I'm a happy user of Testing, but I'm a bit concerned about getting updates to Firefox in a timely manner. The current version in Testing is 1.0.4-2, which has recently-announced vulnerabilities in it. The vulns (I don't like typing that word :) have been fixed in the version in Sarge, 1.0.4-2sarge1. They've been fixed in Unstable as well, in 1.0.6-2.
But when will this version come to Testing? A quick look at the changelog for the package shows that 1.0.5-1, which fixes some security issues, was uploaded to Unstable on July 16th with an urgency level of high, but four days later 1.0.6-1 was uploaded with an urgency of low. Ten days later, on July 30th, 1.0.6-2 was uploaded with an urgency of medium. But here it is over two weeks later, and Testing is still stuck on 1.0.4-2. I looked in the bug tracker, but I couldn't find any good bug to prevent these newer versions from moving to Testing.
Now, I'm far from an expert, and I'm still fairly new to Debian (less than a year), but it seems like something needs to change. I don't want to run Unstable on my computer, but I don't want to be stuck with vulnerable browsers either. I could upgrade Firefox to the version that's in Unstable, but there are two problems: 1) This is a poor long-term solution, having to manually upgrade packages and their dependencies to fix security problems; 2) I can't even do that in this case, because Firefox 1.0.6-2 depends on libxinerama1, which depends on libc6 >=2.3.5, but Testing is still on libc6 2.3.2. This is simply a mess.
Actually, now that I think about it, I suppose the reason 1.0.6-2 hasn't moved into Testing is because of the dependency problem of libxinerama1 and libc6. But who knows when the new version of libc6 will get into Testing? It may be a very long time. In the meantime, are we Testing users supposed to keep using a vulnerable version of Firefox?
I know Testing is not supported for security updates, but for high-profile packages like Firefox with high-profile vulns, don't we need a solution for this problem? And upgrading to Unstable is not a solution; there's a reason I and others use Testing instead of Unstable.