firefox 1.0.5?

Dick Davies rasputnik at hellooperator.net
Fri Jul 15 09:55:22 UTC 2005


* Oliver Grawert <ogra at ubuntu.com> [0714 10:14]:
> hi,
> On Friday, 15.07.2005, at 10:27 +0200, Henning Kilset Pedersen wrote:
> > But the fact of the matter remains - Ubuntu Hoary users are exposed to
> > several well-known security holes in the Firefox browser - a large and
> > important part of their desktop computing experience - as long as
> > firefox is not upgraded to the latest version.
> > 
> > There will be new security holes in new versions, you can take that for
> > granted. But at least those security holes are not well-known,
> > well-publicized problems. The current ones not fixed in 1.0.2, on the
> > other hand, are by now very well known.

> that's a wrong assumption, all firefox security fixes got backported to
> the hoary version, so security-wise your browser is as safe as every
> other 1.0.4 version out there.

But my question was why 1.0.5 isn't in yet. The holes in 1.0.4 are now public
knowledge.

I can live with a browser called 1.0.2, whether that baffles me or not,
so long as my browser isn't full of holes.

The reason I ask about the version disparity is that it seems to me that
backporting fixes to 1.0.2 is a lot more work than simply bumping the package
to the latest version, especially when the upstream developers' support for
older versions is 'upgrade' (since firefox is a relatively small app I have no
problem with that approach personally).
The extra delay incurred can only increase the vulnerability window for users.


If more recent firefoxes cause incompatibility problems (I don't know of any
examples of that, but I'll take your word for it) that should be resolved by
pinning versions, not by letting users limp along with software that by its
nature is exposed to all sorts of scripting attacks daily.

This isn't a criticism, it's an observation - Ubuntu brought out a zlib fix
last week before OpenBSD did, it's not like there is a general security update
issue. So I don't see why firefox should be different?

-- 
'Everybody I know who is right always agrees with ME.'
		-- Rev Lady Mal
Rasputin :: Jack of All Trades - Master of Nuns