Firefox 1.03?

Shawn Christopher schristopheraz at gmail.com
Sun Apr 24 18:42:24 UTC 2005


Daniel Robitaille wrote:

>On Sun, 2005-24-04 at 15:37 +0800, zer0halo wrote:
>  
>
>>It seems to me that it would be much less confusing for the user if
>>Ubuntu were to simply release a security update for Hoary called
>>firefox 1.0.3. Even if the security issues for Firefox 1.0.3 were
>>fixed in the Ubuntu 1.0.2 release, how is the user supposed to know
>>that? All the user (like me) knows is that mozilla releases a 1.0.3
>>security update to fix important vulnerabilities, so for all I know,
>>my ubuntu 1.0.2. still has those vulnerabilities. My inclination is to
>>ditch the Ubuntu version and just download and use the bin distributed
>>by mozilla. But obviously that's not the best solution. Plus even if
>>ubuntu-1.0.2. is secure, how do I convince my IT manager of that?
>>Really, it shouldn't be difficult for Ubuntu to release 1.0.3. as a
>>security patch for Hoary.
>>    
>>
>
>One note: it's not just a Ubuntu thing:  all Linux distributions out
>there (Red Hat, Fedora, Mandrake, etc) will generally not update a piece
>of software to a higher version number, but instead will backport the
>security patches in the version they are "frozen" to in their release
>distributions.   In this case  maybe that Firefox 1.0.3 release contains
>only security fixes compared to 1.0.2, but that's not always the case,
>and sometimes applications contain functionality differences between
>versions; and these differences suddenly appearing in someone's
>installed system go against the philosophy that once a distro is
>released, it is done and all its functionalities should be fixed
>forever.
>
>
>As for the problem here, it is essentially a commitment vs trust
>problem.
>
>1) Ubuntu has committed itself to provide security fixes to all the
>applications they support in main (including Firefox) for 18 months
>(http://www.ubuntulinux.org/ubuntu/)
>
>
>2) Users (and IT managers!) are putting their trust in that commitment
>from the Ubuntu developers.
>
>If you trust them then you have to assume that, if you make sure you do
>regular system updates, the version of Firefox you have installed (with
>the version number  1.0.2, 1.0.3, or version 99.9 for what I care), will
>contain all the applicable security patches.  Most users have that
>trust, and do system updates and just don't think about the security
>issues; in my opinion that's the main user audience of Ubuntu by a large
>margin.
>
>
>If you don't trust them, then you go to mozilla.org and download the
>latest version of Firefox (which can be easily installed in 5 minutes)
>and be done with it.
>
>
>But if you don't trust them for something as visible as Firefox, then as
>a user or IT person, you have to start monitoring various security
>outlets (like CERT: http://www.us-cert.gov/cas/bulletins/index.html),
>and every week make sure the dozen advisories related to applications
>installed in Ubuntu are applicable or not; most users (including me),
>don't really have the time for that.
>
>
>Personally if I ever find out that Ubuntu is breaking that 18-month
>security update commitment, then I'll have to look around for another
>Linux distro that has a stronger commitment, or start spending the time
>to do my own security assessments (which should be done anyway if
>security is paramount in your computing setting).  
>
>
>
>  
>
Daniel,
    Thanks for the clarification...however I think the big issue now is 
the fact of informing the community that this is happening. Is there a 
way to post on the front page of the Ubuntu site or put a news heading 
that this is happening? Just a basic "A few users have noticed that 
Firefox is at 1.0.3 because of security updates, however Ubuntu has 
Firefox 1.0.2. The reason this is the case is because instead of 
changing our versioning number we have backported the security update 
from 1.0.3 into Ubuntu Firefox 1.0.2."

    I hope this will help alleviate the concerns that are being 
expressed by the community. Thank You.

_____________________________
Shawn Christopher
Project Manager: For The Record
http://www.spreadfirefox.com




