256: Linux Geek Buying Guide for Christmas

I don’t mean to bash on Debian but I think this thread illustrates how Debian users (me included) might not expect the ESR browser on Stable to be 2 months behind on security because it was no longer supported by Mozilla.

I tremendously respect the work of the Debian community but strictly from the perspective of keeping users informed, the ESR binary should have been replaced with a shim that launched a security warning before launch (or something similar) so users would know.

1 Like

Yes, thanks for this. I’ll definitely be keeping a closer eye on how long between Mozilla updates for ESR and Debian filtering them through :slight_smile:

Recently I have been extremely impressed with Fedora, not just 35 but several successive versions, I think going back to Fedora 31. It’s possible I might put it on one of my machines just for a secure up-to-date browser.

Update:

I have created a post in Linux applications about Debian Stable Firefox ESR status because I’m keeping a close eye on it myself and sharing my observations may benefit other users too.

1 Like

A great conversation about Debian Firefox versioning continues here:

1 Like

Unfortunately there are or were more like expat e.g. and now I see still not fixed. Most distributions patched the whole, either with a patched version or like Ubuntu (I think) with the newer upstream version.

https://security-tracker.debian.org/tracker/source-package/expat

If you use samba, good luck. Even sid is vulnerable.

https://security-tracker.debian.org/tracker/source-package/samba

Maybe I am seeing ghosts but I never experienced such a delay in security updates in Debian!

So I would revoke that Debian is pushing security updates or patches in a timely manner. At least not at the moment.

1 Like

Thanks for this. It’s exactly what I was worried about. For high-profile projects like Firefox, many users might notice a lag in security updates. What if they’re lower-down, like in commonly used libraries, for example? I think there might be a broader issue here worth investigating, and maybe not just for Debian but for other distros too. For Firefox, Debian Stable implemented Firefox updates faster than both Fedora and CentOS stream, so they’re on the ball for some things, it seems.

I do love Debian and its approach. Once I finally get my head around LFS and BLFS I might look at helping out with some package maintenance too for Debian too. Looks like the folks there need it.

Definitely. I think we take it for granted but it is a whole amount of work to do security and to do it the right way.

1 Like

Quick follow up on ESR…

I just checked and Debian Stable has at this moment the latest version of Firefox ESR which Mozilla released 2022-02-08. It’s morning for me in the UK so that means Debian got latest ESR into Stable within 1 day of Mozilla releasing it.

That’s fast by Arch standards. I think they had it in sid same-day so they’re cookin’ it with ESR.

image

2 Likes

I’m really glad about this too, though I am now actually thinking of checking security websites and how quickly various distributions fix issues more broadly, too. If there isn’t a centralised site for that, maybe there should be, for everyone’s benefit!

Update:
For centralised info on vulnerabilities, I am finding both of these interesting, though they still obviously need a fair bit of querying to find things in:

which draws upon

https://nvd.nist.gov/vuln/data-feeds#RSS

What’s very interesting in the first site is that it can be searched by vendor, product and CVE number, which can allow comparisons across different OSes such as different Linux distros. I’ve not had time to delve into these in detail yet, but glad to find they exist :slight_smile:

On Fri 11 Feb 22 at ~17:10 UTC, looks like expat is still needing work for Debian Stable, but fixed in sid now. Samba’s mostly fixed in Stable now, it would appear, but less fixed in sid, it would appear. I wonder how these packages are looking in other distros? I’m not sure where to find the security info, for example for Fedora and CentOS Stream 9.