
Re: Firefox ESR EOL



On Fri, Dec 10, 2021 at 11:03:50AM +0100, Christian Britz wrote:
> 
> 
> On 2021-12-10 10:25 UTC+0100, Eric S Fraga wrote:
> > Indeed, and with absolutely no appreciation for the effort put in by all
> > of you Debian folk.  Especially in having "stable" *mean* stable!
> 
Indeed!  For those who would rather have "latest" instead of "stable",
there are many available solutions, both within and without Debian.

> I love Debian and I appreciate the work of the developers, but I don't
> like stability in the sense of leaving security holes unfixed constantly.
> 
Please note that, as Jonathan pointed out in another message, the
firefox-esr/thunderbird packages specifically have a great deal of
complexity associated with them.  On the whole, security vulnerabilities
in Debian are fixed quite quickly and usually by a group of people made
up mostly of volunteers.

> There surely must be a better solution or Debian should put packages
> like Chromium, Firefox and Thunderbird on the list of packages without
> security support.
> 
That was the case in the past.  In particular, when Mozilla was much
more hostile to downstream distributions concerning things like security
support, branding, and building "modified" packages (e.g., carrying
distribution-specific packages).  The problem with that, of course, is
that Debian buster, the current oldstable distribution (still in fairly
active use), was initially released in July 2019.  Firefox ESR 68 was
also released that same month, meaning that the initial buster release
would have contained at best Firefox 60 ESR (initially released May
2018).

If the security team was not making an effort to update to the latest
ESR release, anyone using buster would have to choose between Firefox 60
ESR from the official repository, a current ESR from an external
provider, or a manual download (as has been discussed in this thread).
None of those seem to be good options.

I remember the "good old days" when the security team didn't support FF
in stable/oldstable.  I remember having no choice but to install from
upstream binary tarballs.  I'd rather not go back to that being the only
choice.

Rather, the fact the security team is making the effort says a great deal
about Debian and those who are so committed to it that rather than just
look at this situation (the difficulty of integrating new FF ESR into
Debian stable/oldstable) and "nope", they dedicate themselves to solving
the problems so that Debian users can benefit from a properly supported
web browser.

All the hate in this thread is really very tiresome.  I'm not directing
this specifically to you, Christian, rather speaking of the general tone
of this thread.  Discussing alternatives for users who are concerned
about still being on FF 78 ESR and who would like options for running
the latest ESR is fine.  But bashing on the people who have been working
literally for months on sorting out all of the issues (and there are
many) to bring the latest FF ESR into Debian stable/oldstable is not
productive.  Nor is it productive to point at Debian and other distros
and say things like "they do it, how come Debian can't?"  Each distro
has slightly different objectives, operating frameworks, etc.  Debian's
goals are different from Ubuntu's goals, are different from Fedora's
goals, are different from Mozilla upstream's goals.  Let's just accept
that (or work constructively to adjust the goals to better suit you) and
support the people doing the work.

Regards,

-Roberto

-- 
Roberto C. Sánchez

