firefox 1.0.5?

James Livingston jrl at ids.org.au
Fri Jul 15 10:21:25 UTC 2005


On Fri, 2005-07-15 at 10:55 +0100, Dick Davies wrote:
> But my question was why 1.0.5 isn't in yet. The holes in 1.0.4 are now public
> knowledge.
> 
> I can live with a browser called 1.0.2, whether that baffles me or not,
> so long as my browser isn't full of holes.

It takes time to check to ensure that a) the backported patch actually
fixes the flaw, b) doesn't open up any new security holes, and c) doesn't
break functionality in any way.

> The reason I ask about the version disparity is that it seems to be that
> backporting fixes to 1.0.2 is a lot more work than simply bumping the package
> to the latest version, especially when the upstream developers' support for
> older versions is 'upgrade' (since Firefox is a relatively small app I have no
> problem with that approach personally).
> The extra delay incurred can only increase the vulnerability window for users.

The whole "when should distributors find out about the security patch?"
debate is something we don't need to get into. It isn't as simple as
downloading the source for 1.0.5 and rolling a new .deb; once again
there needs to be testing, and it would take more testing than for
backporting the patch.


> If more recent firefoxes cause incompatibility problems (I don't know of any
> examples of that, but I'll take your words for it) that should be resolved by
> pinning versions, not by letting users limp along with software that by its 
> nature is exposed to all sorts of scripting attacks daily.

Just imagine if they quickly created a 1.0.5 package and released it
ASAP; sure the security flaw is (probably) fixed, but there could be
side-effects. What happens if 1.0.5 breaks other applications that use
Gecko, such as Liferea, DevHelp, et cetera? (there are quite a few of
them)

You are going to get *lots* of pissed-off people complaining that
Ubuntu's developers are idiots for not doing any testing. Taking time to
do this properly is the only way to ensure everything still works, and
that takes time.

> This isn't a criticism, it's an observation - Ubuntu brought out a zlib fix
> last week before OpenBSD did; it's not like there is a general security update
> issue. So I don't see why Firefox should be different?

Because new versions of Firefox contain things other than security
fixes; AFAIK the only new thing in the zlib release was the fix for the
security flaw.

If Firefox was given special treatment because it's a "core
application", what else should be considered the same? The entire set of
main Gnome (and KDE) applications? Things like Epiphany (the Gnome web
browser, also Gecko based)? Half the things in main? If we go down that
road, I know things *will* break, and there will be major problems.

I can't really see how trying to do that kind of thing will help at
all.


Cheers,

James "Doc" Livingston 
-- 
For every subject you can think of there are at least 3 web sites. The
owners of these web sites know each other and at least one of them hates
at least one of the others. 
    -- mnlooney's view of Skif's Internet Theorem