On Fri, Dec 10, 2021 at 11:03:50AM +0100, Christian Britz wrote:
>
>
> On 2021-12-10 10:25 UTC+0100, Eric S Fraga wrote:
> > Indeed, and with absolutely no appreciation for the effort put in by all
> > of you Debian folk. Especially in having "stable" *mean* stable!
>
Indeed! For those who would rather have "latest" instead of "stable",
there are many available solutions, both within and without Debian.

> I love Debian and I appreciate the work of the developers, but I don't
> like stability in the sense of leaving security holes unfixed constantly.
>
Please note that, as Jonathan pointed out in another message, the
firefox-esr/thunderbird packages specifically have a great deal of
complexity associated with them. On the whole, security vulnerabilities
in Debian are fixed quite quickly and usually by a group of people made
up mostly of volunteers.

> There surely must be a better solution or Debian should put packages
> like Chromium, Firefox and Thunderbird on the list of packages without
> security support.
>
That was the case in the past. In particular, when Mozilla was much more
hostile to downstream distributions concerning things like security
support, branding, and building "modified" packages (e.g., carrying
distribution-specific packages).

The problem with that, of course, is that Debian buster, the current
oldstable distribution (still in fairly active use), was initially
released in July 2019. Firefox ESR 68 was also released that same month,
meaning that the initial buster release would have contained at best
Firefox 60 ESR (initially released May 2018). If the security team was
not making an effort to update to the latest ESR release, anyone using
buster would have to choose between Firefox 60 ESR from the official
repository, a current ESR from an external provider, or a manual
download (as has been discussed in this thread). None of those seem to
be good options.

I remember the "good old days" when the security team didn't support FF
in stable/oldstable. I remember having no choice but to install from
upstream binary tarballs. I'd rather not go back to that being the only
choice.

Rather, the fact that the security team is making the effort says a
great deal about Debian and those who are so committed to it that rather
than just look at this situation (the difficulty of integrating new FF
ESR into Debian stable/oldstable) and "nope", they dedicate themselves
to solving the problems so that Debian users can benefit from a properly
supported web browser.

All the hate in this thread is really very tiresome. I'm not directing
this specifically to you, Christian, rather speaking of the general tone
of this thread.

Discussing alternatives for users who are concerned about still being on
FF 78 ESR and who would like options for running the latest ESR is fine.
But bashing on the people who have been working literally for months on
sorting out all of the issues (and there are many) to bring the latest
FF ESR into Debian stable/oldstable is not productive.

Nor is it productive to point at Debian and other distros and say things
like "they do it, how come Debian can't?" Each distro has slightly
different objectives, operating frameworks, etc. Debian's goals are
different from Ubuntu's goals, are different from Fedora's goals, are
different from Mozilla upstream's goals. Let's just accept that (or work
constructively to adjust the goals to better suit you) and support the
people doing the work.

Regards,

-Roberto

--
Roberto C. Sánchez