On Tue, Aug 11, 2015 at 12:12 PM, Chris Murphy <lists@xxxxxxxxxxxxxxxxx> wrote:
> On Tue, Aug 11, 2015 at 12:41 PM, Gerald B. Cox <gbcox@xxxxxx> wrote:
>> https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries
>
> Meanwhile, on OS X I was already given notification of Firefox being
> updated to 40.0.0 just a bit ago. And while I see Firefox 40.0 in
> koji, there are no Bodhi entries for it, so it's not in any repo.
>
> So I don't really buy any of the security arguments of either "no
> bundled libraries" or the FF exception to it. The delay appears to be
> packaging itself. Mozilla produces OS X and Windows specific
> packages, and they update themselves rather than going through the OS
> update system. This doesn't happen on Linux, where it's expected
> Firefox gets updated by the distro repo and packaging system. Yet I
> see a Linux tar.bz2 for Firefox at downloads.mozilla.org so I wonder
> why that binary doesn't just run unmodified anywhere and I'm waiting
> for 40.0 to show up in Bodhi?

IMO it would be really really neat if Fedora could deterministically rebuild whatever binary Mozilla distributes and have a binary identical package.

/me stops daydreaming

I think that, in general, Fedora is too slow about turning a security update submitted to stable via Bodhi into an actual available update. For high-profile things like Firefox, we're pretty good about getting karma, but even that depends on people manually installing an update that isn't actually available in updates-testing so they can give it karma.

--Andy
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct