The idea is that when a security bug is found, Mozilla writes a patch against the current Firefox version, but Debian must patch whatever version is the Debian Stable, so they must write a patch to the earlier version of the source. Since the code has changed in between, the patch is different, even if it fixes the same bug.
And the only version of Firefox I can see in Debian Stable's (and Testing's) package list is Firefox ESR 91. That's exactly the situation Canonical wants to avoid. The current version of Firefox is 104, and even the current version of Firefox ESR is 102.
This was a deal-breaker for me. I don't want a firefox packaged by mozilla themselves as a snap or deb, because I don't consider them trustworthy. At least when it's packaged by the distribution someone has reviewed the changes and can flag up and disable any nonsense that mozilla is adding.
I switched to debian instead. Debian packages firefox ESR, which means my config will be stable for longer.
I use Firefox ESR on desktop with Debian stable as well. I've never felt the need to update it, while several times, when reading about things that break in non-ESR releases, I was glad I didn't use non-ESR versions.
Ubuntu has decided to closely track Firefox releases because Mozilla doesn't provide security updates for older Firefox versions. I'm not sure what other software receives major version updates within the lifetime of an Ubuntu release (Chromium?), but it's not the norm.
Debian hasn't adopted this policy yet; they still declare a version of Firefox stable and backport patches to it. They've had to switch the name and logos from Firefox to Iceweasel because Mozilla does not allow anyone to independently provide updates and still use the Firefox trademark.
I find it very interesting that they are adopting a different release schedule for Firefox than the rest of Debian stable. People that care about fast release cycles probably really just care about a few minor things being up to date, while administrators don't care about which programs/libraries make problems when updating as long as the total amount of breakages in a certain time isn't too high.
I've done that as well. These days I run on the beta channel. Haven't had a lot of crashes with either. With the beta channel, I tend to click the restart to update button once a week or so.
On Arch linux, I ended up installing the tar.gz from mozilla and I let the browser update itself. Arch packaging is kind of redundant for this. It just adds time and middlemen that I don't want anyway. If there's a critical security update, it just increases the amount of time it takes for that fix to get to you. Regardless of whether you use stable, beta, or nightly. It does add a bit of hassle for e.g. getting a menu item with the correct icon in Firefox. I do the same with a few other things that know how to self update.
That should work on Debian as well. But a .deb package from Mozilla is nice of course.
I'm happy with Firefox 3.5.16 in Debian stable. I have no problem visiting websites, and I don't have to sweat Vimperator breaking because of a browser rev.
I think that caring about the latest browser version is the domain of webdevs and teenagers.
Do you have https://wiki.debian.org/UnattendedUpgrades enabled? I'm just thinking if the work-around is an 'apt' command maybe it's not the Firefox app itself doing the upgrades.
I think you underestimate how widespread ESR Firefox is.
Debian ships Mozilla's ESR releases by default. I'm sure many shops that prefer stability over latest features also deploy ESR. Judging by how often it gets updated it seems to me Mozilla is pretty diligent at backporting fixes.
My wholly-not-representative-for-the-wider-web statistics say approx. 22% of Firefox UAs are ESR release.
What you're telling sounds wonderful. That definitely wasn't the case a few years ago and documentation still does not reflect this conceptual merge between -release and stable.
And also, as far as I can tell the newest Firefox version available on -stable OpenBSD right now is 82.0.3 which was released in November.
I started using Mozilla Firefox 1.04 many years ago. Every time a new update was released I was so excited to install it, as the browser became better and better with each update. I remember when Firefox 2.0 was released and I could not wait for it to be available in the Debian package repository, because it was such a big improvement.
Now I absolutely HATE when an update is released, because either functionality is removed, appearance is changed or even more bloat has been added.
Firefox itself has become the problem it tried to solve.
56 will never get backported security fixes of any kind. For the record, neither will 57, as 58 is the current stable version. Mozilla does not apply security fixes to versions of Firefox other than the latest stable and the latest ESR.
Not true. It’s based on the long-term-support version of firefox, called ESR. The ESR branch typically eschews new features for stability but certainly receives any security bug fixes alongside evergreen firefox.
I don't know any distro that doesn't update browser packages in stable releases. Fedora, Ubuntu, Arch (ok, Arch is rolling release but still) and NixOS at least offer the latest versions of Firefox and Chromium on its repository. Debian too, but I think they package Firefox ESR instead of Firefox release.
Oh interesting - hard to keep track of which version Firefox is up to these days. They should really swap to a system like Ubuntu's - using the date for the version number.
It was released over a month ago too. Has it had any effect on Firefox's market-share? Especially in enterprise? It's a pretty decent test bed for understanding how users react to these kinds of changes. If they just accept them and adapt when forced it shows that we can be more proactive in moving users to better yet incompatible software?
>With the exception of LTS releases, if you haven't got firefox 126 yet because you're on a "stable" package manager, I'd encourage you to promptly download firefox from mozilla.org (which will come with auto-updates) and uninstall your package manager's insecure version.
Which distros have this problem? AFAIK debian-based distros (eg. debian, ubuntu) package firefox ESR which is kept up to date with security patches.