mozilla security patches and prebuilt package

Alexander Sack asac at debian.org
Mon Oct 3 18:28:51 UTC 2005


On Mon, Oct 03, 2005 at 07:06:53PM +0200, Martin Schulze wrote:
> Alexander Sack wrote:
> > > > You can get a prebuilt mozilla package from
> > > > http://people.debian.org/~asac/security/. The package version is
> > > > 1.7.8-1sarge3.
> 
> Could you tell me which version in sid fixes the problems you've fixed
> in the security update?

Sure, 1.0.6-4 was a quick upload for MFSA-2005-59. 1.0.7-1 superseded
this by taking the full upstream release.

> > 
> > Yes. Thanks for your work on this. If you want the .changes file
> > for tbird too, let me know.
> 
> Umh... What a question... I'd love if we don't have to update it
> but I doubt that we could stand it...
> 

Suggestions on how to improve the generated changelog entries and long
report format are welcome. For the next release I will adapt the
changelog format as Eric requested. Let's see if that is better.

Anyway, there are still some issues to discuss on how we should deal
with security issues for thunderbird. 

Since thunderbird and firefox come from the same stable release
branch, mozilla devs take all patches from firefox and apply them to 
thunderbird too.

How should we deal with this? Is it OK to apply changes that go
in for firefox to thunderbird too - even though the issues addressed
do not affect thunderbird directly?

All this is important, because mozilla documented that thunderbird is
only affected by MFSA-2005-59. MFSA-2005-57 and MFSA-2005-58
apparently don't affect thunderbird[1]. Anyway, please consider that 
forking the code-base could become a real pain in the ass for future 
security fixes, so keeping the patches would be sane IMO.

Another question is whether we should document MFSA-2005-57 and
MFSA-2005-58 (and the associated CANs) in the thunderbird Advisory.


[1] -
http://www.mozilla.org/projects/security/known-vulnerabilities.html

-- 
 GPG messages preferred.   |  .''`.  ** Debian GNU/Linux **
 Alexander Sack            | : :' :      The  universal
 asac at debian.org           | `. `'      Operating System
 http://www.asoftsite.org  |   `-    http://www.debian.org



More information about the pkg-mozilla-maintainers mailing list