On Thursday, 27 April 2006 15:36, houghi wrote:
> On Thu, Apr 27, 2006 at 03:09:50PM +0200, David Wright wrote:
> > On Wednesday, 26 April 2006 14:24, houghi wrote:
> > > On Wed, Apr 26, 2006 at 01:10:33PM +0200, David Wright wrote:
> > > > For example, I've been a SUSE user for around 5 years, but I only joined the mailing lists in November/December last year. If I hadn't read the relevant mails on the lists, I'd probably be cursing SUSE and downloading .0.2 from the Mozilla site...
> > > I read this and think: why would you go and download? I will just wait and let YOU take care of the solution.
> > Because Mozilla are saying 1.5.0.1 is unsafe and YOU won't download 1.5.0.2 because the fixes are backported into 1.5.0.1...
> SUSE 10.0 has 1.0.8, not 1.5. So if you are using 1.5, then on 10.0 it does not matter and on 10.1RCx (or better on 10.1 once it is released) YOU will take care of the security patches as always.
> This has always been the case. I fail to see the problem.
I am talking hypothetically here; it doesn't matter which version of SUSE I am using and which version of the application I am using... If I am using package xyz 1.2.3 and the maintainer does a press release saying that xyz 1.2.3 contains serious security vulnerabilities and everybody should upgrade to 1.2.4, but SUSE backport the patches to 1.2.3, the average user who doesn't subscribe to the lists will assume that, even though the version of 1.2.3 they have from YOU has the vulnerabilities patched, they are at risk and SUSE aren't doing a good job of keeping on top of the patching.

I think maybe if the release notes for the package downloaded in YOU said "version 1.2.3 - with security fixes from 1.2.4", or something similar in the Help->About on a GUI app or the --help page on a CLI tool... I think this policy needs to be clearly explained in a prominent place on the Wiki as well, for example, because I have seen similar questions popping up regularly on forums and newsgroups.

I'm not trying to be negative here, but a clearer explanation is needed of the Novell/SUSE policy on backporting, and it needs to be put somewhere where normal users who don't belong to the lists will find out about it. Maybe in cases like the Firefox example which started this thread, where a group like Mozilla put out a security warning press release for their product and SUSE are backporting the fix, there should be an announcement on the News page of the Wiki that the latest version through YOU has had said fixes applied to it.

Dave

-- 
"I got to go figure," the tenant said. "We all got to figure. There's some way to stop this. It's not like lightning or earthquakes. We've got a bad thing made by men, and by God that's something we can change." - The Grapes of Wrath, by John Steinbeck
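The check a user in the position Dave describes can run, as an added example that is not part of the thread: read the package changelog rather than trusting the version string. It assumes the distribution records backports in the rpm changelog (as shown by `rpm -q --changelog <package>`); the changelog text and the `backport_status` helper are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Decide whether an installed package already carries the fixes from a
# newer upstream release by reading the package changelog instead of the
# version number alone. Assumes the distribution notes backports in the
# rpm changelog; on a live system the text would come from
#   rpm -q --changelog MozillaFirefox
# The changelog below is constructed for this example.

SAMPLE_CHANGELOG='* Thu Apr 20 2006 - maintainer@example.invalid
- backported security fixes from Mozilla Firefox 1.5.0.2
* Wed Feb 01 2006 - maintainer@example.invalid
- update to 1.5.0.1
'

# backport_status CHANGELOG INSTALLED_VERSION UPSTREAM_FIXED_VERSION
# Prints "patched" (exit 0) or "unpatched" (exit 1).
backport_status() {
    changelog=$1
    installed=$2
    fixed=$3

    # The installed version already is the fixed upstream release.
    if [ "$installed" = "$fixed" ]; then
        echo patched
        return 0
    fi

    # Otherwise look for a changelog line that names the fixed upstream
    # release together with a backport/security keyword. grep -F keeps
    # the dots in the version number literal; a plain "update to 1.5.0.1"
    # line does not count as a backport of 1.5.0.1.
    if printf '%s\n' "$changelog" \
        | grep -F -- "$fixed" \
        | grep -i -E 'backport|security' >/dev/null; then
        echo patched
        return 0
    fi

    echo unpatched
    return 1
}

# Dave's scenario: Mozilla says 1.5.0.1 is unsafe, the fix is in 1.5.0.2,
# and the installed package still reports 1.5.0.1.
backport_status "$SAMPLE_CHANGELOG" 1.5.0.1 1.5.0.2
```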