Firefox 3.6 has been available for Linux from Mozilla since January. So where is the Fedora package for it? I still get the latest available package being 3.5.9 when I run "yum info firefox*".

Fedora 13 is coming next month; it will have the latest Firefox.

If you can't wait that long, you can upgrade to the Fedora 13 Alpha, or just go here: http://www.mozilla.com/en-US/firefox/personal.html

Well, you know how it is. Mozilla wants us to update immediately because of security issues. And really, we should expect that hackers will go after outdated version of Firefox as "low hanging fruit": their security flaws are publicized and therefore easy to take advantage of.

So if the package maintainers are not going to be prompt in updating the package to follow Mozilla's updates, the more responsible thing to do would be to not package it AT ALL, and have everyone download security updates straight from Mozilla.

You misunderstand how "stable release" distros like Fedora, Ubuntu, Debian. Red Hat, etc. handle updates.

If a security vulnerability is discovered, they "patch" the existing version in the repositories, rather than release a new version of the application.

For example, Red Hat, CentOS, Debian Stable, and Ubuntu long-term-suport all use Firefox 3.0. Why do so many choose these distros if they are really "low hanging fruit" as you claim?

Sounds like you might be happier with a "rolling release" distro, like Arch, if application version numbers are more important to you than a stable and secure system. Rolling release distros get the latest application versions as they become available, rather than being organized into periodic, time-based releases.

I have to admit I was unaware of this distinction. In fact, it takes me quite by surprise. Do I understand you correctly? Are you really saying that the same package containing the same 3.5.9 I downloaded months ago is now a different binary, containing patches discovered since Firefox 3.5.9 was released? Doesn't this defeat the purpose of having version numbers in the first place?

Whatever the answer to that question is, it still leads to another question: when these patches take place in the repositories, do they get included as a Security Update to download in Software Update?

If the answer to the latter is 'yes', then I should have the most uptodate patches already, except perhaps for the very latest (in FF 3.6.3 released just April 1st).

This article explains the concept far more eloquently than I can:

http://www.redhat.com/security/updat...g/?sc_cid=3093

1 members found this post helpful.

most of the time a backport is made for the BIG bug fixes .If it is only a very small fix then in the next version( fedora) it will be added .

BUT
you can always just let firefox do a auto update from the website .Then add a block in yum so that it is not installed too. That is what i did and do do .

That is a good article. Thanks for showing the link. But (and you knew there was a 'but' coming, didn't you it only asserts that all this 'backporting' takes place with Red Hat itself, not with Fedora, which is the "development branch" of Red Hat. So it would be completely consistent with that document for backporting to take place ONLY with RedHat releases, which are somewhat more rare -- and quite behind (the list of Fedora capabilities and features).

So do you know that the same backporting described in this article is taking place for every Fedora package too?

All reputable Linux distributions practice security backporting (with the exception of "rolling release" distros as I mentioned earlier). Why would anyone use an operating system that doesn't get security updates--it wouldn't make sense.

The Fedora community is very transparent. Drop by fedoraforums.org (or their mailing list) and share your concerns, get involved, hear what the developers have to say.

Also don't forget my link way back in post #2... if you want the latest Firefox, you can have it today, straight from Mozilla.

I haven't forgotten it. Thanks for all these replies, BTW. But to make a rational, or even semi-rational decision concerning whether or not it is worth the bother, I still need an answer to the as yet unanswered questions in this thread.

I am always leery (some would say too leery) of installing software that is NOT delivered via the packaging system: I do not know how much customization the package maintainer finds necessary for adapting the product to Fedora, and do not want to have to keep track of such issues myself. It would have been a mess, for example, if I had installed Sun Java myself instead of using the package, since the package maintainer knew about the Debian system (inherited by Fedora) of links in /etc/alternatives, and I did not.

It was already bad enough that I had to use an RPM package instead of yum

Yet people do it. Lots of people. They do it often. The most common such OS, of course, is Windoze

BTW: how am I supposed to know which distros are 'reputable'. They all CLAIM to be.

I would consider anything on the Distrowatch "major distros" page to be reputable for sure (Fedora is on the list): http://distrowatch.com/dwres.php?resource=major

If you want to learn more about Fedora development, visit their mailing list and forum, ask questions, help out, get involved.