antgel wrote:

2) Mozilla security patches are not easy to find and isolate.

Ben has disputed this, saying that we should be able to extract all
necessary patches.  Public ones from
http://www.mozilla.org/projects/security/known-vulnerabilities.html then
bugzilla, and embargoed ones via mdz.
Note that I do *not* recommend that approach. I cannot guarantee that all security fixes are listed there. Even more so for pro-active security changes which will prevent exploits in the future. (I'm not saying that this *does* happen, I just don't know. Here, communication between the groups would be useful, if nothing else to establish guarantees.)

Also, this is far more work than just taking an existing branch and ship that.

3) Backporting the patches, once isolated, is a ballache.  (Is it that
security patches are applied to aviary as well as trunk, and that the
problem, more specifically, is that aviary itself is too far ahead of
Debian, or that the patches are only applied to trunk?)

I'd like to hear a comment from Ben about this.
Given that the "aviary" branch (1.0.x) is maintained by mozilla.org, it does have all the critical security fixes.
As I said, I don't know what the problems with backporting are.

I mean, right now, you are shipping FF 1.0.4 with sarge. If the 1.0.5/6 patches don't apply to *that*, then I don't know either...

Ben
