Re: mozilla - the forgotten package?

2004-03-11 Thread Jan Lühr

Greetings,

On Wednesday, 10 March 2004 22:39, Florian Weimer wrote:
 Sven Hoexter wrote:
   Okay, if that's the case, I'm going to start a campaign for including
   Mozilla 1.4 (plus fixes) in stable.
 
  Well why just include 1.4 and not 1.6?

 AFAIK, 1.4 is the more stable branch, and fixes are still backported to
 it (at least by MandrakeSoft 8-).

Is that your campaign? 
http://cert.uni-stuttgart.de/ticker/article.php?mid=1183

Imho security fixes for mozilla are very important. Some exploits currently
existing in mozilla justify some rc bugs for mozilla.

Imho the consequences of being unable to provide sec. updates for popular
end-user client software are obvious: Kick the package out of stable, testing
and unstable!
Being in stable implies security, which is NOT provided.

Just my 2 cents.

Keep smiling
yanosz


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: mozilla - the forgotten package?

2004-03-11 Thread Florian Weimer
Norbert Tretkowski wrote:

 * Sven Hoexter wrote:
  On Wed, Mar 10, 2004 at 08:48:02PM +0100, Florian Weimer wrote:
 [...]
   Okay, if that's the case, I'm going to start a campaign for
   including Mozilla 1.4 (plus fixes) in stable.
  
  Well why just include 1.4 and not 1.6? I know that the backports.org
  mozilla packages are working at least on i386.
 
 They aren't working on alpha. 

This doesn't justify leaving i386 users at risk, IMHO.

-- 
Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: atlas.cz, bigpond.com, freenet.de, hotmail.com,
libero.it, netscape.net, postino.it, tiscali.co.uk, tiscali.cz,
tiscali.it, voila.fr, wanadoo.fr, yahoo.com.





Re: mozilla - the forgotten package?

2004-03-11 Thread Florian Weimer
Jan Lühr wrote:

  AFAIK, 1.4 is the more stable branch, and fixes are still backported to
  it (at least by MandrakeSoft 8-).
 
 Is that your campaign? 
 http://cert.uni-stuttgart.de/ticker/article.php?mid=1183

Well, sort of, but it's a bit out of control now.

There's no obvious solution.  If Debian sticks to 1.0 on principle,
there's nothing we can do.  It's unlikely we'll find a volunteer who
backports all those fixes to 1.0.  I haven't found any commercial
distributor who still supports 1.0, either.

If we integrate 1.4 (that is, 1.4.2) into stable, we can take security
fixes from upstream and/or other distributors. It might still be a lot
of work (I'm going to try it next weekend or so), but it looks like a
more manageable task.




Re: mozilla - the forgotten package?

2004-03-11 Thread Matt Zimmerman
On Thu, Mar 11, 2004 at 04:32:30PM +0100, Florian Weimer wrote:

 There's no obvious solution.  If Debian sticks to 1.0 on principle,
 there's nothing we can do.  It's unlikely we'll find a volunteer who
 backports all those fixes to 1.0.  I haven't found any commercial
 distributor who still supports 1.0, either.
 
 If we integrate 1.4 (that is, 1.4.2) into stable, we can take security
 fixes from upstream and/or other distributors. It might still be a lot
 of work (I'm going to try it next weekend or so), but it looks like a
 more manageable task.

This introduces a whole new set of problems, given Mozilla's upgrade history
(not preserving user configuration data, breaking compatibility with
dependent applications, etc.)

-- 
 - mdz





Re: mozilla - the forgotten package?

2004-03-11 Thread Phillip Hofmeister
On Thu, 11 Mar 2004 at 12:24:15PM -0500, Matt Zimmerman wrote:
 This introduces a whole new set of problems, given Mozilla's upgrade history
 (not preserving user configuration data, breaking compatibility with
 dependent applications, etc.)

We could offer a second Mozilla package, leaving the current one in place
for compatibility's sake.

-- 
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import





Re: mozilla - the forgotten package?

2004-03-11 Thread Jan Lühr
Greetings,

On Thursday, 11 March 2004 19:22, Phillip Hofmeister wrote:
 On Thu, 11 Mar 2004 at 12:24:15PM -0500, Matt Zimmerman wrote:
  This introduces a whole new set of problems, given Mozilla's upgrade
  history (not preserving user configuration data, breaking compatibility
  with dependent applications, etc.)

 We could offer a second Mozilla package, leaving the current one in place
 for compatibility's sake.

