firefox 1.0.5?

Dick Davies rasputnik at hellooperator.net
Fri Jul 15 10:49:56 UTC 2005


* James Livingston <jrl at ids.org.au> [0721 11:21]:
> On Fri, 2005-07-15 at 10:55 +0100, Dick Davies wrote:
> > But my question was why 1.0.5 isn't in yet. The holes in 1.0.4 are now public
> > knowledge.
> > 
> > I can live with a browser called 1.0.2, whether that baffles me or not,
> > so long as my browser isn't full of holes.
 
> It takes time to check to ensure that a) the backported patch actually
> fixes the flaw b) doesn't open up any new security holes and c) doesn't
> break functionality in any way.

a) has already been tested by the people who release the software surely?
and b) and c) are impossible with finite resources.

This makes it sound like ubuntu audits all its code before installing, and I
can't believe that. If a developer says 'version 0.8 of fooapp is released, 
it fixes these bugs in 0.7', do you not trust them? You're using their code
after all.

> > If more recent firefoxes cause incompatibility problems (I don't know of any
> > examples of that, but I'll take your words for it) that should be resolved by
> > pinning versions, not by letting users limp along with software that by its 
> > nature is exposed to all sorts of scripting attacks daily.
> 
> Just imagine if they quickly created a 1.0.5 package and released it
> ASAP; sure the security flaw is (probably) fixed, but there could be
> side-effects. What happens if 1.0.5 breaks other applications that use
> Gecko, such as Liferea, DevHelp, et cetera? (there are quite a few of
> them)

OK, let's not imagine. Are there any examples where this has happened?

A fast update (which has already been tested by the firefox
team, incidentally) *might* cause problems.
A slower (tested) update *definitely* leaves the user vulnerable to known, serious
security holes.

As you say, there are a lot of apps that depend on firefox, so until it's bumped
they are all vulnerable.

> If Firefox was given special treatment, because it's a "core
> application", what else should be considered the same? The entire set of
> main Gnome (and KDE) applications? things like Epiphany (the Gnome web
> browser, also Gecko based)? half the things in main? If we go down that
> road, I know things *will* break, and there will be major problems.

I'm not talking about special treatment, this is just the one I've noticed
and been alarmed by.
 
We aren't talking about nightly builds here, this is an official release.
I think the fears of potential incompatibility are outweighed by the risks of
keeping *known* bugs around.

The vulnerabilities listed at:

http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox

are already major problems.

In my book, *potentially* not having liferea work exactly the same is just not
that big a deal by comparison.

-- 
'The heroes claimed that they did care about people getting shot,
so they crashed their cars into them instead.'
		-- DNA, on 'Starsky and Hutch'
Rasputin :: Jack of All Trades - Master of Nuns