|| ||Jesse Keating <jkeating-AT-redhat.com>|
|| ||Re: [fab] rant: why does it take so long to prepare a firefox update
|| ||Tue, 8 Aug 2006 07:30:30 -0400|
On Tuesday 08 August 2006 04:22, Thorsten Leemhuis wrote:
> Firefox 220.127.116.11 was released on July 26, nearly two weeks ago now. It
> contains very important security fixes AFAICS (an exploit is in the wild
> AFAIK) but there is still no update for FC5 in sight. What the heck is
> taking so long? This behavior brings Fedora in discredit because Firefox
> is a very important package. And it's actually the second time already
> that it takes so long -- firefox 18.104.22.168 was release as FC5 update on 15
> Jun 2006, two weeks after the official release on mozilla.org.
Unfortunately we have basically one fellow at Red Hat to manage all the
mozilla / seamonkey / firefox / thunderbird updates. And he has to manage
them from RHEL2.1 all the way through development. He is REALLY overworked.
This is one of the cases were it would be really nice to have it in Extras so
that somebody else could donate some time to massage the build through. The
mozilla suite is very fickle, and tends to fall over if the slightest thing
changes. If the build doesn't just succeed it can be a long drawn out
process to get it built / tested / releases. Unfortunately we've been in
crunch time at work for not only the FC6 Test2 deadline, but the RHEL5 Beta1
deadline too. This meant that the other folks in the Desktop team did not
really have a spare cycle to try and process the firefox update.
Yes, it sucks. Yes, we could do better. How can the community help? If the
patch is in the wild, try to compile with the patch. If the compile fails,
fix it, and provide a working patch / srpm in the bug. That way just about
any package monkey (like me) could push it through the build system.
Also you have to take into account that firefox.org doesn't care about Linux.
They produce "updates" that are first Windows precompiled binaries. Their
Linux stuff is still in CVS, not even tarball released yet, so we have to try
and take a CVS snapshot or troll through CVS logs to find the right patch.
They also don't seem to care about vendorsec, or if they do its a token
notice and nonsensical embargo dates. The last one I noticed was set to be
released in the middle of a global holiday (Easter). They really really suck
for trying to work out security updates, especially for Linux where they
aren't providing the binaries. They care about what they provide as
precompiled clients and nothing else (at least that's how it appears from the
outside). This is yet another reason why the security update can take longer
than expected and longer after it's public than expected. Not an excuse,
just another factor.
Release Engineer: Fedora
fedora-advisory-board mailing list
fedora-advisory-board-readonly mailing list
to post comments)