Issue: please fix the RSS feed on the wordpress site. #1030

Closed
mr-blobbyyy opened this issue Jan 8, 2017 · 8 comments
Labels
information_old (Deprecated; use "doc-todo" or "needinfo" instead) Information was/is required

Comments

@mr-blobbyyy

RSS feeds are the only way I know about updates to this project. The ones at SF and github work, but there are no release notes. Plus, the Ubuntu maintainers can't be bothered updating this project in their own repos -- that's really a separate issue tbh that needs to be addressed badly.

Additional request: can @netblue30 start a twitter account solely for updates and critical info? Unfortunately @FireJail has been taken, lol (nsfw.)

@SYN-cook
Contributor

SYN-cook commented Jan 9, 2017

Regarding Ubuntu: It is always the maintainer who is responsible for keeping his or her packages up to date. If you want to see a newer version in the repos, you will have to convince the package maintainers or find a sponsor. On another note, Ubuntu guarantees support only for packages from main, but not for packages from the universe repo, like firejail.

Failing everything else, you could grab a new version from here: https://firejail.wordpress.com/download-2/

@mr-blobbyyy
Author

mr-blobbyyy commented Jan 9, 2017

@SYN-cook interesting. But that raises the question, what happens to the universe package that has security misgivings in the future -- is everything up to the maintainer? Can the security team kill it if the maintainer is nowhere to be found? Hopefully un-maintained, internet-facing app 'x' doesn't come "pre-bundled" with your particular distro, otherwise you need to provide client training to manually update x?

I actually got in contact with the firejail maintainer, Reiner Herrmann. He (gender assumption) informed me that he isn't even involved with Ubuntu directly as he manages packages for Debian and that his versions of firejail get "synced" at certain points for currently-supported Ubuntu distros through (to me) an unknown process, which I thought was weird. Zesty has the latest firejail... Xenial has 0.9.38-1. He then goes on to say he'll look into getting security updates on the Ubuntu security team's radar and have them incorporate the updates into the "official" repos.

I'd still like @netblue30 to comment if firejail should even be in the repos -- if updates will not be provided -- for at least months.

@SYN-cook
Contributor

SYN-cook commented Jan 9, 2017

Well, it is the responsibility of Ubuntu to keep their distribution safe and updated. I could add that thanks to the efforts of Reiner Herrmann the Debian packages are always up to date.

Universe packages are maintained by MOTU (Masters Of The Universe), and you can reach them by posting on launchpad or directly to their mailing list ubuntu-motu@lists.ubuntu.com.

Regarding your other questions, I have found this.

@curiosity-seeker
Contributor

That packages in universe are not always well maintained/updated is a sad but well-known fact.

Fortunately, Reiner's ppa is up-to-date. (I had the impression that this was not always the case in the past, though.) But how many Ubuntu Firejail users have added that ppa?

@netblue30
Owner

The easiest way is to subscribe to the atom feed here on github: https://github.com/netblue30/firejail/releases.atom - I'll make sure there is a full description in the release notes going forward.

Regarding Ubuntu: the package is in the Universe repository, and is a community effort. Universe is set up without updates from Ubuntu proper on LTS branches. Most of the software in Ubuntu is like this. Keep in mind firejail is a very young project (under 3 years), you cannot compare it with the 20-year-old SELinux, or the 20-year-old OpenOffice. There will be more CVEs coming, my feeling is we are just getting started. The longest we managed to go so far without some sort of fixes was 3 months.

I do keep a 0.9.38 LTS branch with security fixes targeting Ubuntu 16.04 users. It is not as convenient as a regular update, but this is all we can do at the moment. You just have to go on the download page (https://sourceforge.net/projects/firejail/files/LTS/) and grab the latest i386 or amd64 package, and install it manually. There is also a PPA kept by @reinerh, although this one follows the current 0.9.44 branch.
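An added example (not code from the firejail project or from anyone in this thread) showing how the releases.atom feed netblue30 points to can be checked against an installed package version to spot a stale install; the feed text below is a constructed sample shaped like that feed, and the version numbers are the ones mentioned in this thread.

```python
# Added example (not firejail project code): check a GitHub releases.atom feed
# against an installed package version to spot a stale install.
# SAMPLE_FEED is a constructed sample shaped like releases.atom, not a live download.
import re
import xml.etree.ElementTree as ET

ATOM_NS = {"atom": "http://www.w3.org/2005/Atom"}

SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Release notes from firejail</title>
  <entry>
    <updated>2017-01-08T10:00:00Z</updated>
    <title>0.9.44.4</title>
    <link rel="alternate" href="https://github.com/netblue30/firejail/releases/tag/0.9.44.4"/>
  </entry>
  <entry>
    <updated>2016-12-01T10:00:00Z</updated>
    <title>0.9.44.2</title>
    <link rel="alternate" href="https://github.com/netblue30/firejail/releases/tag/0.9.44.2"/>
  </entry>
</feed>
"""

def parse_version(text):
    """'0.9.38-1' or 'v0.9.44.4' -> tuple of ints; the Debian revision after '-' is dropped."""
    upstream = text.lstrip("v").split("-", 1)[0]
    return tuple(int(p) for p in re.findall(r"\d+", upstream))

def releases_from_feed(xml_text):
    """Return [(version_tuple, title, link), ...] newest first from an Atom feed."""
    root = ET.fromstring(xml_text)
    out = []
    for entry in root.findall("atom:entry", ATOM_NS):
        title = entry.findtext("atom:title", default="", namespaces=ATOM_NS).strip()
        link_el = entry.find("atom:link", ATOM_NS)
        link = link_el.get("href", "") if link_el is not None else ""
        out.append((parse_version(title), title, link))
    return sorted(out, reverse=True)

def check_installed(installed, xml_text):
    """Compare an installed version string with the newest feed entry."""
    newest = releases_from_feed(xml_text)[0]
    return {"installed": installed, "latest": newest[1], "link": newest[2],
            "stale": parse_version(installed) < newest[0]}

if __name__ == "__main__":
    # 0.9.38-1 is the Xenial version mentioned in the thread
    print(check_installed("0.9.38-1", SAMPLE_FEED))
```

To use it against the real feed, fetch https://github.com/netblue30/firejail/releases.atom and pass its text in place of SAMPLE_FEED.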

@mr-blobbyyy
Author

mr-blobbyyy commented Jan 9, 2017

Don't get me wrong, I really do appreciate the project here, there's just some things I'd like to clarify.

> Universe is set up without updates from Ubuntu proper on LTS branches. Most of the software in Ubuntu is like this.

It really is a shame universe is set up like this. There are many people on the LTS who see "no reason" to continually update to the latest point release. You also still have a lot of non-technical (no disrespect) people from Mint as well who still need to rely on the 16.04 branch because Mint 18.1 still follows Xenial. In my mind, if a 0-day will be "successful", it will come through universe, probably targeting vlc or another widely-used app. This makes me want to start distro-hopping again to something like Solus, because all this talk about "supported until 2023" seems a bit misguided to me because we're internet-facing software users, and as such, we need the updates.

> The longest we managed to go so far without some sort of fixes was 3 months.

I was referring to the age of the package in the Xenial repo itself and was again wondering if you had any say about controlling updates to your package in the repo. My reasoning was, well if they're not going to issue any more updates, then what's the point of even having the broken version in the repo in the first place? (But still leave the PPA option open.) Many of us by now know this is a very manual process and I'm sure many wouldn't complain, but I can't speak for everyone.

@reinerh
Collaborator

reinerh commented Jan 9, 2017

I just filed a bug to get the CVE patches applied in Ubuntu 16.04 (LTS):
https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1655136

@netblue30 netblue30 added the information_old (Deprecated; use "doc-todo" or "needinfo" instead) Information was/is required label Jan 10, 2017
@netblue30
Owner

Just a short note: the guys at SUSE are still looking into the code. There is no way we finish the week without another set of CVEs and a new release.

5 participants