Joey's Logbook
Problems with supporting Mozilla and Friends
It seems that, less than two months after the release of sarge, it is no longer possible to support our Mozilla, Thunderbird, Firefox (and probably Galeon) packages.
It is very unfortunate that the Mozilla Foundation does not provide dedicated, isolated and clean patches for the security problems reported against their software packages, i.e. patches that do not change functionality. Instead they release new versions that usually fix tons of security problems together with other changes that are irrelevant to a security update.
As a result, trying to support such software in a stable Debian release, which usually lasts more than one year, can be indefinitely difficult and time-consuming. It would require grokking the entire codebase and being able to understand the impact of every problem and every patch hunk.
Using new upstream versions is bound to cause new problems, so this is not a path we can safely take. Sooner or later new versions will change the behaviour of the program (so users will be confused), change the ABI (so binary plugins, language files etc. won't work anymore), change the API (so sourceful plugins, language files etc. won't work anymore), or alter the dependencies on other packages (so the update will slurp in new packages or cannot be built on stable at all).
This has already been the case with Mozilla Firebird. Debian sarge includes version 1.0.4, and the first upstream update release, 1.0.5, was already binary incompatible with the older release. The newer version, 1.0.6, seems to be fine at the moment, but future versions can easily break again.
This is an utter disaster in terms of security.
In the long term we are on a losing track with such packages in a stable release. It seems that this situation has already begun, less than two months after Debian released the current stable distribution.