Bug#766249: iceweasel: wheezy force upgraded to 31.2.0esr-2~deb7u1

William Herrin bill at herrin.us
Tue Oct 21 22:05:27 UTC 2014


https://www.debian.org/security/faq

"The most important guideline when making a new package that fixes a
security problem is to make as few changes as possible. Our users and
developers are relying on the exact behaviour of a release once it is made,
so any change we make can possibly break someone's system."

Like mine. In my various Debian deployments I rely on the truth of the
quoted statement. When a package fails to follow that procedure, particularly
when that failure is in a very visible package, I am negatively impacted.
It's hard enough to convince the PHBs to use Debian over Red Hat without
it blowing up in my face because of a poorly conceived update.

I don't know what you did before iceweasel 24.8 and I don't care. Perhaps I
didn't notice because while I've run Debian servers for 15 years these past
few months are the first time in half a decade that I've given Debian on
the desktop a chance.

I understand that some upstream software managers behave so badly that your
hands can be tied at the Debian level. Certainly that's true of Firefox.
But in such a circumstance I beg you: do something other than push out the
new upstream version.

Here are some alternatives you might consider:

1. Introduce an iceweasel32 package and obsolete the old iceweasel package
at the point where you're no longer able to provide security updates to it.
The obsoleted package won't be removed until the sysadmin decides to remove
it.

2. Offer a high-priority dialog at install time if the version being
replaced is enough older to have compatibility problems, advising that the
version being installed is known to be incompatible. Offer an "abort
upgrade" option which will fail out of the package install.

3. Package firefox 32 and the previous Wheezy firefoxes in the same bundle.
On first run for a user following the update, prompt for which version to
execute advising that versions older than current are known to have
security flaws.

-Bill



On Tue, Oct 21, 2014 at 3:30 PM, Carsten Schoenert <c.schoenert at t-online.de>
wrote:

> Hello William,
>
> On Tue, Oct 21, 2014 at 02:44:34PM -0400, William Herrin wrote:
> > Subject: iceweasel: wheezy force upgraded to 31.2.0esr-2~deb7u1
> >
> > This is a major breach of protocol for debian security patches.
> > You DO NOT, DO NOT, DO NOT release major new upstream
> > versions in the middle of a stable release cycle. You certainly
> > do not release new versions which are significantly incompatible
> > with the old version.
>
> No, it is not.
> Debian Wheezy started with version 10.0.12 of Iceweasel. Right at
> the release of Wheezy this version wasn't supported any longer by
> Mozilla. We did change the "major" version two times before the current
> version 31 in stable-security, ESR versions 17 and 24.
>
> > $ rmadison iceweasel | grep security
> > iceweasel | 3.5.16-20            | squeeze-security  | source, amd64, armel, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, sparc
> > iceweasel | 17.0.10esr-1~deb7u1  | wheezy-security   | source, ia64, mips, mipsel
> > iceweasel | 24.5.0esr-1~deb7u1   | wheezy-security   | source, sparc
> > iceweasel | 24.8.0esr-1~deb7u1   | wheezy-security   | source
> > iceweasel | 24.8.1esr-1~deb7u1   | wheezy-security   | source, armhf, kfreebsd-amd64, kfreebsd-i386, s390
> > iceweasel | 31.2.0esr-2~deb7u1   | wheezy-security   | source, amd64, armel, i386, powerpc, s390x
>
> Now Mozilla has started a new ESR version and the security team has decided
> to use this version in the current stable-security repository. And they
> are right!
>
> Regards
> Carsten
>



-- 
William Herrin ................ herrin at dirtside.com  bill at herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
May I solve your unusual networking challenges?
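Added example, not part of the bug report thread and not code from the Debian iceweasel package: a preinst-style guard in the spirit of alternative 2 above. dpkg invokes a package's preinst as `preinst upgrade <old-version>` before unpacking the new files, so the script can compare the major version being replaced with the one being installed and fail the install unless the administrator has explicitly allowed the jump. The `ALLOW_MAJOR_UPGRADE` and `NEW_VERSION` variables are assumptions of this example (a real package would substitute its own version at build time), not dpkg or Debian conventions.

```shell
#!/bin/sh
# Illustrative preinst guard (added example). Refuses an upgrade that crosses a
# major-version boundary unless ALLOW_MAJOR_UPGRADE=yes is set; this stands in
# for the "abort upgrade" choice a debconf dialog would offer.

# Extract the leading numeric component of a Debian version string, e.g.
# "24.8.1esr-1~deb7u1" -> 24 and "1:31.2.0esr-2~deb7u1" -> 31 (epoch stripped).
major_of() {
    v="$1"
    v="${v#*:}"        # drop an epoch prefix such as "1:" if present
    v="${v%%[!0-9]*}"  # keep only the leading run of digits
    printf '%s' "${v:-0}"
}

# Returns 0 when upgrading from $1 to $2 changes the major version, 1 otherwise.
is_major_jump() {
    [ "$(major_of "$1")" != "$(major_of "$2")" ]
}

# Decide whether an upgrade from $1 (old) to $2 (new) should proceed.
# Returns 0 to let dpkg continue, 1 to abort the package install.
check_upgrade() {
    old="$1"
    new="$2"
    if is_major_jump "$old" "$new"; then
        if [ "${ALLOW_MAJOR_UPGRADE:-}" = "yes" ]; then
            echo "major upgrade $old -> $new explicitly allowed by administrator"
            return 0
        fi
        echo "refusing upgrade $old -> $new: new major version may be incompatible" >&2
        echo "set ALLOW_MAJOR_UPGRADE=yes to proceed" >&2
        return 1
    fi
    echo "upgrade $old -> $new stays within major $(major_of "$old"), proceeding"
    return 0
}

# dpkg entry point: $1 is the maintainer-script action, $2 the old version.
# NEW_VERSION is assumed to be filled in at package build time (see lead-in).
if [ "${1:-}" = "upgrade" ] && [ -n "${2:-}" ]; then
    check_upgrade "$2" "${NEW_VERSION:-0}" || exit 1
fi
```

Run by hand as `sh guard.sh upgrade 24.8.1esr-1~deb7u1` with `NEW_VERSION=31.2.0esr-2~deb7u1` in the environment to see the refusal; a non-zero exit from preinst makes dpkg abort the install of that package and leave the old version in place.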