Re: On Mozilla-* updates

2005-08-02 Thread Michael Stone
On Tue, Aug 02, 2005 at 07:28:00PM -0500, David Ehle wrote: This is not a rant, it's cutting through the horse crap. If what I am suggesting is already policy then why are we having this discussion? Why was there ever an insecure version of Mozilla in Woody? Nobody took the initiative to creat

Re: On Mozilla-* updates

2005-08-02 Thread David Ehle
> > Did you realize before this rant that this is already the policy, and has > been documented in the Security Team FAQ for several years now? This is not a rant, it's cutting through the horse crap. If what I am suggesting is already policy then why are we having this discussion? Why was there

Re: On Mozilla-* updates

2005-08-02 Thread Ben Bucksch
Adeodato Simó wrote: "Publish to distributions" is effectively the same as making it completely public, so they won't. Wrong.

Re: On Mozilla-* updates

2005-08-02 Thread Alexander Sack
Thomas Bushnell BSG wrote: > Alexander Sack <[EMAIL PROTECTED]> writes: > > >>Matt Zimmerman wrote: >> >>>I'm guessing that you're not going to volunteer on the manpower side, and I >>>don't think that it would be a good way to spend resources even if we had >>>them. You're welcome to attempt to

Re: On Mozilla-* updates

2005-08-02 Thread Ben Bucksch
Thomas Bushnell BSG wrote: It would be very nice if Mozilla would publish to distributions like ours a description of the security problem, and then a separate patch for that specific problem. 1. You to be going to

Re: On Mozilla-* updates

2005-08-02 Thread Adeodato Simó
* Thomas Bushnell BSG [Tue, 02 Aug 2005 16:07:08 -0700]: > It would be very nice if Mozilla would publish to distributions like > ours a description of the security problem, and then a separate patch > for that specific problem. "Publish to distributions" is effectively the same as making it

Re: On Mozilla-* updates

2005-08-02 Thread Ben Bucksch
Matt Zimmerman wrote: To organize their development processes such that patches can be backported with a reasonable amount of effort. I wrote a response, but deleted it, because I simply don't understand what you mean. Please be concrete, very very concrete. I'm in Los Angeles, California,

Re: On Mozilla-* updates

2005-08-02 Thread Michael Stone
On Tue, Aug 02, 2005 at 03:25:23PM -0700, Matt Zimmerman wrote: Can Mozilla 1.7.11 even be *built* on woody, much less upgrade seamlessly from Mozilla 1.0.0? For the purposes of this discussion I think we can ignore woody--that ship sailed a *long* time ago. I'd like to see us fix sarge before

Re: On Mozilla-* updates

2005-08-02 Thread Matt Zimmerman
On Wed, Aug 03, 2005 at 01:11:59AM +0200, Frank Wein wrote: > Matt Zimmerman wrote: > >On Wed, Aug 03, 2005 at 12:08:10AM +0200, Ben Bucksch wrote: > >>BTW: Where are you located physically? Maybe you can meet with > >>mozilla.orgians in person. I think you'll like Daniel Veditz in > >>particular

Re: On Mozilla-* updates

2005-08-02 Thread Frank Wein
Matt Zimmerman wrote: On Wed, Aug 03, 2005 at 12:08:10AM +0200, Ben Bucksch wrote: BTW: Where are you located physically? Maybe you can meet with mozilla.orgians in person. I think you'll like Daniel Veditz in particular. And Mozilla Foundation needs more of the SPI spirit than the OSAF spirit

Re: On Mozilla-* updates

2005-08-02 Thread Thomas Bushnell BSG
John Hardcastle <[EMAIL PROTECTED]> writes: > I agree with David's suggestion to just put the latest releases from > Mozilla into Debian Stable. This is what volatile is for. Indeed, it was the very first and best example of why we want volatile.

