They use Firefox ESR. But even that is incredibly hard work. This
already led to disaster at least once in Bullseye.
When Firefox 78 ESR had its EOL, the migration to Firefox 91 ESR
literally took months because of Rust dependencies. As a result,
Firefox in Debian was vulnerable for weeks.

Timeline:

2021-10-05  Firefox ESR 78.15.0 released (last release of 78)
            Firefox ESR 91.2.0 released
2021-10-06  firefox-esr 78.15.0esr-1~deb11u1 in stable
2021-11-02  Firefox ESR 91.3.0 released
            -> unfixed known vulnerabilities in 78 branch
2021-12-07  Firefox ESR 91.4.0 released
            -> more unfixed known vulnerabilities in 78 branch
2021-12-16  Firefox ESR 91.4.1 released
            -> even more unfixed known vulnerabilities in 78 branch
2021-12-19  firefox-esr 91.4.1esr-1~deb11u1 in stable

https://www.firefox.com/en-US/firefox/78.15.0/releasenotes/
https://www.firefox.com/en-US/firefox/91.2.0/releasenotes/
https://www.firefox.com/en-US/firefox/91.3.0/releasenotes/
https://www.firefox.com/en-US/firefox/91.4.0/releasenotes/
https://www.firefox.com/en-US/firefox/91.4.1/releasenotes/
https://tracker.debian.org/news/1264938/accepted-firefox-esr-78150esr-1deb11u1-source-into-stable-security-embargoed-stable-security/
https://tracker.debian.org/news/1287695/accepted-firefox-esr-9141esr-1deb11u1-source-into-stable-security-embargoed-stable-security/
Unfortunately, Chromium had unrelated issues with Debian patches at the
same time. The Chromium team addressed this by removing a lot of
patches and shipping a more upstream Chromium package.
https://www.phoronix.com/news/Web-Browser-Packages-Debian
Regards
Stephan