Good idea. Who is in charge of this decision?

Keep smiling
yanosz





Re: mozilla - the forgotten package?

2004-03-11 Thread Michael Stone
On Thu, Mar 11, 2004 at 01:22:17PM -0500, Phillip Hofmeister wrote:
 We could offer a second Mozilla package, leaving the current one in place
 for compatibility's sake.
I'd rather see just one package. A new package doesn't do anything to
fix the existing security problems. I don't care at all which version we
use, but so far I haven't seen a lot of effort for either backporting
patches or building a newer mozilla for all woody archs.
Mike Stone




Re: mozilla - the forgotten package?

2004-03-10 Thread Richard Atterer
On Tue, Mar 09, 2004 at 11:59:01AM -0800, Matt Zimmerman wrote:
 Anyone with the time and ability can work on a project like this without
 joining the security team.  Mozilla in particular is a huge amount of
 work to bring up to date and so far no one has found it critical enough
 relative to the effort required.

Is there a list of such unresolved security problems which is accessible by
people not in the security team? There was talk once about providing such a
list, but AFAICT nothing happened - hmm, or is it the list of
security-tagged bugs?

Cheers,

  Richard

-- 
  __   _
  |_) /|  Richard Atterer |  GnuPG key:
  | \/¯|  http://atterer.net  |  0x888354F7
  ¯ '` ¯





Re: mozilla - the forgotten package?

2004-03-10 Thread Florian Weimer
Jan Lühr wrote:

 So is mozilla the forgotten package? Considering how popular mozilla is, 
 making it secure would be worth the effort - imho.

How many of Mozilla's security bugs which are fixed during routine
upgrades are discussed publicly?  Can they be backported easily?




Re: mozilla - the forgotten package?

2004-03-10 Thread Jan Lühr
Greetings,


On Wednesday, 10 March 2004 17:06, you wrote:
 Jan Lühr wrote:
  So is mozilla the forgotten package? Considering how popular mozilla is,
  making it secure would be worth the effort - imho.

 How many of Mozilla's security bugs which are fixed during routine
 upgrades are discussed publicly?  Can they be backported easily?

I'm not in touch with the mozilla code. Thus I cannot say how easy it is to 
backport 'em.

Keep smiling
yanosz





Re: mozilla - the forgotten package?

2004-03-10 Thread Matt Zimmerman
On Wed, Mar 10, 2004 at 05:06:12PM +0100, Florian Weimer wrote:

 Jan Lühr wrote:
 
  So is mozilla the forgotten package? Considering how popular mozilla is, 
  making it secure would be worth the effort - imho.
 
 How many of Mozilla's security bugs which are fixed during routine
 upgrades are discussed publicly?  Can they be backported easily?

A number of the bug reports and patches (in Bugzilla) are still not publicly
accessible, even though the bugs have been known and released for quite some
time.  Some are straightforward to backport; others involve a lengthy search
just to determine if the same problem exists in an older version.

-- 
 - mdz





Re: mozilla - the forgotten package?

2004-03-10 Thread Florian Weimer
Jan Lühr wrote:

 On Wednesday, 10 March 2004 17:06, you wrote:
  Jan Lühr wrote:
   So is mozilla the forgotten package? Considering how popular mozilla is,
   making it secure would be worth the effort - imho.
 
  How many of Mozilla's security bugs which are fixed during routine
  upgrades are discussed publicly?  Can they be backported easily?
 
 I'm not in touch with the mozilla code. Thus I cannot say how easy it is to 
 backport 'em.

Some of the known bugs are described at the following page:

http://www.mozilla.org/projects/security/known-vulnerabilities.html

Mandrake has recently released an advisory, maybe their patches could be
used for the 1.0 backports.

Hmm, has there been any Mozilla security update for woody?  This looks
like a *lot* of work.  Maybe it's better to take some other
distribution's Mozilla 1.4 package and ship that. 8-




Re: mozilla - the forgotten package?

2004-03-10 Thread Noah Meyerhans
On Wed, Mar 10, 2004 at 07:44:11PM +0100, Florian Weimer wrote:
 Hmm, has there been any Mozilla security update for woody?  This looks
 like a *lot* of work.  Maybe it's better to take some other
 distribution's Mozilla 1.4 package and ship that. 8-

That's highly unlikely to happen.  It's been discussed before.  In fact,
at one point somebody uploaded mozilla 1.0.2 to stable-proposed-updates,
but that was rejected.  Apparently, although the mozilla developers
claimed they wouldn't do it, 1.0.2 broke compatibility with derivative
browsers like Galeon.  I don't recall the details.

