:00 PM, Sven Joachim wrote:

On 2010-11-05 15:38 +0100, Camaleón wrote:


On Fri, 05 Nov 2010 09:10:44 -0500, Boyd Stephen Smith Jr. wrote:

/snip/



I see only one reason to force the upgrade of a stock package with a
newer version and is precisely the lack of support (nor patches) from
upstream packager.



/snip/

I see _no_ reason to force the upgrade of any package, whether it is
maintained or not, so long as it works.  Right now I have a broken
system since PCLOS forced me to upgrade synaptiks.  It was working
perfectly the way it was, and so was the OS.  Now the OS is shot all
to hell, and I'm not sure what to do about it. Two previous attempts
to upgrade the OS from 2010 to 2010.07 went down in flames, and now I
suppose I will have to try .10 and see what happens. What may very well
happen is that I run the XP that I got with the laptop. It's not as
smart or as interesting as PCLOS, but it seems to be less likely to crash.

--doug

Blessed are the peacemakers...for they shall be shot at from both sides. 
 --A.M. Greeley



--

Archive: http://lists.debian.org/4cd48f37.1030...@optonline.net



Re: Mozilla products in Debian

2010-11-05 Thread Rob Owens
On Fri, Nov 05, 2010 at 08:07:13PM +, Camaleón wrote:
 On Fri, 05 Nov 2010 19:48:04 +0100, Sven Joachim wrote:
 
  On 2010-11-05 17:48 +0100, Camaleón wrote:
  
  Do you think Debian packages include all these bug fixes?
 
  http://www.mozilla.org/security/known-vulnerabilities/firefox30.html
  
  No, MFSA 2009-11 is not fixed (that is a Firefox-only bug).  The others
  should be fixed, but I did not check everything myself.
 
 I've just remembered the Lenny Release Notes:
 
 http://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#mozilla-security
 
 So, I wonder what is the current/real security status for Iceweasel.
 
 I do not know why Mozilla products have to follow a different path than 
 other products. For instance, would Debian security policy allow leaving 
 an old package that is not maintained anymore upstream? 
 
 dreaming mode on
 
 Let's imagine for a moment that SpamAssassin drops support (=no more 
 security patches) for its 3.2.x branch... Lenny users will be highly 
 exposed to any security flaw that can affect the old/unmaintained branch. 
 Shouldn't they be updated to the latest/maintained upstream package via 
 standard security updates?
 
 Let's face the situation:
 
 1/ No updating means several servers running lenny are at risk of being 
 exploited.
 
 2/ Updating to the new branch can break current setups but a notice about 
 the branch change and detailed steps on how to perform the change could 
 prevent users from breaking their current setup.
 
 I, for myself, prefer to get the updated package, perform the upgrade, 
 carefully read the docs to get a soft transition to the new branch and 
 keep my e-mail server secure (remember that lenny has still a long full
 year of support).
 
 /dreaming mode off
 
What I would like (and think they should have done in the case of
Iceweasel) is issue a security update that is simply a message to the
admin that stable's version of Iceweasel is now unsupported.  The
security update should not automatically upgrade Iceweasel to the
backports version, but it should suggest this to the admin as a wise
course of action.

-Rob


-- 
Archive: http://lists.debian.org/20101105234757.ga12...@aurora.owens.net