Bug#783274: iceweasel: stop tracking ESR in testing/unstable and make an iceweasel-esr package instead

Christoph Anton Mitterer calestyo at scientia.net
Sat Apr 25 17:16:47 UTC 2015


On Sat, 2015-04-25 at 11:54 +0200, Sylvestre Ledru wrote: 
> > Even when they're still supported by upstream, they simply receive far less
> > scrutiny (in terms of security audits/analysis) than the current versions.
> > Also often security holes are silently fixed, without being identified as such.
> >
> As Firefox release manager, I can tell you that this statement is incorrect.
> For every security bug, if the information is not present, the question
> "is ESR31 impacted?".
Sure, but I didn't talk about this at all.
I referred to code that is changed/removed which may contain bugs that
perhaps contain security issues, which are never identified as such,
maybe not even as a "normal" bug.


> And if you saw any security holes being silently fixed, this was not on
> purpose and it was a mistake.
No I haven't seen any particular cases, but this has happened to all
different kinds of software, libc (GHOST), the kernel and so on.

I don't think that Mozilla can make extensive security audits of every
line of code that is about to be changed/removed, so it's IMHO naive to
believe that FF would be safe from this situation, whereas mostly all
other software is not.

Best wishes,
Chris.