When I was working on trying to construct a security upload for mozilla
a while back, I was basing a lot of my work on mozilla 1.0.1 (1.0.2
wasn't out yet).  By examining the list of bugs fixed in 1.0.1, I had a
good place to start to try and track down some patches.  Unfortunately,
the changes were rather large and in many cases were not entirely
self-contained and would have wound up pulling even more new code in.

It was, generally, a fairly painful experience, and although I did get
some patches applied (and tested!) I never felt like I made significant
progress toward fixing all the known bugs.  I haven't looked at the code
in quite some time.  Honestly, at this point, who uses Mozilla 1.0?
Why?

noah





Re: mozilla - the forgotten package?

2004-03-10 Thread Florian Weimer
Noah Meyerhans wrote:

 On Wed, Mar 10, 2004 at 07:44:11PM +0100, Florian Weimer wrote:
  Hmm, has there been any Mozilla security update for woody?  This looks
  like a *lot* of work.  Maybe it's better to take some other
  distribution's Mozilla 1.4 package and ship that. 8-
 
 That's highly unlikely to happen.  It's been discussed before.  In fact,
 at one point somebody uploaded mozilla 1.0.2 to stable-proposed-updates,
 but that was rejected.  Apparently, although the mozilla developers
 claimed they wouldn't do it, 1.0.2 broke compatibility with derivative
 browsers like Galeon.  I don't recall the details.

Okay, if that's the case, I'm going to start a campaign for including
Mozilla 1.4 (plus fixes) in stable.




Re: mozilla - the forgotten package?

2004-03-10 Thread Steve Kemp
On Wed, Mar 10, 2004 at 02:34:44PM -0500, Noah Meyerhans wrote:

 It was, generally, a fairly painful experience, and although I did get
 some patches applied (and tested!) I never felt like I made significant
 progress toward fixing all the known bugs.  

  This was my feeling as well, applying some of the trivial patches
 to fix known bugs and holes was worthwhile in itself, but it seems
 rather half-hearted to release a security update which essentially
 says:

This update fixes XX bugs, but YY security related bugs still
exist.

 I haven't looked at the code in quite some time.

  Me neither right now, although one of the hardest parts about getting
 started was figuring out the build/package system - that was useful.

 Honestly, at this point, who uses Mozilla 1.0?
 Why?

  Everybody using Debian Stable?  Although I'm not too sure of the
 number of people that would be.   I know that all my servers are
 stable machines, but they don't have much in the way of X11 libraries
 installed upon them, let alone Mozilla.

Steve
--
# Debian Security Audit Project
http://www.shellcode.org/Audit/





Re: mozilla - the forgotten package?

2004-03-10 Thread Sven Hoexter
On Wed, Mar 10, 2004 at 08:48:02PM +0100, Florian Weimer wrote:
 Noah Meyerhans wrote:

Hi,

  That's highly unlikely to happen.  It's been discussed before.  In fact,
  at one point somebody uploaded mozilla 1.0.2 to stable-proposed-updates,
  but that was rejected.  Apparently, although the mozilla developers
  claimed they wouldn't do it, 1.0.2 broke compatibility with derivative
  browsers like Galeon.  I don't recall the details.
 
 Okay, if that's the case, I'm going to start a campaign for including
 Mozilla 1.4 (plus fixes) in stable.
Well why just include 1.4 and not 1.6? I know that the backports.org mozilla
packages are working at least on i386. (ok, besides the fact that you're breaking
third-party apps).  Haven't checked what's in proposed-updates so far.

Sven
-- 
If God passed a mic to me to speak
I'd say stay in bed, world
Sleep in peace
   [The Cardigans - No sleep]





Re: mozilla - the forgotten package?

2004-03-10 Thread Florian Weimer
Sven Hoexter wrote:

  Okay, if that's the case, I'm going to start a campaign for including
  Mozilla 1.4 (plus fixes) in stable.

 Well why just include 1.4 and not 1.6?

AFAIK, 1.4 is the more stable branch, and fixes are still backported to
it (at least by MandrakeSoft 8-).




Re: mozilla - the forgotten package?

