[fab] rant: why does it take so long to prepare a firefox update for FC5?
Thorsten Leemhuis
fedora at leemhuis.info
Tue Aug 8 15:25:24 UTC 2006
First: thx for the answer Jesse!
Jesse Keating wrote:
> On Tuesday 08 August 2006 04:22, Thorsten Leemhuis wrote:
>> Firefox 1.5.0.5 was released on July 26, nearly two weeks ago now. It
>> contains very important security fixes AFAICS (an exploit is in the wild
>> AFAIK) but there is still no update for FC5 in sight. What the heck is
>> taking so long? This behavior brings Fedora into discredit because Firefox
>> is a very important package. And it's actually the second time already
>> that it takes so long -- firefox 1.5.0.4 was released as FC5 update on 15
>> Jun 2006, two weeks after the official release on mozilla.org.
>
> Unfortunately we have basically one fellow at Red Hat to manage all the
> mozilla / seamonkey / firefox / thunderbird updates. And he has to manage
> them from RHEL2.1 all the way through development. He is REALLY overworked.
> This is one of the cases where it would be really nice to have it in Extras so
> that somebody else could donate some time to massage the build through. The
> mozilla suite is very fickle, and tends to fall over if the slightest thing
> changes. If the build doesn't just succeed it can be a long drawn out
> process to get it built / tested / released. Unfortunately we've been in
> crunch time at work for not only the FC6 Test2 deadline, but the RHEL5 Beta1
> deadline too. This meant that the other folks in the Desktop team did not
> really have a spare cycle to try and process the firefox update.
>
> Yes, it sucks. Yes, we could do better.
s/could/should/ IMHO.
> How can the community help? If the
> patch is in the wild, try to compile with the patch. If the compile fails,
> fix it, and provide a working patch / srpm in the bug. That way just about
> any package monkey (like me) could push it through the build system.
Well, as I wrote, the updated spec file is in CVS already for some days
now and it builds and works fine here on FC5 x86_64.
Further: How could Red Hat help? *Red Hat should ask for help in
situations like this!* There are a lot of people around in
Extras/Fedora-land that are willing to help in situations like this, but
probably nobody is going to step up without an external trigger. We are
used to @redhat-maintainers that take care of their packages on their own.
> Also you have to take into account that firefox.org doesn't care about Linux.
> They produce "updates" that are first Windows precompiled binaries. Their
> Linux stuff is still in CVS, not even tarball released yet, so we have to try
> and take a CVS snapshot or troll through CVS logs to find the right patch.
> They also don't seem to care about vendorsec, or if they do it's a token
> notice and nonsensical embargo dates. The last one I noticed was set to be
> released in the middle of a global holiday (Easter). They really really suck
> for trying to work out security updates, especially for Linux where they
> aren't providing the binaries. They care about what they provide as
> precompiled clients and nothing else (at least that's how it appears from the
> outside). This is yet another reason why the security update can take longer
> than expected and longer after it's public than expected. Not an excuse,
> just another factor.
<unfair mode>
Well, that factor didn't stop Ubuntu from releasing a Firefox update
even slightly before mozilla.org did:
https://lists.ubuntu.com/archives/ubuntu-security-announce/2006-July/000367.html
Tue Jul 25 09:49:50 BST 2006
</unfair mode>
BTW, I hope we get something like the comaintainership in Core in the
longer term (see
https://www.redhat.com/archives/fedora-extras-list/2006-July/msg00960.html
for the plans on co-maintainership in Extras -- I hope this can
influence Core in the longer term, too)
CU
thl