* Mike Connor ([EMAIL PROTECTED]) wrote:
>
> >>To my knowledge, Debian isn't including "extra" security fixes over
> >>and above what we're shipping. If they are, that would possibly be
> >>considered an act of bad faith between downstream and upstream,
> >>unless the security bug was Debian-specific. This type of potential
> >>"Firefox from foo is better than Firefox from bar" comparison is
> >>something we have explicitly avoided.
> >
> >As pointed out many times, we've had to backport security fixes
> >ourselves into 1.0.4 because security support has dropped for the 1.0
> >branch. So whether that's "extra" or not, I don't know. Even if we
> >added a security patch that the original version didn't have, I don't
> >see how we could act in bad faith. Even if we somehow neglected to
> >file a bug report on it, it's not like we could hide the fact that we
> >had added the patch from you.
>
> Backporting security fixes from newer releases is not really "extra"
> in my mind. It'd be fixing stuff that isn't fixed elsewhere without
> discussing it with us.
>
> The argument for fixing upstream is that by taking a fix for a bug
> that's unpatched upstream, you will call attention to that potential
> exploit, and thus put non-Debian users at risk. The problem is
> exponentially worse if we don't know the issue exists and thus don't
> know we need to fix it. If that's not malicious, it's at least
> irresponsible, in my opinion.
Well, on the one hand, if there's a patch available to fix a security issue that I can get my hands on, I probably won't wait until the official release from Mozilla to apply the fix. If I can get my hands on it, that means umpteen many people can too, so I would see no point in delaying even if it does draw attention to the vulnerability.

On the other hand, if somehow I was privy to a vulnerability that upstream wasn't, of course I would report it. I'm a good citizen in this community, as I'm sure nearly all of Debian is. But my point was that even if I didn't (e.g., hit by a bus, had dental surgery, was mad at you because you ran over my puppy, or merely because I forgot), I couldn't actually hide the fact that I did it effectively. It's all out in the open, so I don't see how I could be accused of bad faith or irresponsibility.

--
Eric Dorland <[EMAIL PROTECTED]>
ICQ: #61138586, Jabber: [EMAIL PROTECTED]
1024D/16D970C6 097C 4861 9934 27A0 8E1C 2B0A 61E9 8ECF 16D9 70C6