2004-03-10 Thread Norbert Tretkowski
* Sven Hoexter wrote:
 On Wed, Mar 10, 2004 at 08:48:02PM +0100, Florian Weimer wrote:
[...]
  Okay, if that's the case, I'm going to start a campaign for
  including Mozilla 1.4 (plus fixes) in stable.
 
 Well why just include 1.4 and not 1.6? I know that the backports.org
 mozilla packages are working at least on i386.

They aren't working on alpha. 

Norbert






Re: mozilla - the forgotten package?

2004-03-09 Thread Steve Kemp
On Tue, Mar 09, 2004 at 05:15:42PM +0100, Jan Lühr wrote:

 over the last months, various security related bugs in mozilla appeared and 
 were fixed in new versions of mozilla - but what about the debian package? 
 Are there any efforts for making mozilla secure or to backport the mozilla 
 patches to debian?

 Due to dependency with galeon new mozilla versions cannot be integrated easily, 
 but right now, the debian mozilla contains some serious security related 
 bugs.

 So is mozilla the forgotten package? Considering how popular mozilla is, 
 making it secure would be worth the effort - imho.

  I think it's a case of time and energy.  I started updating the
 current woody packages to handle some of the reports, after mdz 
 pointed me to a list.

  However it was very time-consuming and very shortly after I started I
 stopped having to support graphical stable boxes; so it became a non
 issue for me.

  There are patches around for some (most?) of the holes, it just takes 
 somebody with the patience to apply them and build fixed versions to
 share - then I'm sure we'd see a new stable release.

Steve
--
# Debian Security Audit Project
http://www.shellcode.org/Audit/





Re: mozilla - the forgotten package?

2004-03-09 Thread Jan Lühr
Greetings,

On Tuesday, 9 March 2004 17:20, Steve Kemp wrote:
 On Tue, Mar 09, 2004 at 05:15:42PM +0100, Jan Lühr wrote:
  over the last months, various security related bugs in mozilla appeared
  and were fixed in new versions of mozilla - but what about the debian
  package? Are there any efforts for making mozilla secure or to backport
  the mozilla patches to debian?
 
  Due to dependency with galeon new mozilla versions cannot be integrated
  easily, but right now, the debian mozilla contains some serious security
  related bugs.
 
  So is mozilla the forgotten package? Considering how popular mozilla is,
  making it secure would be worth the effort - imho.

   I think it's a case of time and energy.  I started updating the
  current woody packages to handle some of the reports, after mdz
  pointed me to a list.

   However it was very time-consuming and very shortly after I started I
  stopped having to support graphical stable boxes; so it became a non
  issue for me.

   There are patches around for some (most?) of the holes, it just takes
  somebody with the patience to apply them and build fixed versions to
  share - then I'm sure we'd see a new stable release.

So this is all in all a capacity problem? Doesn't the debian security 
team have enough resources to port existing patches to debian packages?
Why not enlarge the team?

Keep smiling
yanosz


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: mozilla - the forgotten package?

2004-03-09 Thread Noah Meyerhans
On Tue, Mar 09, 2004 at 08:53:23PM +0100, Jan Lühr wrote:
 So this is all in all a capacity problem? Doesn't the debian security 
 team have enough resources to port existing patches to debian packages?
 Why not enlarge the team?

You do not need to be a member of the security team to submit patches.
Why don't you send some, and we'll release updated packages.

noah






Re: mozilla - the forgotten package?

2004-03-09 Thread Matt Zimmerman
On Tue, Mar 09, 2004 at 08:53:23PM +0100, Jan Lühr wrote:

 So this is all in all a capacity problem? Doesn't the debian security 
 team have enough resources to port existing patches to debian packages?
 Why not enlarge the team?

Anyone with the time and ability can work on a project like this without
joining the security team.  Mozilla in particular is a huge amount of work
to bring up to date and so far no one has found it critical enough relative
to the effort required.

-- 
 - mdz





Re: mozilla - the forgotten package?

2004-03-09 Thread Jan Lühr
Greetings,

On Tuesday, 9 March 2004 20:54, Noah Meyerhans wrote:
 On Tue, Mar 09, 2004 at 08:53:23PM +0100, Jan Lühr wrote:
  So this is all in all a capacity problem? Doesn't the debian
  security team have enough resources to port existing patches to debian
  packages? Why not enlarge the team?

 You do not need to be a member of the security team to submit patches.
 Why don't you send some, and we'll release updated packages.

sorry, I'm not a good c++ coder. I'll think about it, when I'm able to do so.

Keep smiling
yanosz

