Gentoo Archives: gentoo-dev

From: Duncan <1i5t5.duncan@×××.net>
To: gentoo-dev@l.g.o
Subject: [gentoo-dev] Re: [RFC] How do we handle stabilisations of not-exactly-maintained packages
Date: Wed, 21 Sep 2011 16:52:08
In Reply to: Re: [gentoo-dev] Re: [RFC] How do we handle stabilisations of not-exactly-maintained packages by Rich Freeman
Rich Freeman posted on Wed, 21 Sep 2011 12:10:27 -0400 as excerpted:

> Plus at least with firefox the old versions don't suddenly stop
> working/etc, assuming they still get upstream security notices.

That's the thing. AFAIK, they don't. FF4 is still getting them I believe, due to longer term commitments made there, but from FF5 onward, no. The upstream policy is that with rare urgent (0-day) exceptions like the recent bump for SSL certs invalidation that necessitate a mid-cycle bump, updates will be to the next major version. Thus, once a new major version is out, previous versions are already considered vulnerable by definition and no further notices are given.

In fact, there has even been discussion of removing the numeric version info from the about box, etc. It would say something like either "You are running the latest version" or "Updates are available and you are urged to upgrade", that's it. However, from the coverage I've read, the current release manager, at least, decided that numeric version info would remain available. (Partly, that was due to already getting push-back on the 6-week-cycle and given that, someone having at least enough sanity not to push it all the way to binary current/not-current.)

So yes, either current stable policy will need to change, or Gentoo might as well give up on a stable firefox. It's as if they're deliberately forcing the issue, strongly encouraging distros and their users to simply give up on distro versions entirely, and go direct-upstream-sourced pre-compiled binaries. I guess that's one way to solve the bundled library and patches vs. trademarks issues! =:^(

(Of course, firefox is more or less being pushed into it since chrome with its extremely similar policies, is eating their lunch ATM, thus all these chrome-clone policy changes. Unfortunately, most of the world is still proprietary, and that's SOP in the proprietary world.)

... And I don't have a clue when the scheduled cutoff is, but ff4 won't be supported forever.

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman