On Thu, 9 Dec 2021 19:35:47 +0100 Paul Gevers <elb...@debian.org> wrote:
> Hi Piotr, Martin-Éric,
>
> Please stop bashing Mike. He's doing a great job.

Hi Paul,

I am not bashing anyone. My post was simply a copy of the e-mail I sent
to the Debian user group yesterday:
https://lists.debian.org/debian-user/2021/12/msg00242.html

My post is also here to raise awareness of this problem. I am worried. I
don't (didn't until now) know who the maintainer of firefox-esr is. From
what I gather here, it's Mike. I support him all the way, and I hope
firefox-esr can be updated quickly. I honestly think that Debian should
throw more resources at this problem, if it doesn't want to become a
laughing stock in the community:
https://www.phoronix.com/scan.php?page=news_item&px=Web-Browser-Packages-Debian
100+ posts and counting, all bashing the entire Debian project because of
this.

> This bug was merely a procedure to raise awareness in case it was
> missing and is part of the Release Team way of working. The required
> action happened: the removal of the mipsel binary. All is good for the
> migration at this moment.

That's good to hear. But didn't Mike just mention that Firefox will
not migrate to Stable due to Rust compiler problems?

> There is work ongoing too for stable. Please remember we're all
> volunteers and supporting a browser in Debian Stable is just not easy.

Of course, I support Debian volunteers and maintainers all the way!

> I'd like to point out the notes about security support for browsers in
> the Release Notes [1].

The link you posted says, quote:
"The package debian-security-support helps to track the security support
status of installed packages."

I installed this package and ran it:
check-support-status | grep firefox
(zero results)
Nowhere does it say that the firefox-esr installed on my system is EOL and
vulnerable to several CVEs. This should be updated. I am happy to file a
bug against debian-security-support, do you want me to do that?

Also, the same chapter of the Release Notes you linked goes on to say that:
"For general web browser use we recommend Firefox or Chromium. They will
be kept up-to-date by rebuilding the current ESR releases for stable.
The same strategy will be applied for Thunderbird."

Debian has failed to deliver on that. The "recommended" browser in Debian
Stable is EOL and vulnerable. And people are not aware of this, as the
Release Notes and debian-security-support are not showing the problem.

The Release Notes should have been updated in November 2021, when
firefox-esr went EOL, to reflect this. Do the Release Notes for Bullseye
receive "errata" updates? Shouldn't this be done right now?
Debian should throw more resources at the flagship browser problem! I
sincerely hope this can be resolved quickly. We don't want people
blaming Debian for virus infections due to an unpatched Firefox being
shipped in Stable.


> Paul
>
> [1] https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#limited-security-support

I don't know the development process in Stable, but shouldn't firefox-esr
78.15.0esr-1~deb11u1 be removed from the bullseye servers? It's vulnerable
and unusable in its current state. Can it be removed at all? So people don't
fall for this false sense of security?

--
With kindest regards, Piotr.

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/
⠈⠳⣄⠀⠀⠀⠀
