Saturday, December 11, 2021

New Firefox ESR is late in Debian

Firefox 78 ESR reached its end of life on 2 November - five weeks ago - but the new version, Firefox 91 ESR, has not arrived in Debian Stable (or indeed in testing, which I am using now). That means that the security fixes shipped in 91 ESR are not available to users still on Firefox 78 ESR, leaving them exposed to known vulnerabilities until 91 ESR arrives.

Although none of these vulnerabilities is known to have been exploited against users, being weeks overdue for security updates is not a good place to be.

If this makes you nervous, I describe below how to update to the latest version.

The story has gone round the internet with an added dose of FUD. It is an example of how one web site runs a story it read on another web site, which in turn read it on a blog somewhere, and nobody bothers to fact-check it.

The story first appeared on BaronHK's Rants, a blog by... somebody. techrights.org reprinted it, and then Phoronix and The Register covered it.

The story notes the open vulnerabilities (which is true), but the blog and the re-runs all claim that Debian won't be able to push Firefox 91 ESR to Stable at all because Stable's libraries are too old. This claim comes from a bug report linked to in the blog, where a post on 8 November says:

Firefox-ESR 91.3 doesn't use OpenGL GLX anymore. Instead it uses EGL by default. EGL requires at least mesa version 21.x. Debian stable (bullseye) ships with mesa version 20.3.5. For the nvidia users the following bug report might be important...

Nobody at Phoronix or The Register thought to check the progress of the bug report before running the story. If they had, they would have noticed that the bug had been closed on 7 December, and that the problem had nothing to do with Mesa or EGL: it was in cubeb, Mozilla's audio library.

So, baseless FUD from a random blog gets spread around the internet.

Debian of course has to make sure that the new Firefox ESR release builds and works properly before shipping it to Stable. If you are nervous about using Firefox 78 ESR in Debian in the meantime, here is one way to get the latest version (there are other ways).

Add the Ubuntuzilla repository and its signing key to your apt sources, run an update, and install either the latest ESR or the latest mainline Mozilla build (Firefox 95 at the time of writing), which is what I did (I am running Testing, after all).

Note that you will have to uninstall firefox-esr first (which will automatically pull in the Epiphany browser as a replacement). You can then install from Ubuntuzilla. If you don't, both packages try to divert /usr/bin/firefox and you will get this error message:

dpkg-divert: error: 'diversion of /usr/bin/firefox to /usr/bin/firefox.ubuntu by firefox-mozilla-build' clashes with 'diversion of /usr/bin/firefox to /usr/bin/firefox.real by firefox-esr'
dpkg: error processing archive /var/cache/apt/archives/firefox-mozilla-build_95.0-0ubuntu1_amd64.deb (--unpack):
 new firefox-mozilla-build package pre-installation script subprocess returned error exit status 2
dpkg-divert: error: mismatch on divert-to
  when removing 'diversion of /usr/bin/firefox to /usr/bin/firefox.ubuntu by firefox-mozilla-build'
  found 'diversion of /usr/bin/firefox to /usr/bin/firefox.real by firefox-esr'
dpkg: error while cleaning up:
 new firefox-mozilla-build package post-removal script subprocess returned error exit status 2
Errors were encountered while processing:
 /var/cache/apt/archives/firefox-mozilla-build_95.0-0ubuntu1_amd64.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

Installing anything from Ubuntu on Debian is normally a bad idea, as mixing the two distributions' libraries causes breakage, but in this case it is fine, because the repository only wraps Mozilla's own upstream Firefox builds in a .deb and replaces no system libraries. You are still trusting a third-party repository and its signing key, though, so check the key's fingerprint against the Ubuntuzilla project page before adding it, and pin the key to that repository rather than trusting it for all of apt.
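As an added example (my own script, not code from the post or from the Ubuntuzilla project), here is the procedure above written so that it avoids the dpkg-divert clash shown in the error output and goes a little beyond the text on the trust side: it checks which package currently holds the /usr/bin/firefox diversion and removes firefox-esr only if it is the owner, stores the repository key in its own keyring referenced by signed-by, and refuses to continue unless the downloaded key's full fingerprint matches one you verified out of band. The apt line and short key ID are what I believe Ubuntuzilla publishes and are assumptions to be checked against the project page; of the package names only firefox-mozilla-build is confirmed by this page.

```shell
#!/bin/sh
# Added example (not from the original post): move a Debian system from
# firefox-esr to the Ubuntuzilla build without hitting the dpkg-divert clash,
# and add the repository key in a verified, pinned way.
#
# ASSUMPTIONS - verify all three against the Ubuntuzilla project page:
#   UBUNTUZILLA_REPO  apt line as I believe the project publishes it
#   UBUNTUZILLA_KEYID short key ID as I believe the project publishes it
#   UBUNTUZILLA_FPR   full fingerprint you have checked yourself (required)
set -eu

UBUNTUZILLA_REPO="deb [signed-by=/etc/apt/keyrings/ubuntuzilla.gpg] http://downloads.sourceforge.net/project/ubuntuzilla/mozilla/apt all main"
UBUNTUZILLA_KEYID="2667CA5C"
UBUNTUZILLA_FPR="${UBUNTUZILLA_FPR:-}"   # export this before running; empty aborts

# diversion_owner LINE: given one line of `dpkg-divert --list` output such as
#   "diversion of /usr/bin/firefox to /usr/bin/firefox.real by firefox-esr"
# print the package that owns the diversion (the word after the last " by ").
diversion_owner() {
    printf '%s\n' "$1" | sed -n 's/.* by \([^ ]*\)$/\1/p'
}

# conflicting_diverter LISTING: scan `dpkg-divert --list /usr/bin/firefox`
# output and print the owner of a /usr/bin/firefox diversion that is NOT
# firefox-mozilla-build (i.e. the package that would clash on install).
# Prints nothing when there is no conflicting diversion.
conflicting_diverter() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            "diversion of /usr/bin/firefox to "*)
                owner=$(diversion_owner "$line")
                if [ -n "$owner" ] && [ "$owner" != "firefox-mozilla-build" ]; then
                    printf '%s\n' "$owner"
                fi
                ;;
        esac
    done
}

# key_fingerprint_matches KEYRING EXPECTED: true only if the primary key in
# KEYRING has exactly the fingerprint EXPECTED (a short key ID is not enough:
# short IDs are trivially collidable, so we insist on the full fingerprint).
key_fingerprint_matches() {
    actual=$(gpg --show-keys --with-colons "$1" 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}')
    [ -n "$2" ] && [ "$actual" = "$2" ]
}

# install_from_ubuntuzilla PACKAGE: the full procedure from the post, with the
# pre-checks above. PACKAGE defaults to firefox-mozilla-build (the name seen
# in the error output); the ESR package has a different name on the project page.
install_from_ubuntuzilla() {
    pkg="${1:-firefox-mozilla-build}"
    if [ "$(conflicting_diverter "$(dpkg-divert --list /usr/bin/firefox)")" = "firefox-esr" ]; then
        echo "firefox-esr holds the /usr/bin/firefox diversion; removing it first"
        sudo apt-get remove firefox-esr
    fi
    tmpkey=$(mktemp)
    gpg --keyserver keyserver.ubuntu.com --recv-keys "$UBUNTUZILLA_KEYID"
    gpg --export "$UBUNTUZILLA_FPR" > "$tmpkey"
    if ! key_fingerprint_matches "$tmpkey" "$UBUNTUZILLA_FPR"; then
        echo "key fingerprint does not match UBUNTUZILLA_FPR; not adding repository" >&2
        rm -f "$tmpkey"
        exit 1
    fi
    sudo install -d -m 0755 /etc/apt/keyrings
    sudo install -m 0644 "$tmpkey" /etc/apt/keyrings/ubuntuzilla.gpg
    rm -f "$tmpkey"
    printf '%s\n' "$UBUNTUZILLA_REPO" | sudo tee /etc/apt/sources.list.d/ubuntuzilla.list >/dev/null
    sudo apt-get update
    sudo apt-get install "$pkg"
}

# Only run the procedure when asked explicitly; running the file with no
# argument just defines the functions above.
if [ "${1:-}" = "--install" ]; then
    install_from_ubuntuzilla "${2:-firefox-mozilla-build}"
fi
```

Run it as `UBUNTUZILLA_FPR=<fingerprint from the project page> sh ubuntuzilla.sh --install`. Binding the key to the repository with signed-by means a compromise of that key could only tamper with packages from this one source, not with anything else apt installs.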

Update: some information from a Debian developer about the delay.

Work on this is nearing completion.

Please note that Mozilla is constantly updating to newer rustc and LLVM versions. That means that preparing a new major ESR release for Debian requires not just the packaging of the firefox-esr and thunderbird updates, but also some very complex toolchain components. Those components are usually already in unstable/testing, but for stable, oldstable, and LTS, the toolchain must be backported first.

lists.debian.org

Debian also supports additional hardware architectures and the toolchain components sometimes require specific work in order to support those additional architectures. In fact, that was the case with this current update that is underway. 

...

It is lamentable that it has taken this long, but that is not an indication of a lack of effort on the part of the people in Debian working on this.

lists.debian.org

From Piorunz at the mailing lists, here is an alternative method to update Firefox ESR, preserving the user profile until Firefox ESR is updated in Debian.

lists.debian.org

Piorunz also points out, in a post on Phoronix, that Mesa is not the problem:

Works perfectly fine with Debian Stable and Mesa 20.3.5, because Firefox 91 ESR detects Mesa version and adjusts acceleration settings accordingly:

    X11_EGL available by default
    blocklisted by env:
    Blocklisted by gfxInfo

Phoronix
