On Thu, 2006-07-27 at 12:43 -0600, Robin Laing wrote:
> Dan wrote:
> > John Wendel wrote:
> >
> >> Dan wrote:
> >>
> >>> list user wrote:
> >>>
> >>>> Hi all!
> >>>>
> >>>> I had Firefox-1.0.4 on my fc4 installation, and just did a "yum
> >>>> update firefox". Upon success I now have 1.0.8.
> >>>>
> >>>> Visiting mozilla.org I see that the current version of firefox is
> >>>> 1.5.0 which fixes certain security issues.
> >>>>
> >>>> I further note there are version numbers and release numbers.
> >>>>
> >>>> Could somebody shed some light on the relationship between fedora
> >>>> versions vis a vis mozilla versions/releases?
> >>>>
> >>>> Don't like running things that may have security issues :(
> >>>>
> >>>> Thank you,
> >>>> Mike Wright
> >>>>
> >>> 1.0.8 was released after 1.5.0 and probably contains the same
> >>> security fixes.
> >>> As for why 1.5.0 isn't in FC5, it has dependencies (don't remember
> >>> what the big one was, GCC or GTK or something) that would require you
> >>> to basically have to upgrade to FC5.
> >>> -Dan
> >>>
> >>
> >> Not true! I'm running 1.5.0.4 on an FC3 system. Works fine.
> >>
> >> Regards,
> >>
> >> John
> >>
> > Well I mean for them to package it with the packages for FC4. Otherwise
> > they would have.
> > -Dan
> >
> But Firefox's site can package it and it runs on FC4.
>
> I think it has more to do with all the RH changes.

I used to think that it was because some 1.0.x plugins wouldn't work in
1.5.x and that there was a policy of not doing major version updates
within a release that would break things like this for existing users.
However, given the discussion on fedora-devel-list about issuing an
update of xorg 7.1 for FC5 (for which there are currently no proprietary
nvidia or ATI drivers available), it seems that there is no policy in
place that prevents major version updates being issued even if it would
cause issues for third-party add-ons.

There was a discussion about mozilla/firefox vulnerabilities on
fedora-security-list last month:

http://www.redhat.com/archives/fedora-security-list/2006-June/msg00022.html

Perhaps the package maintainer is still busy backporting fixes for RHEL?

Paul.