[fab] rant: why does it take so long to prepare a firefox update for FC5?

Jesse Keating jkeating at redhat.com
Tue Aug 8 11:30:30 UTC 2006 

On Tuesday 08 August 2006 04:22, Thorsten Leemhuis wrote:
> Firefox 1.5.0.5 was released on July 26, nearly two weeks ago now. It
> contains very important security fixes AFAICS (an exploit is in the wild
> AFAIK) but there is still no update for FC5 in sight. What the heck is
> taking so long? This behavior brings Fedora in discredit because Firefox
> is a very important package. And it's actually the second time already
> that it takes so long -- firefox 1.5.0.4 was release as FC5 update on 15
> Jun 2006, two weeks after the official release on mozilla.org.

Unfortunately we have basically one fellow at Red Hat to manage all the 
mozilla / seamonkey / firefox / thunderbird updates.  And he has to manage 
them from RHEL2.1 all the way through development.  He is REALLY overworked.  
This is one of the cases were it would be really nice to have it in Extras so 
that somebody else could donate some time to massage the build through.  The 
mozilla suite is very fickle, and tends to fall over if the slightest thing 
changes.  If the build doesn't just succeed it can be a long drawn out 
process to get it built / tested / releases.  Unfortunately we've been in 
crunch time at work for not only the FC6 Test2 deadline, but the RHEL5 Beta1 
deadline too.  This meant that the other folks in the Desktop team did not 
really have a spare cycle to try and process the firefox update.

Yes, it sucks.  Yes, we could do better.  How can the community help?  If the 
patch is in the wild, try to compile with the patch.  If the compile fails, 
fix it, and provide a working patch / srpm in the bug.  That way just about 
any package monkey (like me) could push it through the build system.

Also you have to take into account that firefox.org doesn't care about Linux.  
They produce "updates" that are first Windows precompiled binaries.  Their 
Linux stuff is still in CVS, not even tarball released yet, so we have to try 
and take a CVS snapshot or troll through CVS logs to find the right patch.  
They also don't seem to care about vendorsec, or if they do its a token 
notice and nonsensical embargo dates.  The last one I noticed was set to be 
released in the middle of a global holiday (Easter).  They really really suck 
for trying to work out security updates, especially for Linux where they 
aren't providing the binaries.  They care about what they provide as 
precompiled clients and nothing else (at least that's how it appears from the 
outside).  This is yet another reason why the security update can take longer 
than expected and longer after it's public than expected.  Not an excuse, 
just another factor.

-- 
Jesse Keating
Release Engineer: Fedora
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-advisory-board/attachments/20060808/8c2a8b5c/attachment.sig>

More information about the fedora-advisory-board mailing list