2 memory corruption bugs introduced to Firefox by Debian patches:
bugzilla.mozilla.org/show_bug.cgi?i
bugzilla.mozilla.org/show_bug.cgi?i
Freezing versions of most software for years, backporting a small subset of security fixes and applying broken / strange distribution-specific changes isn't great.
A lot of distributions have these kinds of problems with their packaging but Debian remains the best example.
It's painful working with Debian due to all the distribution-specific broken extensions, hacks, meta-configuration and scripts. It's awful as an upstream maintainer too.
A lot of times people don't realize a ton of the scripts, configuration and odd bugs/extensions are something added downstream. It's also pretty awful having tons of people using ancient versions of your software. Even if you provide supported LTS branches, they won't ship it...
They partially gave in for web browsers, but they still pretend fixing a tiny subset of security issues is adequate for other things. Most security bugs don't get a CVE and they only fix a subset of those, eventually. It's certainly not limited to Debian.
Android seems to have finally realized they need to ship the kernel.org LTS releases at a much quicker pace as part of the monthly updates.
At least they were shipping a larger subset of CVE fixes monthly and the LTS versions via both quarterly and yearly releases.
This Tweet was deleted by the Tweet author.
Yes, it's a serious problem for the vast majority of packages including the Linux kernel in Debian stable.
The tweet right after the one that you're replying to already explains that they made a special case for certain browser packages, not in general:
Quote Tweet
They partially gave in for web browsers, but they still pretend fixing a tiny subset of security issues is adequate for other things. Most security bugs don't get a CVE and they only fix a subset of those, eventually. It's certainly not limited to Debian.