[fab] rant: why does it take so long to prepare a firefox update for FC5?

Thorsten Leemhuis fedora at leemhuis.info
Tue Aug 8 15:25:24 UTC 2006


First: thx for the answer Jesse!

Jesse Keating schrieb:
> On Tuesday 08 August 2006 04:22, Thorsten Leemhuis wrote:
>> Firefox 1.5.0.5 was released on July 26, nearly two weeks ago now. It
>> contains very important security fixes AFAICS (an exploit is in the wild
>> AFAIK) but there is still no update for FC5 in sight. What the heck is
>> taking so long? This behavior brings Fedora in discredit because Firefox
>> is a very important package. And it's actually the second time already
>> that it takes so long -- firefox 1.5.0.4 was released as FC5 update on 15
>> Jun 2006, two weeks after the official release on mozilla.org.
> 
> Unfortunately we have basically one fellow at Red Hat to manage all the 
> mozilla / seamonkey / firefox / thunderbird updates.  And he has to manage 
> them from RHEL2.1 all the way through development.  He is REALLY overworked.  
> This is one of the cases where it would be really nice to have it in Extras so 
> that somebody else could donate some time to massage the build through.  The 
> mozilla suite is very fickle, and tends to fall over if the slightest thing 
> changes.  If the build doesn't just succeed it can be a long drawn out 
> process to get it built / tested / released.  Unfortunately we've been in 
> crunch time at work for not only the FC6 Test2 deadline, but the RHEL5 Beta1 
> deadline too.  This meant that the other folks in the Desktop team did not 
> really have a spare cycle to try and process the firefox update.
> 
> Yes, it sucks.  Yes, we could do better.

s/could/should/ IMHO.

>  How can the community help?  If the 
> patch is in the wild, try to compile with the patch.  If the compile fails, 
> fix it, and provide a working patch / srpm in the bug.  That way just about 
> any package monkey (like me) could push it through the build system.

Well, as I wrote, the updated spec file is in CVS already for some days 
now and it builds and works fine here on FC5 x86_64.

Further: How could Red Hat help? *Red Hat should ask for help in 
situations like this!* There are a lot of people around in 
Extras/Fedora-land that are willing to help in situations like this, but 
probably nobody is going to step up without an external trigger. We are 
used to @redhat-maintainers that take care of their packages on their own.

> Also you have to take into account that firefox.org doesn't care about Linux.  
> They produce "updates" that are first Windows precompiled binaries.  Their 
> Linux stuff is still in CVS, not even tarball released yet, so we have to try 
> and take a CVS snapshot or troll through CVS logs to find the right patch.  
> They also don't seem to care about vendorsec, or if they do it's a token 
> notice and nonsensical embargo dates.  The last one I noticed was set to be 
> released in the middle of a global holiday (Easter).  They really really suck 
> for trying to work out security updates, especially for Linux where they 
> aren't providing the binaries.  They care about what they provide as 
> precompiled clients and nothing else (at least that's how it appears from the 
> outside).  This is yet another reason why the security update can take longer 
> than expected and longer after it's public than expected.  Not an excuse, 
> just another factor.

<unfair mode>
Well, that factor didn't stop Ubuntu from releasing a Firefox update 
even slightly before mozilla.org did:
https://lists.ubuntu.com/archives/ubuntu-security-announce/2006-July/000367.html
Tue Jul 25 09:49:50 BST 2006
</unfair mode>

BTW, I hope we get something like the comaintainership in Core in the 
longer term (see
https://www.redhat.com/archives/fedora-extras-list/2006-July/msg00960.html
for the plans on co-maintainership in Extras -- I hope this can 
influence Core in the longer term, too)

CU
thl



