Bug#766249: iceweasel: wheezy force upgraded to 31.2.0esr-2~deb7u1

William Herrin herrin at dirtside.com
Wed Oct 22 16:33:28 UTC 2014


On Tue, Oct 21, 2014 at 9:23 PM, Mike Hommey <mh at glandium.org> wrote:
> On Tue, Oct 21, 2014 at 08:18:14PM -0400, William Herrin wrote:
> > On Tue, Oct 21, 2014 at 6:42 PM, Mike Hommey <mh at glandium.org> wrote:
> > > On Tue, Oct 21, 2014 at 06:05:27PM -0400, William Herrin wrote:
> > > > https://www.debian.org/security/faq
> > > >
> > > > "The most important guideline when making a new package that fixes a
> > > > security problem is to make as few changes as possible. Our users and
> > > > developers are relying on the exact behaviour of a release once it is
> > > > made, so any change we make can possibly break someone's system."
>
> Wanna bet what Red Hat does? Spoiler alert: the same thing
> https://www.redhat.com/archives/rhsa-announce/2014-October/msg00026.html

Mike, you summarize my complaint: with iceweasel you've done the same lousy
job at versioning that Red Hat does. You can do better. To come close to
meeting the Debian patch guidelines, you must do better.


> Reality is that the choice is between not shipping a web browser, or
> shipping one that's secure.

Nonsense. I offered three credible alternatives to the current practice for
iceweasel in yesterday's email, none of which requires significant
additional effort from you.


> It's impossible to ship a secure browser
> that stays at the same major version anymore[1].

Agreed. Nevertheless, your conclusion above does not follow from this fact.
There are better ways to handle the problem than blithely blowing away the
users' configuration, including better ways at the same level of effort.
Open your mind.

Regards,
Bill Herrin