Re: On Mozilla-* updates

2005-08-02 Thread Thomas Bushnell BSG
Alexander Sack <[EMAIL PROTECTED]> writes: > Matt Zimmerman wrote: >> >> I'm guessing that you're not going to volunteer on the manpower side, and I >> don't think that it would be a good way to spend resources even if we had >> them. You're welcome to attempt to convince the Mozilla project to

Re: On Mozilla-* updates

2005-08-02 Thread John Hardcastle
I agree with David's suggestion to just put the latest releases from Mozilla into Debian Stable. I installed Mozilla 1.7.11 yesterday and it is working fine. Mozilla IS my main app. I'm using Debian/GNU Linux from Knoppix 3.7 that I remastered and upgraded to Debian Stable. I'm running with ker

Re: On Mozilla-* updates

2005-08-02 Thread Alexander Sack
Matt Zimmerman wrote: > > I'm guessing that you're not going to volunteer on the manpower side, and I > don't think that it would be a good way to spend resources even if we had > them. You're welcome to attempt to convince the Mozilla project to change > the way that they work for the benefit of

Re: On Mozilla-* updates

2005-08-02 Thread Matt Zimmerman
On Wed, Aug 03, 2005 at 12:08:10AM +0200, Ben Bucksch wrote: > Matt Zimmerman wrote: > >You're welcome to attempt to convince the Mozilla project to change > >the way that they work for the benefit of distribution security teams. > > > I don't even know what exactly you do want the Mozilla project

Re: On Mozilla-* updates

2005-08-02 Thread Ben Bucksch
Matt Zimmerman wrote: I'm guessing that you're not going to volunteer on the manpower side Actually, he did, in the previous posting. Which is admirable, because this is a dauntingly huge task (and he seems semi-aware of it) - in the area of a few hours *per week*, on average. mozilla.org (an

Re: On Mozilla-* updates

2005-08-02 Thread Matt Zimmerman
On Tue, Aug 02, 2005 at 04:39:21PM -0500, David Ehle wrote: > The solution to this problem is simple. We change the meaning of stable > to "stable except for such cases as security demands upgrading versions > rather than backporting patches." > > We can dilly dally about it all we want but this i

Re: On Mozilla-* updates

2005-08-02 Thread David Ehle
The solution to this problem is simple. We change the meaning of stable to "stable except for such cases as security demands upgrading versions rather than backporting patches." And then leave the old insecure version of the package in place as . We can dilly dally about it all we want but this

Re: On Mozilla-* updates

2005-08-02 Thread Matt Zimmerman
On Tue, Aug 02, 2005 at 09:04:01PM +0100, antgel wrote: > Matt Zimmerman wrote: > > Have you been following this discussion? That is exactly what we have been > > killing ourselves doing for the past few years. It is a _losing battle_. > > I've been following a fair bit of the discussion, but i

Re: On Mozilla-* updates

2005-08-02 Thread Noah Meyerhans
On Tue, Aug 02, 2005 at 09:56:12PM +0200, Petter Reinholdtsen wrote: > > [Noah Meyerhans] > >> How about actually maintaining them? > > > > That's exactly what I think we should do. > > Is this "we" as in you, or "we" as in someone else? "We" as in "all of us who have been suggesting that we all

Re: On Mozilla-* updates

2005-08-02 Thread Petter Reinholdtsen
[Noah Meyerhans] >> How about actually maintaining them? > > That's exactly what I think we should do. Is this "we" as in you, or "we" as in someone else?

Re: On Mozilla-* updates

2005-08-02 Thread Matt Zimmerman
On Tue, Aug 02, 2005 at 08:15:22PM +0100, antgel wrote: > Matt Zimmerman wrote: > > the issue is that they often don't apply to versions which are a few > > months old. > > Not automatically, but perhaps if we had a dedicated team of a few people > who can code, we could manually mould them to the

Re: On Mozilla-* updates

2005-08-02 Thread Noah Meyerhans
On Tue, Aug 02, 2005 at 10:09:13AM -0700, Thomas Bushnell BSG wrote: > >> > IMHO, sloppy security support (by uploading new upstream versions) is > >> > better than no security support. > >> > >> Are you prepared to make sure all the packages that depend on mozilla > >> will have packages ready to

Re: On Mozilla-* updates

2005-08-02 Thread Thomas Bushnell BSG
Willi Mann <[EMAIL PROTECTED]> writes: > [Thomas, I'm not sure if you are on the debian-security list, so I'm CCing > you] > >> Are you prepared to make sure all the packages that depend on mozilla >> will have packages ready to enter at once? > > This would only be necessary in case of an API/AB

Re: On Mozilla-* updates

2005-08-02 Thread Thomas Bushnell BSG
Noah Meyerhans <[EMAIL PROTECTED]> writes: > On Mon, Aug 01, 2005 at 04:57:31PM -0700, Thomas Bushnell BSG wrote: >> > IMHO, sloppy security support (by uploading new upstream versions) is >> > better than no security support. >> >> Are you prepared to make sure all the packages that depend on mo

