On Tuesday 08 August 2006 04:22, Thorsten Leemhuis wrote: > Firefox 1.5.0.5 was released on July 26, nearly two weeks ago now. It > contains very important security fixes AFAICS (an exploit is in the wild > AFAIK) but there is still no update for FC5 in sight. What the heck is > taking so long? This behavior brings Fedora in discredit because Firefox > is a very important package. And it's actually the second time already > that it takes so long -- firefox 1.5.0.4 was release as FC5 update on 15 > Jun 2006, two weeks after the official release on mozilla.org. Unfortunately we have basically one fellow at Red Hat to manage all the mozilla / seamonkey / firefox / thunderbird updates. And he has to manage them from RHEL2.1 all the way through development. He is REALLY overworked. This is one of the cases were it would be really nice to have it in Extras so that somebody else could donate some time to massage the build through. The mozilla suite is very fickle, and tends to fall over if the slightest thing changes. If the build doesn't just succeed it can be a long drawn out process to get it built / tested / releases. Unfortunately we've been in crunch time at work for not only the FC6 Test2 deadline, but the RHEL5 Beta1 deadline too. This meant that the other folks in the Desktop team did not really have a spare cycle to try and process the firefox update. Yes, it sucks. Yes, we could do better. How can the community help? If the patch is in the wild, try to compile with the patch. If the compile fails, fix it, and provide a working patch / srpm in the bug. That way just about any package monkey (like me) could push it through the build system. Also you have to take into account that firefox.org doesn't care about Linux. They produce "updates" that are first Windows precompiled binaries. Their Linux stuff is still in CVS, not even tarball released yet, so we have to try and take a CVS snapshot or troll through CVS logs to find the right patch. They also don't seem to care about vendorsec, or if they do its a token notice and nonsensical embargo dates. The last one I noticed was set to be released in the middle of a global holiday (Easter). They really really suck for trying to work out security updates, especially for Linux where they aren't providing the binaries. They care about what they provide as precompiled clients and nothing else (at least that's how it appears from the outside). This is yet another reason why the security update can take longer than expected and longer after it's public than expected. Not an excuse, just another factor. -- Jesse Keating Release Engineer: Fedora
Attachment:
pgpwoHlXrqiM9.pgp
Description: PGP signature
_______________________________________________ fedora-advisory-board mailing list fedora-advisory-board@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-advisory-board
_______________________________________________ fedora-advisory-board-readonly mailing list fedora-advisory-board-readonly@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-advisory-board-readonly
