firefox 1.0.5?
James Livingston
jrl at ids.org.au
Fri Jul 15 11:56:57 UTC 2005
On Fri, 2005-07-15 at 11:49 +0100, Dick Davies wrote:
> * James Livingston <jrl at ids.org.au> [0721 11:21]:
> > It takes time to check to ensure that a) the backported patch actually
> > fixes the flaw b) doesn't open up any new security holes and c) doesn't
> > break functionality in any way.
>
> a) has already been tested by the people who release the software surely?
> and b) and c) are impossible with finite resources.
>
> This makes it sound like ubuntu audits all its code before installing, and I
> can't believe that. If a developer says 'version 0.8 of fooapp is released,
> it fixes these bugs in 0.7', do you not trust them? You're using their code
> after all.
a) has been tested with the official Firefox release, with the rest of
the version there. Distro-supplied versions are not identical to the
official release - what if one of the other non-security changes in
1.0.5 touches the same code as the security fix, or if one of the
differences between the Ubuntu version and the official version affects
the patch?
If either of those two cases is true, then the patch has not been in
exactly the same environment. If this were a non-security update, then
it wouldn't be such a big deal - but as we are discussing security
fixes, you want to be sure it works, and doesn't make more problems.
> > Just imagine if they quickly created a 1.0.5 package and released it
> > ASAP; sure the security flaw is (probably) fixed, but there could be
> > side-effects. What happens if 1.0.5 breaks other applications that use
> > Gecko, such as Liferea, DevHelp, et cetera? (there are quite a few of
> > them)
>
> OK, let's not imagine. Are there any examples where this has happened?
I don't know of any like that, but that may (or may not) be due to the
fact that they do the testing required to ensure that it doesn't happen.
We'd have to ask one of the people who actually does the backporting and
testing to find out whether it has caught any potential problems.
How about the International Domain Name homograph spoofing flaw that was
in versions before 1.0.2
(http://www.mozilla.org/security/announce/mfsa2005-29.html). The "fix"
was to disable IDN in 1.0.2 - which I believe caused quite a few people
issues and resulted in a huge debate.
To use Windows as another example, I know that several security fixes
have broken things; and sysadmins had to decide to either leave the hole
open or break some applications.
> We aren't talking about nightly builds here, this is an official release.
> I think the fears of potential incompatibility are outweighed by the risks of
> keeping *known* bugs around.
>
> In my book, *potentially* not having liferea work exactly the same is just not
> that big a deal by comparison.
It's the old trade-off of security versus functionality. The balance
between the risks of potential exploitation versus the risks of
potentially breaking applications is debatable, and something that
people will never agree upon. You draw the line in one place, I draw it
in a different place and other people will draw it where they think is
best - the question is where should the Ubuntu developers draw it?
Cheers,
James "Doc" Livingston
--
In God we Trust. All others must submit an X.509 certificate.
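The IDN homograph flaw referred to above (MFSA 2005-29), illustrated with an added example that is not part of this mail thread. It contrasts the blunt mitigation the mail describes (show every non-ASCII label as punycode) with a narrower one (show punycode only for labels that mix Unicode scripts); the policy names, the script heuristic and the sample hostnames are constructed for illustration.

```python
import unicodedata


def label_scripts(label: str) -> set:
    """Return the set of Unicode scripts used by the letters of one DNS label.

    unicodedata exposes no Script property, so the first word of each
    letter's character name (LATIN, CYRILLIC, GREEK, ...) is used as a
    practical stand-in. Digits, hyphens and combining marks are ignored.
    """
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def is_mixed_script(label: str) -> bool:
    """A label drawing letters from two or more scripts is a homograph candidate."""
    return len(label_scripts(label)) > 1


def to_ascii(label: str) -> str:
    """ASCII-compatible form of a label: unchanged if pure ASCII, else 'xn--' + punycode."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def display_host(host: str, policy: str) -> str:
    """Render a hostname for an address bar under one of two (constructed) policies.

    'disable_idn'  : every non-ASCII label is shown as punycode. Roughly the
                     blunt approach the mail describes; it also makes legitimate
                     single-script names such as muenchen.de (with u-umlaut) unreadable.
    'mixed_script' : only labels mixing scripts are shown as punycode, so a
                     Cyrillic 'a' dropped into a Latin name is exposed while
                     ordinary IDNs stay readable.
    """
    shown = []
    for label in host.lower().split("."):
        if policy == "disable_idn":
            shown.append(to_ascii(label))
        elif policy == "mixed_script":
            shown.append(to_ascii(label) if is_mixed_script(label) else label)
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return ".".join(shown)
```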