package update politics

Other talk about Salix

Re: package update politics

Postby witek » 20. Feb 2012, 18:30

Regarding security holes I'm not sure if updating Firefox 9 with 10 just after it had been released was right, as later came two fix releases within two weeks or so. Maybe it would have been better to wait a month or so until the Firefox developers fix their bugs? It seems that all new Firefox releases come with many bugs.
witek
 
Posts: 207
Joined: 16. Nov 2009, 13:41
Location: Poland.Łódź

Re: package update politics

Postby gapan » 20. Feb 2012, 18:35

witek wrote:Regarding security holes I'm not sure if updating Firefox 9 with 10 just after it had been released was right, as later came two fix releases within two weeks or so. Maybe it would have been better to wait a month or so until the Firefox developers fix their bugs? It seems that all new Firefox releases come with many bugs.

So it would have been better to keep known security holes for a month? What makes you think that holes in 10.0 were not also present in 9.0.x? And in any case, the Firefox packages in Salix were updated to 10.0.1 and 10.0.2 as soon as they were released.
gapan
Salix Wizard
 
Posts: 3487
Joined: 6. Jun 2009, 17:40

Re: package update politics

Postby Shador » 20. Feb 2012, 19:36

If there are security updates they should be released as fast as possible. Look upon it like this:
If there's a security issue, e.g. in Firefox 9, and Firefox 10 fixes it, then that issue is publicly known. That means it's likely that exploits for that issue exist or are being developed. But security issues are not yet known in Firefox 10, at least as of its release. There might be such issues, but as they're not known at that point it's much less likely that an exploit exists for them. For Firefox 9 in turn those exploits are a lot more likely to exist. So would you stay with Firefox 9, which is much more likely to be attacked?

Generally you're safe against publicly known security issues if, shortly after they become publicly known, a new release fixes them and you promptly update to that release. Exploits for publicly known issues can only be used against outdated machines. Such issues are the most commonly used, as they're usually used by less experienced attackers. Professionals might use them as well, but usually don't attack a majority of systems.
Of course there's always a danger of unknown security issues, which are commonly searched for by professionals. But you're a lot less likely to be attacked by those. Apart from that, would you like to be exposed to both sets of security issues or only one?
Shador
Salix Warrior
 
Posts: 1295
Joined: 11. Jun 2009, 14:04
Location: Bavaria

Re: package update politics

Postby ElderDryas » 20. Feb 2012, 19:51

In a somewhat related topic....

A while ago (a week, two, three?... I forget) there was an exchange (IIRC on the ML) related to updating packages in the repos (bugs, security, cosmetic, etc.). An e-meeting was suggested to lay out the guidelines.

Would it be possible for someone to report on the outcome of that meeting (i.e., lay out the guidelines)? It might help the rest of us to know the who/what/where/how of individual packages getting updated.

If this would just repeat something that is already published (say, on the website), please include where this is located (URL, etc.).
ElderDryas
 
Posts: 63
Joined: 3. Nov 2011, 22:06
Location: Lincoln, Nebraska USA

Re: package update politics

Postby Shador » 20. Feb 2012, 20:34

Shador
Salix Warrior
 
Posts: 1295
Joined: 11. Jun 2009, 14:04
Location: Bavaria

Re: package update politics

Postby ElderDryas » 20. Feb 2012, 20:43

Thanks for the link(s). As I read it, this particular question was postponed until the "next" meeting (last topic) ?
ElderDryas
 
Posts: 63
Joined: 3. Nov 2011, 22:06
Location: Lincoln, Nebraska USA

Re: package update politics

Postby Shador » 20. Feb 2012, 21:17

Yes, but support of old repositories has been discussed, which is also part of the package update policies.
Shador
Salix Warrior
 
Posts: 1295
Joined: 11. Jun 2009, 14:04
Location: Bavaria

Re: package update politics

Postby witek » 21. Feb 2012, 09:37

Shador and gapan, I understand your points. If you really track the security holes in Firefox and update the package as soon as they're fixed, then I trust you.
witek
 
Posts: 207
Joined: 16. Nov 2009, 13:41
Location: Poland.Łódź

Re: package update politics

Postby thenktor » 22. Feb 2012, 10:33

witek wrote:Regarding security holes I'm not sure if updating Firefox 9 with 10 just after it had been released was right, as later came two fix releases within two weeks or so. Maybe it would have been better to wait a month or so until the Firefox developers fix their bugs? It seems that all new Firefox releases come with many bugs.

Rules of thumb:
* update soon, update often
* keep your browser to the latest version
thenktor
Salix Wizard
 
Posts: 2393
Joined: 6. Jun 2009, 14:47
Location: Franconia