Re: On Mozilla-* updates

2005-08-02 Thread Matt Zimmerman
On Tue, Aug 02, 2005 at 02:29:51PM +0200, Moritz Muehlenhoff wrote: > If the isolated patches were pulled from Mozilla Bugzilla by Matt Zimmermann > (who appears to be Debian's Mozilla security delegate) and published as part > of a DSA this would point to the core of each vulnerability and make e

Re: On Mozilla-* updates

2005-08-02 Thread Willi Mann
[Thomas, I'm not sure if you are on the debian-security list, so I'm CCing you] Are you prepared to make sure all the packages that depend on mozilla will have packages ready to enter at once? This would only be necessary in case of an API/ABI change, right? The mozilla people have shown to c

Re: On Mozilla-* updates

2005-08-02 Thread Moritz Muehlenhoff
In gmane.linux.debian.devel.security, you wrote: > Looking at how 1.0.5 was binary-incompatible with 1.0.4 I can only > assert that the community has failed already. Although I'm not sure how an "accidental API change" can slip through any kind of Mozilla QA, it has at least been corrected in 1.0

Re: On Mozilla-* updates

2005-08-02 Thread Moritz Muehlenhoff
In gmane.linux.debian.devel.security, you wrote: >> Mozilla *appears* to have no interest in supplying patches which >> *only* fix security holes to distributors. Their line is more >> "upgrade to the newest version". Whilst the new versions do >> fix the holes, they traditionally also break t

Re: On Mozilla-* updates

2005-08-02 Thread Jeff
Joey, Working from the following assumptions: * it is possible to include Mozilla in Debian stable, * extracting security patches from upstream is not practical, and ignoring the interesting, but extraneous threads, What exactly breaks if the update to v1.06 is applied, as upstream recommends?

Re: On Mozilla-* updates

2005-08-02 Thread Jeff
it seems that less than two months after the release of sarge it is not possible to support Mozilla, Thunderbird, Firefox (and probably Galeon) packages anymore. (in terms of fixing security related problems) Unfortunately the Mozilla Foundation does not provide dedicated and clean patches for

Re: Importance of browser security

2005-08-02 Thread Stefano Salvi
Ben Bucksch wrote: Stefano Salvi wrote: I prefer to have no X on the server and administer it from command line or Web interfaces (command line is better). Let's say 1. You use Mozilla from sarge ... CUT ... Description of an exploit That's what's at stake here. I don't care, if a M

Importance of browser security (was: On Mozilla-* updates)

2005-08-02 Thread Ben Bucksch
Stefano Salvi wrote: I prefer to have no X on the server and administer it from command line or Web interfaces (command line is better). Let's say 1. You use Mozilla from sarge 2. Somebody cracks you through known holes in that old Mozilla, either a mass exploit or an enemy of you sp

Re: On Mozilla-* updates

2005-08-02 Thread Nicolas Rachinsky
* Stefano Salvi <[EMAIL PROTECTED]> [2005-08-02 09:38 +0200]: > Nicolas Rachinsky wrote: > >The desktop used to administrate a server needs less security? Weakest > >link? > I prefer to have no X on the server and administer it from command line > or Web interfaces (command line is better). > I th

Re: On Mozilla-* updates

2005-08-02 Thread Stefano Salvi
Nicolas Rachinsky wrote: * Stefano Salvi <[EMAIL PROTECTED]> [2005-08-02 09:16 +0200]: It's sure that a server must have a higher security score than a desktop system, but it also needs different functionalities. The desktop used to administrate a server needs less security? Weakest link? I

Re: On Mozilla-* updates

2005-08-02 Thread Nicolas Rachinsky
* Stefano Salvi <[EMAIL PROTECTED]> [2005-08-02 09:16 +0200]: > It's sure that a server must have a higher security score than a > desktop system, but it also needs different functionalities. The desktop used to administrate a server needs less security? Weakest link? Nicolas

Re: On Mozilla-* updates

2005-08-02 Thread Stefano Salvi
Michael Stone wrote: On Mon, Aug 01, 2005 at 09:29:24AM +0200, Stefano Salvi wrote: I think that two kinds of people are interested in Debian: - Ones who want Security - Ones who want Stability I can't even understand this statement. What kind of person is interested in "stability" which wil