[Tails-dev] What to do with Firefox 17.0.11ESR?

Delete this message

Reply to this message
Autore: intrigeri
Data:  
To: tails-dev
Oggetto: [Tails-dev] What to do with Firefox 17.0.11ESR?
Hi,

a few data points to start with:

  * An unscheduled bonus Firefox ESR release is in the oven at
    Mozilla. It will be called 17.0.11ESR and the vulnerability that
    it will fix must be quite serious (else, *they* would not bother
    putting out a bonus release). I don't know when this release will
    be officially out. Either today or Tuesday, I guess.


  * Our next release is scheduled for December 11, with a freeze on
    November 30. That is, 3 weeks after .


  * I have imported the (tentative) source code for ESR11 into our
    Iceweasel Git repo, built, tested and uploaded packages. Build an
    ISO from feature/torbrowser-17.0.11esr in the main Tails repo and
    you can test that stuff. (Of course, we should be careful that
    Mozilla does not replace the tarball with another one between now
    and their release. It rarely happens, but it happens.)


So, the question is: do we want to prepare a bonus Tails 0.21.1 and
put it out next week? Are we in a position to do it?

Assuming the packages list does not change too much, and someone
verifies that the content of the ISO hasn't unexpected differences
with 0.21, perhaps we could run only the Iceweasel -related parts of
the test suite.

Who can prepare and upload the ISO?
Who can do the other release steps? (announces, APT blah, etc.)
Who can spend how much time "running" the manual test suite?

Personally, my time is already pretty much over-committed until the
end of the month (incremental updates + FF24 + RM'ing 0.22), so
I can't do more than helping a bit someone who would want to act as
the release manager for this bonus release.

One advantage of releasing 0.21.1 now is that I would sneak in the
latest incremental updates code, which would make 0.21.1 a very good
basis for alpha-testing the current state of this feature.

In the past, IIRC it happened once that we could not afford putting
out a release as fast as we could have wished, and we had documented
how to manually update the relevant packages inside a running Tails.
Worst case, I guess we could just issue a security advisory that
documents these steps.

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc