256: Linux Geek Buying Guide for Christmas


  • Debian Stable is currently on Firefox ESR 78.15 released 2021-10-05
  • Version 91.x came out 2021-10-28 and has had 2 releases so far

Mozilla release calendar: https://wiki.mozilla.org/Release_Management/Calendar

According to this Mozilla doc, there’s “(at least 12 weeks) overlap between the time of a new release and the end-of-life of the previous release”

So while Mozilla won’t consider Debian’s ESR EOL until ~Jan 05, it’s a pretty major leap behind the current ESR.

There’s also this: “Maintenance of each ESR through point releases is limited to high-risk/high-impact security vulnerabilities” so lagging point releases is lagging behind high-risk/high-impact security vulnerabilities.



As for Chromium… their download page states:

“Google does not offer old builds as they do not have up-to-date security fixes.”

The Debian Stable version is 90.0.4430.212, which was released May 8th, 2021, and there have been several releases since then.

Worth noting… ungoogled-chromium is also version 90.0.4430.212.

The Chromium Docs - Chrome Release Cycle gets a bit above my head, but I’m reading the dev builds as having no more releases after 6 weeks, which’d put the Debian version several months behind on support.

To emphasize this, here is Debian’s own recommendation:

https://wiki.debian.org/Chromium#Installation

As of 2021-10-14 19:19:07, Debian’s Chromium package in buster, bullseye and bookworm repository remains vulnerable to numerous CVEs as outlined in the Chromium Security Tracker. Consider using an alternative browser like Firefox, Brave or ungoogled-chromium.

Edit: As of now Firefox ESR 78.15, regardless of its lifespan, is vulnerable in all Debian branches except sid and testing.

https://security-tracker.debian.org/tracker/source-package/firefox-esr


I had a question on the Yubikey: is there a specific model that is best? That tech is relatively new to me and I collect all things techy. So I would like to know more from your perspective.
Thank you.

FYI, Debian just upgraded to 11.2 point release which upgrades Firefox ESR to 91.4.1.


As a Debian guy here I just wanted to give the perspective that Debian’s release schedule is famously slow, and only relatively recently have we started having multiple releases of browsers per month, let alone in a year.

Does no one else remember how FF changed its naming scheme to follow Chromium’s inflated build numbers? Basically, after v38 everything exploded, and we would have multiple versions released per year. It is a fast moving target, and you have to wonder how anyone who packages it for as many architectures as Debian ever gets it done.


Thanks, everyone! Some great ideas for pressies from back in the festive season for many.

Sorry I’m so far behind on podcasts, but just my reflections on browser updates, particularly with Debian Stable, as it’s been my workhorse for 8-9 years now, can’t even remember(!)

As far as I know Firefox ESR (default browser under Debian Stable) tracks normal Firefox but then “freezes” in a sense for several months, during which only security updates are backported, not feature updates. I think this works fine for organisations, especially given that even a few years back feature updates on browsers sometimes broke things, though that’s not heard about much these days. Every several months or so, Firefox ESR gets a large jump in version numbers when it moves forward several months on the normal Firefox numbering, so although numbering can look “very behind” that’s actually by design, and Debian inherits the same.

The issue of timely updates to browsers, especially nowadays with financial transactions, is of course crucial, I agree; and they, like all security updates, really should be implemented as fast as possible. I generally find security updates on Debian Stable to be very fast. With the larger Firefox-ESR “jump” every few months, I am guessing because of the size of the job, there may well be a lag of some days, during which I definitely think use of Flatpak Firefox is preferable. That being said, once the normal repo Firefox-ESR has reached the same latest version-point, I trust its security more than Flatpak.

I think an important question is, besides the browser, are other security problems with underlying libraries slow to fix on Debian too? I’ve never noticed this myself, though reflections from community members would be very welcome of course.

As a side-note, I also think that users of LibreWolf need to keep an eye on security patches, because although it tracks normal Firefox updates, there can sometimes be a lag of a day or so (I seem to notice) before updated LibreWolf builds become available.


It is true, Debian applies security updates quickly. They have a default repo called ‘security’ just for that.

However, even with firefox-esr it does not pin to one version and upgrades point releases all the time. Here is my list over the last few months.

Preparing to unpack .../19-firefox-esr_78.9.0esr-1_amd64.deb ...
Leaving 'diversion of /usr/bin/firefox to /usr/bin/firefox.real by firefox-esr'
Unpacking firefox-esr (78.9.0esr-1) over (78.9.0esr-1~deb10u1) ...
Setting up firefox-esr (78.9.0esr-1) ...
Preparing to unpack .../1-firefox-esr_78.10.0esr-1~deb10u1_amd64.deb ...
Leaving 'diversion of /usr/bin/firefox to /usr/bin/firefox.real by firefox-esr'
Unpacking firefox-esr (78.10.0esr-1~deb10u1) over (78.9.0esr-1) ...
Setting up firefox-esr (78.10.0esr-1~deb10u1) ...
Preparing to unpack .../2-firefox-esr_78.10.0esr-1_amd64.deb ...
Leaving 'diversion of /usr/bin/firefox to /usr/bin/firefox.real by firefox-esr'
Unpacking firefox-esr (78.10.0esr-1) over (78.10.0esr-1~deb10u1) ...
Setting up firefox-esr (78.10.0esr-1) ...
Preparing to unpack .../042-firefox-esr_78.8.0esr-1_amd64.deb ...
Leaving 'diversion of /usr/bin/firefox to /usr/bin/firefox.real by firefox-esr'
Unpacking firefox-esr (78.8.0esr-1) over (78.8.0esr-1~deb10u1) ...
Setting up firefox-esr (78.8.0esr-1) ...
Preparing to unpack .../01-firefox-esr_78.9.0esr-1~deb10u1_amd64.deb ...
Leaving 'diversion of /usr/bin/firefox to /usr/bin/firefox.real by firefox-esr'
Unpacking firefox-esr (78.9.0esr-1~deb10u1) over (78.8.0esr-1) ...
Setting up firefox-esr (78.9.0esr-1~deb10u1) ...
Selecting previously unselected package firefox-esr.
Preparing to unpack .../0428-firefox-esr_78.7.0esr-1~deb10u1_amd64.deb ...
Adding 'diversion of /usr/bin/firefox to /usr/bin/firefox.real by firefox-esr'
Unpacking firefox-esr (78.7.0esr-1~deb10u1) ...
Setting up firefox-esr (78.7.0esr-1~deb10u1) ...
update-alternatives: using /usr/bin/firefox-esr to provide /usr/bin/x-www-browser (x-www-browser) in auto mode
update-alternatives: using /usr/bin/firefox-esr to provide /usr/bin/gnome-www-browser (gnome-www-browser) in auto mode
Preparing to unpack .../02-firefox-esr_78.7.0esr-1_amd64.deb ...
Leaving 'diversion of /usr/bin/firefox to /usr/bin/firefox.real by firefox-esr'
Unpacking firefox-esr (78.7.0esr-1) over (78.7.0esr-1~deb10u1) ...
Setting up firefox-esr (78.7.0esr-1) ...
Preparing to unpack .../04-firefox-esr_78.8.0esr-1~deb10u1_amd64.deb ...
Leaving 'diversion of /usr/bin/firefox to /usr/bin/firefox.real by firefox-esr'
Unpacking firefox-esr (78.8.0esr-1~deb10u1) over (78.7.0esr-1) ...
Setting up firefox-esr (78.8.0esr-1~deb10u1) ...
Preparing to unpack .../042-firefox-esr_91.5.0esr-1_amd64.deb ...
Leaving 'diversion of /usr/bin/firefox to /usr/bin/firefox.real by firefox-esr'
Unpacking firefox-esr (91.5.0esr-1) over (91.4.0esr-1) ...
Setting up firefox-esr (91.5.0esr-1) ...
Preparing to unpack .../05-firefox-esr_91.4.0esr-1_amd64.deb ...
Leaving 'diversion of /usr/bin/firefox to /usr/bin/firefox.real by firefox-esr'
Unpacking firefox-esr (91.4.0esr-1) over (78.15.0esr-1~deb10u1) ...
Setting up firefox-esr (91.4.0esr-1) ...

So while firefox-esr is not the ‘latest version’ it does release versions with security updates. This is explained on Mozilla’s versions page. To quote:

Extended Support Release (ESR) receives major updates on average every 42 weeks with minor updates such as crash fixes, security fixes and policy updates as needed, but at least every four weeks.

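The dpkg lines above only make sense once you know how Debian orders versions: `78.9.0esr-1` is "newer" than `78.9.0esr-1~deb10u1` because `~` sorts before everything, which is why the security-backport build gets replaced by the plain rebuild. The following Python, an added example and not code from this thread or from Debian, implements that comparison rule for versions of the form seen above (epochs are not handled), sorts the versions out of a constructed dpkg log, and checks an ESR major against the 78 ESR end-of-support date quoted in the thread; the `ESR_EOL` table and the sample log lines are assumptions constructed for the example.

```python
import re
from functools import cmp_to_key
from itertools import zip_longest

# Constructed sample in the shape of the dpkg lines quoted above (not the poster's full log).
SAMPLE_LOG = """\
Unpacking firefox-esr (78.9.0esr-1) over (78.9.0esr-1~deb10u1) ...
Unpacking firefox-esr (78.10.0esr-1~deb10u1) over (78.9.0esr-1) ...
Unpacking firefox-esr (91.4.0esr-1) over (78.15.0esr-1~deb10u1) ...
Unpacking firefox-esr (78.9.0esr-1~deb10u1) over (78.8.0esr-1) ...
"""
# ESR majors -> end of security support as ISO dates (78's is the date given in the thread;
# None = no end stated). ISO YYYY-MM-DD strings compare correctly as plain strings.
ESR_EOL = {78: "2021-10-05", 91: None}

def _cmp_nondigit(a: str, b: str) -> int:
    # dpkg order inside a non-digit run: '~' < end of string (0) < letters < everything else
    order = lambda c: -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256
    for oa, ob in zip_longest(map(order, a), map(order, b), fillvalue=0):
        if oa != ob:
            return oa - ob
    return 0

def _cmp_fragment(a: str, b: str) -> int:
    # Alternate non-digit and numeric runs, as dpkg does for the upstream and revision parts.
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        if r := _cmp_nondigit(na, nb):
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if r := int(da or 0) - int(db or 0):
            return r
        a, b = a[len(da):], b[len(db):]
    return 0

def compare_versions(v1: str, v2: str) -> int:
    """Negative, zero or positive like `dpkg --compare-versions`; epochs are not handled (assumption).
    The Debian revision is whatever follows the last '-'; with no '-' the revision is empty."""
    (u1, r1), (u2, r2) = (re.fullmatch(r"(.*?)(?:-([^-]*))?", v).groups() for v in (v1, v2))
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1 or "", r2 or "")

def versions_in_debian_order(log: str) -> list:
    """Every firefox-esr version dpkg unpacked, sorted by Debian version order (newest last)."""
    return sorted(re.findall(r"Unpacking firefox-esr \((\S+)\)", log), key=cmp_to_key(compare_versions))

def support_status(version: str, on: str) -> str:
    """'eol', 'supported' or 'unknown' for the ESR major of a firefox-esr version on an ISO date."""
    major = int(re.match(r"\d+", version).group())
    if major not in ESR_EOL:
        return "unknown"
    return "eol" if ESR_EOL[major] and on > ESR_EOL[major] else "supported"
```

Run against a real `/var/log/dpkg.log` the same functions show whether the newest unpacked ESR major was still inside Mozilla's support window on the day it was installed.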

The problem wasn’t the regularity of security updates. It was how long it took from the point Mozilla released them to when they’d show up on Debian Stable.

Sort of like shipping 2 people a package every 10 days but one person lives in the same city and the other lives internationally. Both would receive packages regularly but 1 person would have old contents.

I did a quick Debian Stable VM test w/ fresh install of Firefox-ESR just now and it’s running version 91.5.0 (latest ESR) which was released 2022-01-11 by Mozilla so if you’re running Firefox ESR on Stable today you have the latest ESR version and security from Mozilla.

When I last posted above it was Dec 21st, same test, the ESR version was 78.15.0 which was ~2 months beyond the point Mozilla dropped security for 78.x so if you were running Firefox ESR on Stable in Dec you were no longer supported whether you were getting security updates or not.

Firefox-ESR on Debian Stable today:

So with that huge improvement, well done Debian! Well done DL!


Indeed Firefox-ESR on Debian Stable does update very regularly. I wonder if perhaps it was at the “big jump” a delay of a few days was (understandably) noticed by some users, prompting this concern. It was a few months ago now, so I guess my lag even on viewing the podcast is a little funny.

Extra:

v91.6 is scheduled to release today which is the latest security update for Debian’s Firefox ESR (ESR point releases are the security updates). It’ll be interesting to see how soon it hits Stable.

Some house cleaning…

Back when I posted this I made an estimate of 78.x support till Jan 05, but I got it a bit muddled: support ends 3 cycles after a new “whole” version upgrade, so Firefox 78.x left security support 2021-10-05 despite Debian Stable still shipping it on 2021-12-17 when I posted.


Strictly comparing my screenshots, Debian Stable missed over 2 months worth of security updates and had 3 months prior to make the jump to 91.


I don’t mean to bash on Debian but I think this thread illustrates how Debian users (me included) might not expect the ESR browser on Stable to be 2 months behind on security because it was no longer supported by Mozilla.

I tremendously respect the work of the Debian community but strictly from the perspective of keeping users informed, the ESR binary should have been replaced with a shim that launched a security warning before launch (or something similar) so users would know.


Yes, thanks for this. I’ll definitely be keeping a closer eye on how long between Mozilla updates for ESR and Debian filtering them through.

Recently I have been extremely impressed with Fedora, not just 35 but several successive versions, I think going back to Fedora 31. It’s possible I might put it on one of my machines just for a secure up-to-date browser.

Update:

I have created a post in Linux applications about Debian Stable Firefox ESR status because I’m keeping a close eye on it myself and sharing my observations may benefit other users too.


A great conversation about Debian Firefox versioning continues here:


Unfortunately there are or were more, e.g. expat, and now I see it is still not fixed. Most distributions patched the whole, either with a patched version or like Ubuntu (I think) with the newer upstream version.

https://security-tracker.debian.org/tracker/source-package/expat

If you use samba, good luck. Even sid is vulnerable.

https://security-tracker.debian.org/tracker/source-package/samba

Maybe I am seeing ghosts but I never experienced such a delay in security updates in Debian!

So I would revoke that Debian is pushing security updates or patches in a timely manner. At least not at the moment.


Thanks for this. It’s exactly what I was worried about. For high-profile projects like Firefox, many users might notice a lag in security updates. What if they’re lower-down, like in commonly used libraries, for example? I think there might be a broader issue here worth investigating, and maybe not just for Debian but for other distros too. For Firefox, Debian Stable implemented Firefox updates faster than both Fedora and CentOS Stream, so they’re on the ball for some things, it seems.

I do love Debian and its approach. Once I finally get my head around LFS and BLFS I might look at helping out with some package maintenance for Debian too. Looks like the folks there need it.

Definitely. I think we take it for granted but it is a whole amount of work to do security and to do it the right way.


Quick follow up on ESR…

I just checked and Debian Stable has at this moment the latest version of Firefox ESR, which Mozilla released 2022-02-08. It’s morning for me in the UK, so that means Debian got the latest ESR into Stable within 1 day of Mozilla releasing it.

That’s fast by Arch standards. I think they had it in sid same-day so they’re cookin’ it with ESR.



I’m really glad about this too, though I am now actually thinking of checking security websites and how quickly various distributions fix issues more broadly, too. If there isn’t a centralised site for that, maybe there should be, for everyone’s benefit!

Update:
For centralised info on vulnerabilities, I am finding both of these interesting, though they still obviously need a fair bit of querying to find things in:

which draws upon

https://nvd.nist.gov/vuln/data-feeds#RSS

What’s very interesting in the first site is that it can be searched by vendor, product and CVE number, which can allow comparisons across different OSes such as different Linux distros. I’ve not had time to delve into these in detail yet, but glad to find they exist.

On Fri 11 Feb 22 at ~17:10 UTC, looks like expat is still needing work for Debian Stable, but fixed in sid now. Samba’s mostly fixed in Stable now, it would appear, but less fixed in sid, it would appear. I wonder how these packages are looking in other distros? I’m not sure where to find the security info, for example for Fedora and CentOS Stream 9.