Firefox in Breezy (1.0.8), and security support

Matt Zimmerman mdz at ubuntu.com
Wed Jun 7 19:43:46 BST 2006


On Wed, Jun 07, 2006 at 03:54:43PM +0100, Ian Jackson wrote:
> options, I can think of at least the following options for Ubuntu:
>  - End support for Breezy.
>  - End security support for web browsing in Breezy with
>        some appropriately scary announcement.

These are not an option; we have made a commitment to continue to support
Ubuntu 5.10 for another year.

>  - Attempt to address only known vulnerabilities (inventing new fixes
>        as described above) and hope that this is sufficient.
>  - Provide a version of firefox 1.5.0.4 in breezy-security.

Whichever of these provides the most stability would be my preferred option.

>  - Ignore the problem completely, do nothing, and hope no-one notices.

Not an option.

>  - Try to form some kind of consortium with other distros to do
>        security support for some or all obsolete products
>        (perhaps just firefox 1.0.8, perhaps others too).

This is orthogonal to solving the immediate problem, but seems worthwhile.
security-group at mozilla.org might be a good place to reach others who are
working on the same problem.

>  - Persuade Mozilla to change their mind about ending security
>        support for 1.0.8.

Also orthogonal, but unlikely to succeed.  Can't hurt to ask, of course.

> If we are careful with review of the _packaging_ arrangements as
> opposed to the _code_ arrangements, we should be able to avoid too
> much damage, and careful testing will help too.  So I think we
> should be able to provide a reasonable user experience.
> 
> This model could also be used well into the future, especially
> considering the LTS requirement for Dapper.  If we know in advance
> that this is what our plan is, we can prepare, carefully test, and
> then finally deploy a future Firefox 2.0 into dapper-updates and
> dapper-security, before we are forced into the position of having to
> delay while we think of a way to deal with a pressing security
> problem.

We have already pushed new upstream versions of Firefox in similar
situations, and I'm open to doing so again if stability and quality are
preserved.

-- 
 - mdz


