
Re: Hard Rust requirements from May onward



On Tue, Nov 4, 2025, at 3:25 PM, Stephan Verbücheln wrote:
> They use Firefox ESR. But even that is incredibly hard work. This
> already led to disaster at least once in Bullseye.
>
> When Firefox 78 ESR had its EOL, the migration to Firefox 91 ESR
> literally took months because of Rust dependencies. As a result,
> Firefox in Debian was vulnerable for weeks.

I was not involved back then, but the link you provided blames mesa, which at
the time had no Rust dependency yet (that was only introduced in 22, almost a
year later, not 21). Of course that doesn't mean that there might have been a
Rust/rustc related reason as well...

Starting with Trixie, newer rustc versions are provided via backports, so the
toolchain versions needed by browsers should be less problematic as they get
built and tested before the browsers need them, and the backports version can
be used to bootstrap the stable updates. The same would also be true for the
Linux kernel if that ever gains a hard dependency on rustc, although AFAICT
upstream is more conservative wrt minimum version requirements.

But IMHO this is less of a Rust issue, and more of a browser support issue -
the Rust aspect is just a symptom, not the cause.

I do have a lot of respect for the people maintaining both firefox(-esr) and
chromium in Debian - it's a hard job.

Fabian

> Timeline:
>
> 2021-10-05  Firefox ESR 78.15.0 released (last release of 78)
>             Firefox ESR 91.2.0 released
>
> 2021-10-06  firefox-esr 78.15.0esr-1~deb11u1 in stable
>
> 2021-11-02  Firefox ESR 91.3.0 released
>             -> unfixed known vulnerabilities in 78 branch
>
> 2021-12-07  Firefox ESR 91.4.0 released
>             -> more unfixed known vulnerabilities in 78 branch
>
> 2021-12-16  Firefox ESR 91.4.1 released
>             -> even more unfixed known vulnerabilities in 78 branch
>
> 2021-12-19  firefox-esr 91.4.1esr-1~deb11u1 in stable
>
>
> https://www.firefox.com/en-US/firefox/78.15.0/releasenotes/
> https://www.firefox.com/en-US/firefox/91.2.0/releasenotes/
> https://www.firefox.com/en-US/firefox/91.3.0/releasenotes/
> https://www.firefox.com/en-US/firefox/91.4.0/releasenotes/
> https://www.firefox.com/en-US/firefox/91.4.1/releasenotes/
>
> https://tracker.debian.org/news/1264938/accepted-firefox-esr-78150esr-1deb11u1-source-into-stable-security-embargoed-stable-security/
> https://tracker.debian.org/news/1287695/accepted-firefox-esr-9141esr-1deb11u1-source-into-stable-security-embargoed-stable-security/
>
>
> Unfortunately, Chromium had unrelated issues with Debian patches at the
> same time. The Chromium team addressed this by removing a lot of
> patches and shipping a more upstream Chromium package.
>
> https://www.phoronix.com/news/Web-Browser-Packages-Debian
>
> Regards
> Stephan

