I'm sure when I read through this thread the first time, I saw an
argument "Get the mozilla people onto our wavelength", but I can't find
it now.
On Sun, Jul 31, 2005 at 10:01:15PM +0200, Martin Pitt wrote:
> It was not an easy decision since usually we follow the same strict
> "minimal patches" b
On Sun, Jul 31, 2005 at 11:10:04PM +0400, Nikita V. Youshchenko wrote:
> Hello.
>
> As is currently being discussed on debian-security [1], the security team
> has a hard time supporting the mozilla family of packages because of
> unfriendly upstream policy - they don't want to isolate security fixes
In article <[EMAIL PROTECTED]> you wrote:
> I am a Debian developer. I am not interested in solutions which are
> developed outside of Debian.
Correct: We still have no solution in Debian, not even a DSA warning the
user.
Gruss
Bernd
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject
On Aug 05, Marc Haber <[EMAIL PROTECTED]> wrote:
> It will keep them from using a vulnerable version of the software, and
> will probably encourage them to get a fixed version from outside
> Debian proper (e.g. volatile).
I am a Debian developer. I am not interested in solutions which are
develope
On Fri, Aug 05, 2005 at 08:22:43AM +0200, Marc Haber wrote:
> On Mon, 1 Aug 2005 11:37:11 +0200, [EMAIL PROTECTED] (Marco d'Itri) wrote:
> >On Aug 01, "W. Borgert" <[EMAIL PROTECTED]> wrote:
> >> On Sun, Jul 31, 2005 at 10:07:10PM +, Roland Rosenfeld wrote:
> >> > But how do you push the users
On Mon, 1 Aug 2005 11:37:11 +0200, [EMAIL PROTECTED] (Marco d'Itri) wrote:
>On Aug 01, "W. Borgert" <[EMAIL PROTECTED]> wrote:
>> On Sun, Jul 31, 2005 at 10:07:10PM +, Roland Rosenfeld wrote:
>> > But how do you push the users to remove the package from their
>> > systems? In reality they will
On Mon, Aug 01, 2005 at 06:06:27AM -0400, Yaroslav Halchenko wrote:
> On Sun, Jul 31, 2005 at 11:10:04PM +0400, Nikita V. Youshchenko wrote:
> > (1) keep vulnerable packages in stable,
> > (2) remove affected packages from distribution,
> > (3) allow new upstream into stable.
> My 1 cent would be a
On Sun, Jul 31, 2005 at 11:10:04PM +0400, Nikita V. Youshchenko wrote:
> (1) keep vulnerable packages in stable,
> (2) remove affected packages from distribution,
> (3) allow new upstream into stable.
My 1 cent would be a merge of (2) and (3)... it is more of the
formalization so we wouldn't need
On Aug 01, "W. Borgert" <[EMAIL PROTECTED]> wrote:
> On Sun, Jul 31, 2005 at 10:07:10PM +, Roland Rosenfeld wrote:
> > But how do you push the users to remove the package from their
> > systems? In reality they will keep the broken version installed and
> > so you have (1) again :-(
> Empty p
Hi!
Nikita V. Youshchenko [2005-08-01 10:34 +0400]:
> Since such cases should be very rare, they may be handled manually (so
> infrastructure changes are not needed). For the same reason, I don't think
> that stability risks are high.
Agreed. The whole point of backporting patches is to minimiz
On Sun, Jul 31, 2005 at 10:07:10PM +, Roland Rosenfeld wrote:
> But how do you push the users to remove the package from their
> systems? In reality they will keep the broken version installed and
> so you have (1) again :-(
Empty package with a higher version number?
Cheers, WB
> On Sun, 2005-07-31 at 23:10 +0400, Nikita V. Youshchenko wrote:
> > (3) allow new upstream into stable.
>
> But, how would be the proposed process for this software?
>
> I mean, should they also have some kind of grace period after uploading
> to unstable? Would it enter stable after unstable? O
On Sun, 2005-07-31 at 23:10 +0400, Nikita V. Youshchenko wrote:
> (3) allow new upstream into stable.
But, how would be the proposed process for this software?
I mean, should they also have some kind of grace period after uploading
to unstable? Would it enter stable after unstable? Or after testi
W. Borgert <[EMAIL PROTECTED]> wrote:
>> (1) keep vulnerable packages in stable,
>> (2) remove affected packages from distribution,
>> (3) allow new upstream into stable.
> I'd "vote" for (2), maybe with the goal of creating pressure
> towards upstream to take security more seriously.
But how do
Hi,
* W. Borgert <[EMAIL PROTECTED]> [2005-07-31 23:24]:
> On Sun, Jul 31, 2005 at 11:10:04PM +0400, Nikita V. Youshchenko wrote:
> > (1) keep vulnerable packages in stable,
> > (2) remove affected packages from distribution,
> > (3) allow new upstream into stable.
> ...
> > What do you think on th
On Sun, Jul 31, 2005 at 11:10:04PM +0400, Nikita V. Youshchenko wrote:
> (1) keep vulnerable packages in stable,
> (2) remove affected packages from distribution,
> (3) allow new upstream into stable.
...
> What do you think on this?
I'd "vote" for (2), maybe with the goal of creating pressure
to
Hi!
Nikita V. Youshchenko [2005-07-31 23:10 +0400]:
> So options seem to be:
>
> (1) keep vulnerable packages in stable,
> (2) remove affected packages from distribution,
> (3) allow new upstream into stable.
We recently had the same problem in Ubuntu. Adam Conrad and me both
spend literally wee
"Nikita V. Youshchenko" <[EMAIL PROTECTED]> writes:
> Maybe in rare cases like this one, when there seems to be no other way to
> keep an important package set secure, we should allow new upstream into
> Debian Stable?
In these rare cases I agree, otherwise the users will continue to use
vulnerable
Hello.
As is currently being discussed on debian-security [1], the security team
has a hard time supporting the mozilla family of packages because of
unfriendly upstream policy - they don't want to isolate security fixes
from the large changesets of new upstream releases. And given the huge size
of t