Re: On Mozilla-* updates
Michael Stone wrote:
> On Mon, Aug 01, 2005 at 09:29:24AM +0200, Stefano Salvi wrote:
>> I think that two kinds of people are interested in Debian:
>> - Ones who want Security
>> - Ones who want Stability
>
> I can't even understand this statement. What kind of person is interested in stability which will get their machine compromised? Remember, we're talking about a *web browser* here--the primary purpose of which is to connect to web sites on the internet. That seems in my mind to be an application which cries out for some level of security. And it's not like old versions will disappear forever--if you really need some kind of pedantic stability just put your browser on hold.

For stability I mean: you can install any part of the system without worrying about breaking your machine, which is provided by the strong quality check cycle and very good dependency system. If you go on reading, I say I wish that critical components such as browsers are kept updated AFTER the release, to keep security optimal.

Remember that security is always expressed in percent: there will never be 100% security. It's sure that a server must have a higher security score than a desktop system, but it also needs different functionalities.

Stefano

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: On Mozilla-* updates
* Stefano Salvi [EMAIL PROTECTED] [2005-08-02 09:16 +0200]:
> It's sure that a server must have a higher security score than a desktop system, but it also needs different functionalities.

The desktop used to administrate a server needs less security? Weakest link?

Nicolas
Re: On Mozilla-* updates
Nicolas Rachinsky wrote:
> * Stefano Salvi [EMAIL PROTECTED] [2005-08-02 09:16 +0200]:
>> It's sure that a server must have a higher security score than a desktop system, but it also needs different functionalities.
>
> The desktop used to administrate a server needs less security? Weakest link?

I prefer to have no X on the server and administer it from the command line or web interfaces (command line is better). I think that if you administer via GUI you have far less security. Yes, as you say, the GUI administration chain is the weakest link of the chain?

Stefano
Re: On Mozilla-* updates
* Stefano Salvi [EMAIL PROTECTED] [2005-08-02 09:38 +0200]:
> Nicolas Rachinsky wrote:
>> The desktop used to administrate a server needs less security? Weakest link?
>
> I prefer to have no X on the server and administer it from command line or Web interfaces (command line is better). I think that if you administer via GUI you have far less security. Yes, as you say, the GUI administration chain is the weakest link of the chain?

If someone takes over this desktop, he also owns the server. But this is getting too far from the current discussion.

Nicolas
Importance of browser security (was: On Mozilla-* updates)
Stefano Salvi wrote:
> I prefer to have no X on the server and administer it from command line or Web interfaces (command line is better).

Let's say

1. You use Mozilla from sarge
2. Somebody cracks you through known holes in that old Mozilla, either a mass exploit or an enemy of you specifically targeting you. Which is probably the easiest way to attack you, through all firewalls. So much for browser/email security.
3. He controls your desktop
4. He downloads all your local mail and photos/images, including your confidential company mail, private mail and nude photos of your girlfriend. He posts it on the Internet, your company's billboard, and your supermarket's billboard.
5. He also installs a keyboard sniffer and downloads your private SSH keys.
6. He logs into all servers and other computers that you have access to. Including those desktops of your friends, which you remote administrate or use the password that they use for your server. And the attacker goes on from there. So much for desktop/server security.
7. One of your friends did things which are strictly legal, but your boss didn't like it at all, and fired him. Another one happened to be a dissident and gets in jail or maybe shot. So much for efficiency (this has nothing to do with efficiency).
8. Because all this costs some time, the attacker needs to live, too. He drafts your bank accounts and those of your friends as a fair compensation.

The Half Life 2 source code got indeed stolen via desktop compromise, too. But all that is insignificant in comparison to your dead friend. That's what's at stake here.

I don't care, if a Mozilla security update breaks some badly written extensions. And if it breaks Galeon's print function, so be it, you can still use Mozilla in this rare case. But there's *no* recovery from a bad breakin.
Re: Importance of browser security
Ben Bucksch wrote:
> Stefano Salvi wrote:
>> I prefer to have no X on the server and administer it from command line or Web interfaces (command line is better).
>
> Let's say
> 1. You use Mozilla from sarge
> ... CUT ... Description of an exploit
> That's what's at stake here. I don't care, if a Mozilla security update breaks some badly written extensions. And if it breaks Galeon's print function, so be it, you can still use Mozilla in this rare case. But there's *no* recovery from a bad breakin.

I completely agree with you. My point was:
- server software needs strict security and less functionality; a long release cycle is welcome; it is preferred to stick to some releases of the software.
- desktop software needs good security, but also new features; you prefer to get the latest release of a software.

My choice is to stick on woody (I'll rebuild with Sarge now) for the server and use Sid on the desktop, upgrading it regularly. I think this gives me strong security on the server and good security AND features on the desktop. The difference is that I didn't install an old browser on the server and keep the browser updated constantly on the desktop.

Using this policy, from time to time my desktop has some problems (I'm using unstable). I would be very happy if there was a stable branch that keeps software updated AND tracks security.

Stefano
Re: On Mozilla-* updates
> it seems that less than two months after the release of sarge it is not possible to support Mozilla, Thunderbird, Firefox (and probably Galeon) packages anymore. (in terms of fixing security related problems) Unfortunately the Mozilla Foundation does not provide dedicated and clean patches for security updates but only releases new versions that fix tons of security related problems and other stuff that is or may be irrelevant for security updates. As a result, it is extremely difficult to get security patches extracted and backported. This is an utter disaster for security teams and distributions that try to support their releases.

Joey,

Working from the following assumptions:
* it is possible to include Mozilla in Debian stable,
* extracting security patches from upstream is not practical,
and ignoring the interesting, but extraneous threads,

What exactly breaks if the update to v1.06 is applied, as upstream recommends?

I realise you are seeking a general solution. I believe that we need case specific information. This will enable us to evaluate any proposed general solutions, with the illumination of real facts.

Regards
Jeff
Re: On Mozilla-* updates
> Joey,
>
> Working from the following assumptions:
> * it is possible to include Mozilla in Debian stable,
> * extracting security patches from upstream is not practical,
> and ignoring the interesting, but extraneous threads,
>
> What exactly breaks if the update to v1.06 is applied, as upstream recommends?
>
> I realise you are seeking a general solution. I believe that we need case specific information. This will enable us to evaluate any proposed general solutions, with the illumination of real facts.

Actually, I see that I am echoing the unanswered question from Ben in his email of 1-Aug:

> What hard reasons are there that prevent you from shipping Firefox 1.0.6 and Mozilla 1.7.11 right now?

Once we know what breaks when this is attempted, we can look at working out a general solution.

Regards
Jeff
Re: On Mozilla-* updates
In gmane.linux.debian.devel.security, you wrote:
>> Mozilla *appears* to have no interest in supplying patches which *only* fix security holes to distributors. Their line is more upgrade to the newest version. Whilst the new versions do fix the holes, they traditionally also break things built against them, such as extensions, galeon, etc.
>
> I thought some member of the Debian security team has access to the hidden bug reports. Can't that member extract the relevant patches then?

If the isolated patches were pulled from Mozilla Bugzilla by Matt Zimmermann (who appears to be Debian's Mozilla security delegate) and published as part of a DSA this would point to the core of each vulnerability and make exploit creation easier than reconstructing this information from the large interdiffs between their stable releases. This tends towards security through obscurity, but seems to be Mozilla's policy for bugs with their internal Critical severity.

Cheers,
Moritz
Re: On Mozilla-* updates
In gmane.linux.debian.devel.security, you wrote:
> Looking at how 1.0.5 was binary-incompatible with 1.0.4 I can only assert that the community has failed already.

Although I'm not sure how an accidental API change can slip through any kind of Mozilla QA, it has at least been corrected in 1.0.6 and was not intentional.

> Whatever solution we choose, I believe it is very important for us to do it within Debian and not rely on backports or some other unofficial channels. As Debian developers, it is our duty to solve this problem, and simply kicking the packages out of Debian or ignoring them from the point of view of updates and security is really no solution at all.

Be prepared for reality, in half a year or in one year, there won't be 1.0.x Mozilla Firefox packages anymore that build on Debian stable. At least that's what I anticipate. Judging from their road map the stable series will move to 1.1, which will incorporate major new features like SVG support. And there seem to be changes in the freetype API that will pose further problems if they bump their API requirements for 1.1 (see #314243).

Cheers,
Moritz
Re: On Mozilla-* updates
[Thomas, I'm not sure if you are on the debian-security list, so I'm CCing you]

> Are you prepared to make sure all the packages that depend on mozilla will have packages ready to enter at once?

This would only be necessary in case of an API/ABI change, right? The mozilla people have shown to care about the API. See the warnings about the 1.0.5 release, the issues were soon after corrected by 1.0.6. And in the case of a new major upstream version, which should only be an issue 1 or 2 times during the Debian release cycle, I think it's doable.

To make that easier, I propose to set up security testing scripts, where we upload the new upstream versions (and related packages if necessary) as soon as they are available (so we can fix build issues, etc.), but wait with the release to the official security repository until they are necessary. That way, we minimize the needed time and work until security updates can be released, and the new major upstream versions can be tested by a wide audience.

Willi
Re: On Mozilla-* updates
On Tue, Aug 02, 2005 at 02:29:51PM +0200, Moritz Muehlenhoff wrote:
> If the isolated patches were pulled from Mozilla Bugzilla by Matt Zimmermann (who appears to be Debian's Mozilla security delegate) and published as part of a DSA this would point to the core of each vulnerability and make exploit creation easier than reconstructing this information from the large interdiffs between their stable releases. This tends towards security through obscurity, but seems to be Mozilla's policy for bugs with their internal Critical severity.

Getting access to the patches is not a significant obstacle; the issue is that they often don't apply to versions which are a few months old.

--
 - mdz
Re: On Mozilla-* updates
Noah Meyerhans [EMAIL PROTECTED] writes:
> On Mon, Aug 01, 2005 at 04:57:31PM -0700, Thomas Bushnell BSG wrote:
>> IMHO, sloppy security support (by uploading new upstream versions) is better than no security support.
>
> Are you prepared to make sure all the packages that depend on mozilla will have packages ready to enter at once?

Are you prepared to kick all packages that depend on mozilla out of Debian completely? How about actually maintaining them?

> That's the choice we've got. Moving them to backports.org or volatile, which are not carried by the mirror network, not included in the default apt sources.list, and not getting DSA announcements, IMHO, counts as kicking them out of Debian.

Oh, I see. I think the whole point of volatile is that it is *part* of Debian.
Re: On Mozilla-* updates
Willi Mann [EMAIL PROTECTED] writes:
> [Thomas, I'm not sure if you are on the debian-security list, so I'm CCing you]
>
>> Are you prepared to make sure all the packages that depend on mozilla will have packages ready to enter at once?
>
> This would only be necessary in case of an API/ABI change, right? The mozilla people have shown to care about the API. See the warnings about the 1.0.5 release, the issues were soon after corrected by 1.0.6.

Even when there is no ABI/API change, packages that depend on Mozilla generally depend on exact version numbers. I do not know on which side the bug lies, but if you are saying that a new galeon package is not necessary when a compatible mozilla shows up, my experience is that this is very often not true.
Re: On Mozilla-* updates
On Tue, Aug 02, 2005 at 10:09:13AM -0700, Thomas Bushnell BSG wrote:
>>> IMHO, sloppy security support (by uploading new upstream versions) is better than no security support.
>>
>> Are you prepared to make sure all the packages that depend on mozilla will have packages ready to enter at once?
>
> Are you prepared to kick all packages that depend on mozilla out of Debian completely? How about actually maintaining them?

That's exactly what I think we should do.

>> That's the choice we've got. Moving them to backports.org or volatile, which are not carried by the mirror network, not included in the default apt sources.list, and not getting DSA announcements, IMHO, counts as kicking them out of Debian.
>
> Oh, I see. I think the whole point of volatile is that it is *part* of Debian.

Except that it isn't, for all the reasons I described. Users will not see packages in volatile unless they go out of their way to reconfigure apt, they will not receive DSA announcements regarding new versions of packages there, and the archive is not carried by the standard Debian mirrors. Can a bug be closed by an upload to volatile?

noah
Re: On Mozilla-* updates
On Tue, Aug 02, 2005 at 08:15:22PM +0100, antgel wrote:
> Matt Zimmerman wrote:
>> the issue is that they often don't apply to versions which are a few months old.
>
> Not automatically, but perhaps if we had a dedicated team of a few people who can code, we could manually mould them to the version in stable?

Have you been following this discussion? That is exactly what we have been killing ourselves doing for the past few years. It is a _losing battle_.

--
 - mdz
Re: On Mozilla-* updates
[Noah Meyerhans]
>> How about actually maintaining them?
>
> That's exactly what I think we should do.

Is this "we" as in you, or "we" as in someone else?
Re: On Mozilla-* updates
On Tue, Aug 02, 2005 at 09:56:12PM +0200, Petter Reinholdtsen wrote:
> [Noah Meyerhans]
>>> How about actually maintaining them?
>>
>> That's exactly what I think we should do.
>
> Is this "we" as in you, or "we" as in someone else?

"We" as in all of us who have been suggesting that we allow e.g. firefox 1.0.6 into stable. "We" as in those of us who are frustrated and don't want to put any work into this based on Joey's clearly stated intent to disallow new upstream versions to be used for security updates or to be included with stable revisions, no matter what.

noah
Re: On Mozilla-* updates
On Tue, Aug 02, 2005 at 09:04:01PM +0100, antgel wrote:
> Matt Zimmerman wrote:
>> Have you been following this discussion? That is exactly what we have been killing ourselves doing for the past few years. It is a _losing battle_.
>
> I've been following a fair bit of the discussion, but it's hard to pull the facts out from the opinion.. I'm not belittling the Debian team efforts, and I'm sorry if I seemed like I was. If it is a losing battle, then it's one that we should try to equip ourselves[1] to win. If you are saying that we can't equip ourselves then fine, but it's a shame. We are on the same side here.
>
> Antony
>
> [1] This includes more manpower and liaising with Mozilla to see if they can help more than they are doing.

I'm guessing that you're not going to volunteer on the manpower side, and I don't think that it would be a good way to spend resources even if we had them. You're welcome to attempt to convince the Mozilla project to change the way that they work for the benefit of distribution security teams. If I recall correctly, others have unsuccessfully attempted this in the past, but since you are interested in this issue, perhaps you will try again and report back to us.

--
 - mdz
Re: On Mozilla-* updates
The solution to this problem is simple. We change the meaning of "stable" to "stable except for such cases as security demands upgrading versions rather than backporting patches". And then leave the old insecure version of the package in place as package.name.insecure.

We can dilly dally about it all we want but this is really the only viable solution. Leaving bad packages around is not an option. Taking away mozilla or other core parts of most users' computing experience is not really an option (unless we want to put ourselves even farther out on the fringe). So upgrading broken packages is our last option. It may be unpalatable to some, and perhaps more work, but according to this discussion it will still be less work than trying to backport the security patches alone.

We are making a mountain out of a mole hill. If help is needed to do this, email me off list and I will try and help. I have servers that can be used to build at least two of the architectures.

David.

--
David Ehle
Computing Systems Manager
CAPP CSRRI rm 077 LS Bld.
IIT Main Campus Chicago IL 60616
[EMAIL PROTECTED] 312-567-3751

He who fights with monsters must take care lest he thereby become a monster. And if you gaze for long into an abyss, the abyss gazes also into you.

On Tue, 2 Aug 2005, Matt Zimmerman wrote:
> On Tue, Aug 02, 2005 at 09:04:01PM +0100, antgel wrote:
>> Matt Zimmerman wrote:
>>> Have you been following this discussion? That is exactly what we have been killing ourselves doing for the past few years. It is a _losing battle_.
>>
>> I've been following a fair bit of the discussion, but it's hard to pull the facts out from the opinion.. I'm not belittling the Debian team efforts, and I'm sorry if I seemed like I was. If it is a losing battle, then it's one that we should try to equip ourselves[1] to win. If you are saying that we can't equip ourselves then fine, but it's a shame. We are on the same side here.
>>
>> Antony
>>
>> [1] This includes more manpower and liaising with Mozilla to see if they can help more than they are doing.
>
> I'm guessing that you're not going to volunteer on the manpower side, and I don't think that it would be a good way to spend resources even if we had them. You're welcome to attempt to convince the Mozilla project to change the way that they work for the benefit of distribution security teams. If I recall correctly, others have unsuccessfully attempted this in the past, but since you are interested in this issue, perhaps you will try again and report back to us.
>
> --
>  - mdz
Re: On Mozilla-* updates
On Tue, Aug 02, 2005 at 04:39:21PM -0500, David Ehle wrote:
> The solution to this problem is simple. We change the meaning of stable to stable except for such cases as security demands upgrading versions rather than backporting patches.
>
> We can dilly dally about it all we want but this is really the only viable solution. Leaving bad packages around is not an option. Taking mozilla or other core parts of most users computing experience is not really an option (unless we want to put ourselves even farther out on the fringe). So upgrading broken packages is our last option. It may be unpalatable to some, and perhaps more work, but according to this discussion it will still be less work then trying to backport the security patches alone.

Did you realize before this rant that this is already the policy, and has been documented in the Security Team FAQ for several years now?

> We are making a mountain out of a mole hill. If help is needed to do this, email me off list and I will try and help. I have servers that can be used to build at least two of the architectures.

We already have hardware to build packages; that's not a problem at this time.

--
 - mdz
Re: On Mozilla-* updates
Matt Zimmerman wrote:
> I'm guessing that you're not going to volunteer on the manpower side

Actually, he did, in the previous posting. Which is admirable, because this is a dauntingly huge task (and he seems semi-aware of it) - in the area of a few hours *per week*, on average. mozilla.org (and before it Netscape) has a full-time staff position just for security (he also does security features, though).

> You're welcome to attempt to convince the Mozilla project to change the way that they work for the benefit of distribution security teams.

I don't even know what exactly you do want the Mozilla project to change. You are officially part of the Mozilla security group since some time, so you are the right person to discuss a collaboration, and execute on it. Note that a discussion involves more than 1-2 emails with statements and requests.

BTW: Where are you located physically? Maybe you can meet with mozilla.orgians in person. I think you'll like Daniel Veditz in particular. And Mozilla Foundation needs more of the SPI spirit than the OSAF spirit anyways.

I hope you can understand, though, that the Mozilla project can't maintain whatever version you pick for Debian stable, for *3 years*. 1.7.x already lives since almost a year. But, as I said, that's not the problem right now.

At the moment, I am still waiting for an answer to the question at the end of my first posting, which Alex repeated: What's preventing you from shipping Moz 1.7.11 and FF 1.0.6 right now?
Re: On Mozilla-* updates
On Wed, Aug 03, 2005 at 12:08:10AM +0200, Ben Bucksch wrote:
> Matt Zimmerman wrote:
>> You're welcome to attempt to convince the Mozilla project to change the way that they work for the benefit of distribution security teams.
>
> I don't even know what exactly you do want the Mozilla project to change. You are officially part of the Mozilla security group since some time, so you are the right person to discuss a collaboration, and execute on it. Note that a discussion involves more than 1-2 emails with statements and requests.

To organize their development processes such that patches can be backported with a reasonable amount of effort. This is the case for most open source projects, even the kernel, to a much greater extent than Mozilla.

> BTW: Where are you located physically? Maybe you can meet with mozilla.orgians in person. I think you'll like Daniel Veditz in particular. And Mozilla Foundation needs more of the SPI spirit than the OSAF spirit anyways.

I'm in Los Angeles, California, US.

> I hope you can understand, though, that the Mozilla project can't maintain whatever version you pick for Debian stable, for *3 years*. 1.7.x already lives since almost a year. But, as I said, that's not the problem right now.

No one is asking Mozilla to do the job of distribution security, but the fact is that large segments of the user community want longer support cycles, and the developer community is trying to provide them.

> At the moment, I am still waiting for an answer to the question at the end of my first posting, which Alex repeated: What's preventing you from shipping Moz 1.7.11 and FF 1.0.6 right now?

Can Mozilla 1.7.11 even be *built* on woody, much less upgrade seamlessly from Mozilla 1.0.0?

--
 - mdz
Re: On Mozilla-* updates
Matt Zimmerman wrote:
> I'm guessing that you're not going to volunteer on the manpower side, and I don't think that it would be a good way to spend resources even if we had them. You're welcome to attempt to convince the Mozilla project to change the way that they work for the benefit of distribution security teams.

How should mozilla change the way they work?

> If I recall correctly, others have unsuccessfully attempted this in the past, but since you are interested in this issue, perhaps you will try again and report back to us.

Maybe you are right, but then, what has been tried so far? IMHO, it would be rather a bad strategy to try something the same way again and again. In consequence, without information on what has failed so far, chances to succeed become even more unlikely.

Thanks

--
GPG messages preferred.  | .''`.   ** Debian GNU/Linux **
Alexander Sack           | : :' :  The universal
[EMAIL PROTECTED]        | `. `'   Operating System
http://www.asoftsite.org | `-      http://www.debian.org/
Re: On Mozilla-* updates
Alexander Sack [EMAIL PROTECTED] writes:
> Matt Zimmerman wrote:
>> I'm guessing that you're not going to volunteer on the manpower side, and I don't think that it would be a good way to spend resources even if we had them. You're welcome to attempt to convince the Mozilla project to change the way that they work for the benefit of distribution security teams.
>
> How should mozilla change the way they work?

It would be very nice if Mozilla would publish to distributions like ours a description of the security problem, and then a separate patch for that specific problem.
Re: On Mozilla-* updates
John Hardcastle [EMAIL PROTECTED] writes:
> I agree with David's suggestion to just put the latest releases from Mozilla into Debian Stable.

This is what volatile is for. Indeed, it was the very first and best example of why we want volatile.
Re: On Mozilla-* updates
Matt Zimmerman wrote:
> On Wed, Aug 03, 2005 at 12:08:10AM +0200, Ben Bucksch wrote:
>> BTW: Where are you located physically? Maybe you can meet with mozilla.orgians in person. I think you'll like Daniel Veditz in particular. And Mozilla Foundation needs more of the SPI spirit than the OSAF spirit anyways.
>
> I'm in Los Angeles, California, US.

Well, you would need to go to Mountain View ;), there you can find the Mozilla Foundation.

Frank
Re: On Mozilla-* updates
On Wed, Aug 03, 2005 at 01:11:59AM +0200, Frank Wein wrote:
> Matt Zimmerman wrote:
>> On Wed, Aug 03, 2005 at 12:08:10AM +0200, Ben Bucksch wrote:
>>> BTW: Where are you located physically? Maybe you can meet with mozilla.orgians in person. I think you'll like Daniel Veditz in particular. And Mozilla Foundation needs more of the SPI spirit than the OSAF spirit anyways.
>>
>> I'm in Los Angeles, California, US.
>
> Well, you would need to go to Mountain View ;), there you can find the Mozilla Foundation.

If Debian would like to fly me to Mountain View for this purpose, I would be willing to go, but I am not in a position to make such a trip by my own means.

--
 - mdz
Re: On Mozilla-* updates
On Tue, Aug 02, 2005 at 03:25:23PM -0700, Matt Zimmerman wrote:
> Can Mozilla 1.7.11 even be *built* on woody, much less upgrade seamlessly from Mozilla 1.0.0?

For the purposes of this discussion I think we can ignore woody--that ship sailed a *long* time ago. I'd like to see us fix sarge before it sinks, too.

Mike Stone
Re: On Mozilla-* updates
Matt Zimmerman wrote:
> To organize their development processes such that patches can be backported with a reasonable amount of effort.

I wrote a response, but deleted it, because I simply don't understand what you mean. Please be concrete, very very concrete.

> I'm in Los Angeles, California, US.

If you happen to be in the SF Bay Area sometime, maybe schedule a meeting with Dan. I guess he'd welcome you.

> Can Mozilla 1.7.11 even be *built* on woody

huh? Try it? Or are you expecting me to? And I thought we were talking about sarge. All hope is lost for woody.

My question remains unanswered.
Re: On Mozilla-* updates
* Thomas Bushnell BSG [Tue, 02 Aug 2005 16:07:08 -0700]:
> It would be very nice if Mozilla would publish to distributions like ours a description of the security problem, and then a separate patch for that specific problem.

"Publish to distributions" is effectively the same as making it completely public, so they won't. See [1].

[1] http://lists.debian.org/debian-security/2005/08/msg00032.html

--
Adeodato Simó
EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621

A dream is an answer to a question that we don't know how to ask.
Re: On Mozilla-* updates
Thomas Bushnell BSG wrote:
> It would be very nice if Mozilla would publish to distributions like ours a description of the security problem, and then a separate patch for that specific problem.

1. You to be going to http://www.mozilla.org/projects/security/known-vulnerabilities.html
2. You to be following links to bugzilla entries
3. You to be downloading patch there or better yet search for CVS checkin, which has that bug number in commit log.

This is only possible after a release, like right now, i.e. when it's already too late. Distributions like yours, in your case Matt Zimmerman, have access to the resources before that, including bug report details under embargo. It does involve watching the list to see when releases are upcoming and why.
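The third step in the procedure above (find the CVS check-in whose log message carries the bug number, then pull it as a patch) is the part a distribution security team would script. The following is an added example, not code from the thread, from Debian or from mozilla.org: it parses the text that `cvs log` prints, keeps the revisions whose log message cites a given Bugzilla number, pairs each with the next-older revision so that the fix can be extracted as a unified diff, and emits the `cvs diff` commands to do so. `SAMPLE_LOG`, its file names, authors, revision numbers and bug numbers are constructed for the example and do not correspond to real Mozilla bugs or check-ins.

```python
"""Find the CVS check-in(s) whose log message cites a Bugzilla bug number.

Added example: parses `cvs log` output (file blocks separated by a line of
'=', revisions within a file by a line of '-'). SAMPLE_LOG is constructed
for the example; its bug numbers, files and check-ins are made up.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

FILE_SEP = re.compile(r"^=+[ \t]*$", re.M)      # line of '=' between files
REV_SEP = re.compile(r"^-{10,}[ \t]*$", re.M)   # line of '-' between revisions
DATE_LINE = re.compile(r"^date: ([^;]+);\s+author: ([^;]+);")
WORKING_FILE = re.compile(r"^Working file: (.+)$", re.M)


@dataclass
class Revision:
    working_file: str
    revision: str
    date: str
    author: str
    message: str
    previous: Optional[str]  # next-older revision in the listing; None for the oldest shown


def parse_cvs_log(text: str) -> List[Revision]:
    """Turn `cvs log` output into Revision records, newest first within each file."""
    revisions: List[Revision] = []
    for file_block in FILE_SEP.split(text):
        header, *entries = REV_SEP.split(file_block)
        name = WORKING_FILE.search(header)
        if not name:
            continue  # whitespace after the last separator, not a file block
        parsed = []
        for entry in entries:
            lines = entry.strip("\n").split("\n")
            if len(lines) < 2 or not lines[0].startswith("revision "):
                continue
            m = DATE_LINE.match(lines[1])
            if not m:
                continue
            body = lines[2:]
            if body and body[0].startswith("branches:"):  # optional line before the message
                body = body[1:]
            parsed.append((lines[0].split(None, 1)[1].strip(), m.group(1).strip(),
                           m.group(2).strip(), "\n".join(body).strip()))
        for i, (rev, date, author, msg) in enumerate(parsed):
            prev = parsed[i + 1][0] if i + 1 < len(parsed) else None
            revisions.append(Revision(name.group(1).strip(), rev, date, author, msg, prev))
    return revisions


def commits_for_bug(revisions: List[Revision], bug: int) -> List[Revision]:
    """Revisions whose log cites the bug as 'Bug 12345', 'bug #12345', 'bug=12345' or 'b=12345'.
    The trailing word boundary keeps bug 12345 from matching bug 123456."""
    pat = re.compile(rf"\b(?:bug\s*[#=]?\s*{bug}|b={bug})\b", re.I)
    return [r for r in revisions if pat.search(r.message)]


def diff_commands(hits: List[Revision]) -> List[str]:
    """The `cvs diff` calls that reproduce each hit as a unified patch against its predecessor."""
    return [f"cvs diff -u -r {r.previous} -r {r.revision} {r.working_file}"
            for r in hits if r.previous is not None]


SAMPLE_LOG = """\
RCS file: /cvsroot/mozilla/content/base/src/nsDocument.cpp,v
Working file: content/base/src/nsDocument.cpp
----------------------------
revision 1.200
date: 2005/07/20 18:02:11;  author: carol;  state: Exp;  lines: +3 -1
Bug 3012345: unrelated cleanup. r=dave
----------------------------
revision 1.199
date: 2005/07/12 10:31:04;  author: alice;  state: Exp;  lines: +5 -2
branches:  1.199.2;
Bug 301234, null-check the owner document before use. r=bob sr=carol a=asa
----------------------------
revision 1.198
date: 2005/06/30 09:00:00;  author: bob;  state: Exp;  lines: +1 -1
Bumping version for 1.0.4
=============================================================================
RCS file: /cvsroot/mozilla/dom/src/base/nsGlobalWindow.cpp,v
Working file: dom/src/base/nsGlobalWindow.cpp
----------------------------
revision 1.52
date: 2005/07/12 10:31:05;  author: alice;  state: Exp;  lines: +10 -4
Second part of b=301234, same fix on the window object. r=bob
----------------------------
revision 1.51
date: 2005/05/01 12:00:00;  author: bob;  state: Exp;  lines: +2 -2
Bug 123456: whitespace only
=============================================================================
"""

if __name__ == "__main__":
    hits = commits_for_bug(parse_cvs_log(SAMPLE_LOG), 301234)
    for r in hits:
        print(f"{r.working_file}: {r.previous} -> {r.revision} ({r.author}, {r.date}): {r.message}")
    print("\n".join(diff_commands(hits)))
```

Two points worth noting when using something like this for real: a fix that touches several files shows up as one check-in per file with nearly identical timestamps, so all of them must be collected before the patch is complete (the sample has two), and the "previous" revision is the next-older one that `cvs log` listed, which is only the true predecessor when the log was not filtered by date or tag. This also only helps after the bug has been opened up; for embargoed bugs the same search has to be run against the access Ben describes.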
Re: On Mozilla-* updates
Thomas Bushnell BSG wrote:

Alexander Sack [EMAIL PROTECTED] writes:

Matt Zimmerman wrote:

I'm guessing that you're not going to volunteer on the manpower side, and I don't think that it would be a good way to spend resources even if we had them. You're welcome to attempt to convince the Mozilla project to change the way that they work for the benefit of distribution security teams.

How should mozilla change the way they work?

It would be very nice if Mozilla would publish to distributions like ours a description of the security problem, and then a separate patch for that specific problem.

Yes, but let's not discuss what would be nice, but what would be sufficient in order to allow fixes for ffox/tbird and friends to go in. Would it be sufficient to have a distinct patchset for each mfsa prepared? Or do we need more? Do we need more detailed or other descriptions of the problems than published by mozilla [1]?

[1] - http://www.mozilla.org/projects/security/known-vulnerabilities.html

-- 
GPG messages preferred. | .''`.  ** Debian GNU/Linux **
Alexander Sack          | : :' :  The universal
[EMAIL PROTECTED]       | `. `'   Operating System
http://www.asoftsite.org| `-     http://www.debian.org/
Re: On Mozilla-* updates
Adeodato Simó wrote:

Publish to distributions is effectively the same as making it completely public, so they won't.

Wrong.

http://www.mozilla.org/projects/security/security-bugs-policy.html
Re: On Mozilla-* updates
Did you realize before this rant that this is already the policy, and has been documented in the Security Team FAQ for several years now?

This is not a rant, it's cutting through the horse crap. If what I am suggesting is already policy then why are we having this discussion? Why was there ever an insecure version of Mozilla in Woody? Why in Sarge?

If the stable version is broken and it's impractical to fix it - what you have said multiple times now - then put in the new one. Warn managers of dependent packages and give them a short but realistic release date. Leave the old package around so their packages don't instantly break if they miss the deadline or someone values their status quo more than a secure system. I don't really even think maintaining the old version is necessary, that's what pinning/holds are for. This is already what happens for kernels.

We already have hardware to build packages; that's not a problem at this time.

Fine, then mail me with what else I can do. If we go about it in a sensible method I'm more than willing to help. What I don't want to see is this discussion drag on eternally in woe-is-me-they-won't-play-like-I-like-I-hate-change fashion, and the situation either not be resolved or we do something stupid like drop mozilla.

Just for the record I also vote against volatile. Security changes should go into stable proper.

david.
Re: On Mozilla-* updates
On Tue, Aug 02, 2005 at 07:28:00PM -0500, David Ehle wrote:

This is not a rant, it's cutting through the horse crap. If what I am suggesting is already policy then why are we having this discussion? Why was there ever an insecure version of Mozilla in Woody?

Nobody took the initiative to create an updated mozilla package for woody, including fixing any dependency issues.

Mike Stone