Bug#783274: iceweasel: stop tracking ESR in testing/unstable and make an iceweasel-esr package instead

Christoph Anton Mitterer calestyo at scientia.net
Fri Apr 24 23:03:31 UTC 2015


Source: iceweasel
Severity: wishlist


Hi.

For quite some time now, the Debian iceweasel package has tracked the ESR version
in testing/unstable, and the current version of FF is only available in
experimental or through "unofficial" repos.


I think many people run their desktop and/or production servers on testing
or even unstable, but still, in order not to have to use a completely outdated
FF one needs to use experimental, which is kind of annoying.

Sure, pulling it in from experimental is quite easy via apt_preferences,
but in experimental there is no security support (unlike testing).


I guess the main reason for tracking ESR is probably to have a "long-term-supported"
version in stable, but - wearing the security expert hat - assuming that such
versions are really still secure after perhaps more than 1 or 2 years is
probably an illusion.
Even when they're still supported by upstream, they simply receive far less
scrutiny (in terms of security audits/analysis) than the current versions.
Also, security holes are often silently fixed, without being identified as such.

Long story short, I think it's at least somewhat questionable whether something
as dynamic as a browser can really be long-term-supported.


Anyway,... may I wish for the following:
Let the iceweasel package track current versions of FF and add e.g. an
iceweasel-esr package, which tracks the ESR version.
Since you already provide the current versions really fast in experimental,
it shouldn't be too difficult to do the same for at least unstable.
Such a package could either never enter testing, or (based on my security analysis
above) one could simply declare it unsupported in testing/stable after some
short time, and ask people to use a version from backports.


Cheers,
Chris.
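The apt_preferences pin the report refers to, written out as an added example (not part of the original message, and not a Debian-provided file). It assumes that an experimental entry is already present in sources.list and that the package is still named iceweasel; the file name under /etc/apt/preferences.d/ is arbitrary:

```text
# /etc/apt/preferences.d/iceweasel-experimental  (added example, hypothetical file name)
#
# experimental is NotAutomatic, so by default every package in it has
# pin priority 1 and is never chosen unless requested explicitly.
# Raising iceweasel alone to 500 puts it on equal footing with
# testing/unstable, so apt installs whichever candidate has the
# highest version, i.e. the experimental build when it is newer.
# Everything else in experimental keeps priority 1 and stays untouched.
Package: iceweasel
Pin: release a=experimental
Pin-Priority: 500
```

Before relying on it, check the result with `apt-cache policy iceweasel`: the candidate version should come from experimental and the other experimental sources should still show priority 1. A pin only changes what apt selects; it does not add security support, which, as the report notes, experimental does not have.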