On 2010-01-27 02:36 +0100, Rob Owens wrote: > On Fri, Jan 22, 2010 at 09:21:55PM +0100, Sven Joachim wrote: >> >> Not really, actually security support for Iceweasel could end rather >> soon. >> >> http://www.debian.org/releases/lenny/i386/release-notes/ch-information.en.html#mozilla-security >> > > I'm concerned about the way this is handled. I understand that > continuing support in Debian once upstream support has stopped may be > infeasible, but is ceasing support while offering no alternatives (and > not much warning) really the best solution?
There are certainly alternatives, basically any package that provides the www-browser virtual package. > I'll confess that I never read the release notes until now, but I think > admins should get more warning about this issue. In the release notes, > "Your web browser will cease to get security updates" falls in between a > notice that "NetworkManager doesn't play nice with NIS" and "There are > no huge changes in the KDE Desktop". An internet app w/o security > updates seems vastly more important than the issues that surround it in > the release notes. Personally I would prefer if packages whose security support has ended were removed in point releases, but that is not always possible because other packages may (build-)depend on them. Such was the case with Iceape in Etch. > At the very least what I would have liked to see was an update to > Iceweasel that doesn't actually update the software, but issues a > warning to the admin that security updates have ceased. One step better > would be to include a supported version of Iceweasel in Lenny main. I > know it's against Debian policy to add new versions during a stable > release. Yes. New versions have to be installed from backports.org. In case of Iceweasel there is also the problem that Debian ships many extensions which may not be compatible with a new major version. > But isn't it also Debian policy to provide security updates for > the life of the release? (I may be assuming that last bit, but I hope > not). Yes, in the case of Mozilla packages it is lack of manpower and upstream support that defeats this, unfortunately. > Anyway, I've now installed Iceweasel 3.5 from backports. I just wish I > could have gotten it from the Debain main repo that I know and trust. > This is not a shot against the guys who run backports.org. It's just > that I don't think backports is intended to be a substitute for > security.debian.org. You can trust backports.org insofar as only Debian developers can upload packages there and only backports of versions that are already in testing are allowed. I think that making backports.org officially supported (as much as testing and unstable) is the goal, but lack of manpower for security support holds this back for now. Sven -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org