From: Jesse Keating <jkeating <at> redhat.com>
Subject: Re: [fab] rant: why does it take so long to prepare a firefox update for FC5?
Newsgroups: gmane.linux.redhat.fedora.advisory-board
Date: Tuesday 8th August 2006 11:30:30 UTC (over 11 years ago)
On Tuesday 08 August 2006 04:22, Thorsten Leemhuis wrote:
> Firefox 1.5.0.5 was released on July 26, nearly two weeks ago now. It
> contains very important security fixes AFAICS (an exploit is in the wild
> AFAIK) but there is still no update for FC5 in sight. What the heck is
> taking so long? This behavior brings Fedora in discredit because Firefox
> is a very important package. And it's actually the second time already
> that it takes so long -- firefox 1.5.0.4 was released as FC5 update on 15
> Jun 2006, two weeks after the official release on mozilla.org.

Unfortunately we have basically one fellow at Red Hat to manage all the
mozilla / seamonkey / firefox / thunderbird updates.  And he has to manage
them from RHEL2.1 all the way through development.  He is REALLY overworked.
This is one of the cases where it would be really nice to have it in Extras
so that somebody else could donate some time to massage the build through.
The mozilla suite is very fickle, and tends to fall over if the slightest
thing changes.  If the build doesn't just succeed it can be a long drawn out
process to get it built / tested / released.  Unfortunately we've been in
crunch time at work for not only the FC6 Test2 deadline, but the RHEL5 Beta1
deadline too.  This meant that the other folks in the Desktop team did not
really have a spare cycle to try and process the firefox update.

Yes, it sucks.  Yes, we could do better.  How can the community help?  If
the patch is in the wild, try to compile with the patch.  If the compile
fails, fix it, and provide a working patch / srpm in the bug.  That way just
about any package monkey (like me) could push it through the build system.

Also you have to take into account that firefox.org doesn't care about
Linux.  They produce "updates" that are first Windows precompiled binaries.
Their Linux stuff is still in CVS, not even tarball released yet, so we have
to try and take a CVS snapshot or troll through CVS logs to find the right
patch.  They also don't seem to care about vendorsec, or if they do it's a
token notice and nonsensical embargo dates.  The last one I noticed was set
to be released in the middle of a global holiday (Easter).  They really
really suck for trying to work out security updates, especially for Linux
where they aren't providing the binaries.  They care about what they provide
as precompiled clients and nothing else (at least that's how it appears from
the outside).  This is yet another reason why the security update can take
longer than expected and longer after it's public than expected.  Not an
excuse, just another factor.

-- 
Jesse Keating
Release Engineer: Fedora
 