Newbie questions about updates

Scott geekboy at angrykeyboarder.com
Wed Aug 23 08:20:36 UTC 2006


On Wed, 23 Aug 2006 09:17:43 +0200, Kristian Rink wrote:

> 
> Scott;
> 
> 
> Am Wed, 23 Aug 2006 00:03:26 -0700
> schrieb Scott <geekboy at angrykeyboarder.com>:
> 
>> Ubuntu (and Debian) always seem to be a bit behind on Firefox security
>> updates.  
> 
> kr at node428:~> dpkg -l|grep firefox
> 
> ii  firefox   	 1.5.dfsg+1.5.0.6-2   [...]
> 
> ... running an up-to-date Debian unstable.
> 
> 
> 
> 
>> I've seen it take 7-10 days after Mozilla releases the updated
>> versions (Firefox and Thunderbird) before Debian or Ubuntu make them
>> available.
> 
> 
> Fetching a binary update from an FTP or web download repository is one
> thing. Building a release from sources to fit into a distribution is
> another one. About that, the package maintainer needs to take some time
> investigating the sources of the new release (even if it's just a
> security / maintenance update), possibly adjust patches applied to
> the previous version (note the FF version number printed above)

Why would they be concerned with the previous version when starting with a
new version from scratch, from fresh source code?

>, apply
> them to the new source, build the package and hopefully test whether it
> works with the rest of the distribution (or at least the most relevant
> pieces of it). This is something that simply takes some time.

> But you're always free to fetch binaries from mozilla.org and manually
> install them to /usr/local or /opt if you want to. ;)

I'm fully aware of this, thanks. ;-)

I play with betas and nightlies on occasion.

My problem is this (well there are a few).

It seems whenever the subject of Linux security comes up (among a
group of Linux users) they start pounding their chests and bragging how
wonderfully secure Linux is.  They come across as if it's simply not
vulnerable to anything, period (which is pure BS...or ignorance...or
both).

And yes I know it's far LESS vulnerable than Windows (although that is
*finally* changing somewhat), but that hardly makes it immune.

To those folks I'd suggest subscribing to any distro's (or two's) security
announcement lists, and/or bugtraq, Secunia etc., plus the kernel's own
announcement list.  That should put some things in perspective for them.

But I digress....

What really bugs me is when Ubuntu (or most any Linux distro) releases a
security update to a package (say, Firefox) they announce the
vulnerability (many days and sometimes even a few weeks) after it had
already been announced by the original developers (e.g. Mozilla, PHP,
MySQL etc.) at the same time they release the package.

For the ignorant, this gives the impression that this just came about and
we "jumped right on it".  When in fact, that's not the case.

People who are REALLY worried about security in the case of Firefox could
point out that Windows and Mac users had been protected a while ago, while
Linux users were left vulnerable.

Yes, I KNOW I could download the binary immediately from Mozilla, but many
users (especially in Ubuntu's case) don't want to mess with any
installation program that doesn't end in ".deb".  Or even further, "a
program they could download from Synaptic [sic]"

And in my case (as stated previously), 9 out of 10 security issues would
affect me only if I jumped through a few hoops, opened my firewall and so
forth. So it's not that big a deal for me personally. But it's the
principle.
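The practical check behind this exchange is the one Kristian hints at with "note the FF version number printed above": a Debian version string like 1.5.dfsg+1.5.0.6-2 wraps the upstream Mozilla version inside the distro's own repacked-tarball naming, so "am I at the version Mozilla fixed this in?" means pulling that embedded version out and comparing it the way dpkg does. The script below is an added example, not code from this thread or from Debian/Ubuntu. It reimplements dpkg's version comparison algorithm in Python so it runs anywhere (on a Debian system, dpkg --compare-versions does the same natively). The dpkg -l lines and the "first fixed version" table are constructed for the example, and the extraction of the upstream version from the dfsg string is a heuristic of this example, not a Debian rule.

```python
import re
from typing import Dict, Tuple

# Constructed sample of `dpkg -l | grep -E 'firefox|thunderbird'` output
# (not output from a real machine): status, name, Debian version, description.
SAMPLE_DPKG_L = """\
ii  firefox               1.5.dfsg+1.5.0.6-2    lightweight web browser based on Mozilla
ii  mozilla-thunderbird   1.5.0.5-0ubuntu1      Mozilla Thunderbird standalone mail client
"""

# Hypothetical "first fixed upstream version" table for this example. In real use
# these values come from the vendor advisory for the release, not from a dict.
FIXED_UPSTREAM = {"firefox": "1.5.0.6", "mozilla-thunderbird": "1.5.0.6"}


def _order(c: str) -> int:
    """Character weight dpkg uses for the non-digit parts of a version."""
    if c == "~":
        return -1          # '~' sorts before everything, even end-of-string
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256    # punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's verrevcmp(): alternate non-digit and digit runs and compare each."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: lexicographic on _order(); end-of-string weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: numeric comparison, leading zeros ignored.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1       # a has more digits left: it is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v: str) -> Tuple[int, str, str]:
    """Split [epoch:]upstream[-revision]; a missing revision counts as '0'."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-")
    if not upstream:               # no '-' at all: rpartition put it all in `revision`
        upstream, revision = revision, "0"
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Full Debian comparison: epoch, then upstream, then revision (negative: a < b)."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    return r if r else _verrevcmp(ra, rb)


_DOTTED = re.compile(r"\d+(?:\.\d+)*(?:~[0-9A-Za-z.]+)?")


def mozilla_version(debian_version: str) -> str:
    """Heuristic (an assumption of this example, not a Debian rule): the upstream
    Mozilla version inside repacked-tarball naming is the most specific dotted run.
    '1.5.dfsg+1.5.0.6' contains '1.5' and '1.5.0.6'; we want the latter. Comparing
    the raw string would mislead: dpkg sorts '1.5.dfsg+...' *above* '1.5.0.6'
    because a letter outranks a digit in _order()."""
    _, upstream, _ = split_version(debian_version)
    candidates = _DOTTED.findall(upstream)
    return max(candidates, key=lambda s: (s.count("."), len(s)))


def check_dpkg_output(text: str, fixed: Dict[str, str]) -> Dict[str, Tuple[str, bool]]:
    """Map package -> (embedded upstream version, embedded >= first fixed version)."""
    result = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "ii":   # 'ii' = installed and configured
            continue
        name, debver = fields[1], fields[2]
        if name in fixed:
            embedded = mozilla_version(debver)
            result[name] = (embedded, compare_versions(embedded, fixed[name]) >= 0)
    return result


if __name__ == "__main__":
    for pkg, (ver, ok) in check_dpkg_output(SAMPLE_DPKG_L, FIXED_UPSTREAM).items():
        print(f"{pkg:22} {ver:10} {'ok' if ok else 'behind upstream fix'}")
```

The comparison routine is the same algorithm dpkg uses, so it gets the cases that break naive string or float comparison right: 1.10 is newer than 1.9, 1.0~rc1 is older than 1.0, and an epoch (1:1.0) outranks any non-epoch version. On the sample lines, firefox reports ok and mozilla-thunderbird reports behind upstream fix.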

More information about the ubuntu-users mailing list