Re: rant: why does it take so long to prepare a firefox update for FC5?

First: thx for the answer Jesse!

Jesse Keating wrote:
> On Tuesday 08 August 2006 04:22, Thorsten Leemhuis wrote:
>> Firefox 1.5.0.5 was released on July 26, nearly two weeks ago now. It
>> contains very important security fixes AFAICS (an exploit is in the wild
>> AFAIK) but there is still no update for FC5 in sight. What the heck is
>> taking so long? This behavior brings Fedora into discredit because Firefox
>> is a very important package. And it's actually the second time already
>> that it takes so long -- firefox 1.5.0.4 was released as FC5 update on 15
>> Jun 2006, two weeks after the official release on mozilla.org.

> Unfortunately we have basically one fellow at Red Hat to manage all the mozilla / seamonkey / firefox / thunderbird updates. And he has to manage them from RHEL2.1 all the way through development. He is REALLY overworked. This is one of the cases where it would be really nice to have it in Extras so that somebody else could donate some time to massage the build through. The mozilla suite is very fickle, and tends to fall over if the slightest thing changes. If the build doesn't just succeed it can be a long drawn out process to get it built / tested / released. Unfortunately we've been in crunch time at work for not only the FC6 Test2 deadline, but the RHEL5 Beta1 deadline too. This meant that the other folks in the Desktop team did not really have a spare cycle to try and process the firefox update.
>
> Yes, it sucks.  Yes, we could do better.

s/could/should/ IMHO.

> How can the community help? If the patch is in the wild, try to compile with the patch. If the compile fails, fix it, and provide a working patch / srpm in the bug. That way just about any package monkey (like me) could push it through the build system.

Well, as I wrote, the updated spec file is in CVS already for some days now and it builds and works fine here on FC5 x86_64.

Further: How could Red Hat help? *Red Hat should ask for help in situations like this!* There are a lot of people around in Extras/Fedora-land that are willing to help in situations like this, but probably nobody is going to step up without an external trigger. We are used to @redhat-maintainers that take care of their packages on their own.

> Also you have to take into account that firefox.org doesn't care about Linux. They produce "updates" that are first Windows precompiled binaries. Their Linux stuff is still in CVS, not even tarball released yet, so we have to try and take a CVS snapshot or troll through CVS logs to find the right patch. They also don't seem to care about vendorsec, or if they do it's a token notice and nonsensical embargo dates. The last one I noticed was set to be released in the middle of a global holiday (Easter). They really really suck for trying to work out security updates, especially for Linux where they aren't providing the binaries. They care about what they provide as precompiled clients and nothing else (at least that's how it appears from the outside). This is yet another reason why the security update can take longer than expected and longer after it's public than expected. Not an excuse, just another factor.

<unfair mode>
Well, that factor didn't stop Ubuntu from releasing a Firefox update even slightly before mozilla.org did:
https://lists.ubuntu.com/archives/ubuntu-security-announce/2006-July/000367.html
Tue Jul 25 09:49:50 BST 2006
</unfair mode>

BTW, I hope we get something like the co-maintainership in Core in the longer term (see
https://www.redhat.com/archives/fedora-extras-list/2006-July/msg00960.html
for the plans on co-maintainership in Extras -- I hope this can influence Core in the longer term, too).

CU
thl

_______________________________________________
fedora-advisory-board mailing list
fedora-advisory-board@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-advisory-board
