Firefox 1.03?

Daniel Robitaille robitaille at gmail.com
Sun Apr 24 17:54:45 UTC 2005


On Sun, 2005-24-04 at 15:37 +0800, zer0halo wrote:
> It seems to me that it would be much less confusing for the user if
> Ubuntu were to simply release a security update for Hoary called
> firefox 1.0.3. Even if the security issues for Firefox 1.0.3 were
> fixed in the Ubuntu 1.0.2 release, how is the user supposed to know
> that? All the user (like me) knows is that mozilla releases a 1.0.3
> security update to fix important vulnerabilities, so for all I know,
> my ubuntu 1.0.2 still has those vulnerabilities. My inclination is to
> ditch the Ubuntu version and just download and use the bin distributed
> by mozilla. But obviously that's not the best solution. Plus even if
> ubuntu-1.0.2 is secure, how do I convince my IT manager of that?
> Really, it shouldn't be difficult for Ubuntu to release 1.0.3 as a
> security patch for Hoary.

One note: it's not just an Ubuntu thing: all Linux distributions out
there (Red Hat, Fedora, Mandrake, etc) will generally not update a piece
of software to a higher version number, but instead will backport the
security patches into the version they are "frozen" to in their release
distributions. In this case maybe that Firefox 1.0.3 release contains
only security fixes compared to 1.0.2, but that's not always the case,
and sometimes applications contain functionality differences between
versions; and these differences suddenly appearing in someone's
installed system go against the philosophy that once a distro is
released, it is done and all its functionality should be fixed
forever.


As for the problem here, it is essentially a commitment vs trust
problem.

1) Ubuntu has committed itself to provide security fixes to all the
applications they support in main (including Firefox) for 18 months
(http://www.ubuntulinux.org/ubuntu/)


2) Users (and IT managers!) are putting their trust in that commitment
from the Ubuntu developers.

If you trust them then you have to assume that, if you make sure you do
regular system updates, the version of Firefox you have installed (with
the version number 1.0.2, 1.0.3, or version 99.9 for what I care) will
contain all the applicable security patches. Most users have that
trust, do system updates, and just don't think about the security
issues; in my opinion that's the main user audience of Ubuntu by a large
margin.


If you don't trust them, then you go to mozilla.org and download the
latest version of Firefox (which can be easily installed in 5 minutes)
and be done with it.


But if you don't trust them for something as visible as Firefox, then as
a user or IT person, you have to start monitoring various security
outlets (like CERT: http://www.us-cert.gov/cas/bulletins/index.html),
and every week make sure the dozens of advisories related to applications
installed in Ubuntu are applicable or not; most users (including me)
don't really have the time for that.


Personally, if I ever find out that Ubuntu is breaking that 18-month
security update commitment, then I'll have to look around for another
Linux distro that has a stronger commitment, or start spending the time
to do my own security assessments (which should be done anyway if
security is paramount in your computing setting).



-- 
Daniel Robitaille
 GPG: http://robitaille.fastmail.fm/pubkey.asc (0x5C19F466)
 IM Jabber: robitaille at jabber.org
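The backporting model described in the message above leaves the upstream version number unchanged (1.0.2) and records the security fixes only in the package's own revision and changelog. The practical check a user or IT manager can make, rather than trusting the version string, is to read the package changelog that Debian-derived distributions install under /usr/share/doc/<package>/changelog.Debian.gz and look for the advisory identifiers (CVE, MFSA) of the fixes they care about. The following Python is an added example, not code from the original message or from Ubuntu: it parses a constructed changelog in Debian changelog format and answers whether a given identifier is mentioned in the installed revision or an older one. The changelog text, maintainer address, and all CVE-1900-* and MFSA 1900-* identifiers are placeholders constructed for the example and are not real advisories.

```python
import re

# Constructed sample in Debian changelog format (not a real Ubuntu changelog).
# The upstream version stays 1.0.2 while the Ubuntu revision (-0ubuntu5.x)
# carries the backported fixes. All identifiers here are placeholders.
SAMPLE_CHANGELOG = """\
firefox (1.0.2-0ubuntu5.2) hoary-security; urgency=high

  * SECURITY UPDATE: backport fixes from upstream 1.0.3 (MFSA 1900-02,
    CVE-1900-0002).

 -- Example Maintainer <maintainer at example.invalid>  Sat, 23 Apr 2005 10:00:00 +0000

firefox (1.0.2-0ubuntu5.1) hoary-security; urgency=high

  * SECURITY UPDATE: fix CVE-1900-0001 (MFSA 1900-01).

 -- Example Maintainer <maintainer at example.invalid>  Mon, 11 Apr 2005 10:00:00 +0000

firefox (1.0.2-0ubuntu5) hoary; urgency=low

  * New upstream release.

 -- Example Maintainer <maintainer at example.invalid>  Fri, 25 Mar 2005 10:00:00 +0000
"""

# First line of each changelog entry: "package (version) distribution; urgency=..."
# The maintainer trailer line starts with a space, so it cannot match this.
ENTRY_HEADER = re.compile(r"^(\S+) \(([^)]+)\) ([^;]+); urgency=(\S+)\s*$", re.M)

# Advisory identifiers we look for in the body of each entry.
REFERENCE = re.compile(r"\b(CVE-\d{4}-\d{4,}|MFSA \d{4}-\d{2,})")


def parse_changelog(text):
    """Return a list of (version, distribution, sorted advisory refs), newest first."""
    headers = list(ENTRY_HEADER.finditer(text))
    entries = []
    for i, header in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[header.end():end]
        refs = sorted(set(REFERENCE.findall(body)))
        entries.append((header.group(2), header.group(3).strip(), refs))
    return entries


def references_fixed_in(text, installed_version):
    """All advisory identifiers mentioned in the installed version's entry or any
    older entry. The Debian changelog format requires newest-first ordering, so
    everything from the installed entry to the end of the file is already
    present in that revision; no dpkg version comparison is needed."""
    entries = parse_changelog(text)
    versions = [version for version, _, _ in entries]
    if installed_version not in versions:
        raise ValueError("version %s not found in changelog" % installed_version)
    start = versions.index(installed_version)
    fixed = set()
    for _, _, refs in entries[start:]:
        fixed.update(refs)
    return fixed


def is_fixed(text, installed_version, reference):
    """True if the installed revision's changelog claims the given advisory fixed."""
    return reference in references_fixed_in(text, installed_version)


if __name__ == "__main__":
    # Typical use: the version string comes from `dpkg -l firefox` and the text
    # from /usr/share/doc/firefox/changelog.Debian.gz (decompressed).
    installed = "1.0.2-0ubuntu5.1"
    for ref in ("CVE-1900-0001", "CVE-1900-0002"):
        print(installed, ref, "fixed" if is_fixed(SAMPLE_CHANGELOG, installed, ref) else "NOT fixed")
```

Note what this does and does not tell you: a changelog entry is the packager's claim that a fix was backported, so it answers the "how is the user supposed to know" question above, but verifying the claim itself still means reading the patch in the source package.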

