To my knowledge, Debian isn't including "extra" security fixes over
and above what we're shipping.  If they are, that would possibly be
considered an act of bad faith between downstream and upstream,
unless the security bug was Debian specific.  This type of potential
"Firefox from foo is better than Firefox from bar" comparison is
something we have explicitly avoided.

As pointed out many times, we've had to backport security fixes
ourselves into 1.0.4 because security support has dropped for the 1.0
branch. So whether that's "extra" or not, I don't know. Even if we
added a security patch that the original version didn't have I don't
see how we could act in bad faith. Even if we somehow neglected to
file a bug report on it, it's not like we could hide the fact that we
had added the patch from you.

Backporting security fixes from newer releases is not really "extra" in my mind. It'd be fixing stuff that isn't fixed elsewhere without discussing it with us.

The argument for fixing upstream is that by taking a fix for a bug that's unpatched upstream, you will call attention to that potential exploit, and thus put non-Debian users at risk. The problem is exponentially worse if we don't know the issue exists and thus don't know we need to fix it. If that's not malicious, it's at least irresponsible, in my opinion.

-- Mike

