07-06-2010, 07:13 AM   #1
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

What's the deal with Firefox security patches on Ubuntu 9.10?


It's starting to feel like Ubuntu 9.10 users have been left out in the cold, or at least forced to fend for themselves. I'm referring to the publicly-known vulnerabilities present in Firefox 3.5.9 (the version currently in use by Ubuntu 9.10). Ubuntu 10.04 (which uses Firefox 3.6.x instead of 3.5.x) users received their package updates June 29th, yet Ubuntu 9.10 seems to have been placed on the back burner. So basically, my questions are: Does anyone know what's going on? What's taking so long? Has security support for Firefox been terminated for Ubuntu 9.10?

PS: I can sort of understand how Ubuntu isn't able to provide Firefox patches for Ubuntu 9.04, as it uses Firefox 3.0.x (which isn't supported upstream anymore) and the distro release is so close to EOL. But, surely Ubuntu 9.10 doesn't need to be treated the same way, given that the 3.5.x branch it uses is still supported upstream and the distro release won't reach EOL until Q2 2011.

Last edited by win32sux; 07-06-2010 at 07:17 AM.
 
07-06-2010, 07:26 AM   #2
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 21,128

Seems Ubuntu have over-stretched themselves for the last several releases. Once they start getting within sight of the next release going public, everything starts getting "dropped". Trying to meet (unrealistic) announced targets means too few people looking after the current release.
And not just security fixes either.

My (perhaps somewhat jaundiced) observations only of course ....
 
07-08-2010, 12:39 PM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Quote:
Originally Posted by syg00
Seems Ubuntu have over-stretched themselves for the last several releases. Once they start getting within sight of the next release going public, everything starts getting "dropped". Trying to meet (unrealistic) announced targets means too few people looking after the current release.
And not just security fixes either.

My (perhaps somewhat jaundiced) observations only of course ....
It seems to me like they are looking after the current release (10.04) well, but are giving second-class treatment to their previous (yet supposedly still-supported) release (9.10) – at least as far as Firefox is concerned. I did some googling and found this from June 1st:
Quote:
We are going to release Firefox 3.6.4 as a minor update to the 3.6
series in Lucid. This will also be rolled out to Hardy, Jaunty and
Karmic (along with xulrunner 1.9.2.4). The update for Lucid is quite
trivial, but the update in Hardy, Jaunty and Karmic is not quite as simple.
So it seems their intention was/is to bump Firefox on 9.10 from 3.5.x to 3.6.x.

I looked into that, and found this and this, which makes it seem like Ubuntu basically decided to hold back on Firefox 3.5.10 for Ubuntu 9.10 while they work out the kinks in their transition to 3.6.x. This is just my impression after having given these links a quick read, of course. I wonder if something was/is preventing them from releasing Firefox 3.5.10 packages for Ubuntu 9.10 in the meantime, though. That would seem like the safest route to me, as it would keep users protected from the publicly-known vulnerabilities, while giving Ubuntu more time to make a better transition.

Last edited by win32sux; 07-08-2010 at 12:42 PM.
 
07-08-2010, 12:58 PM   #4
snowday
Senior Member
 
Registered: Feb 2009
Posts: 4,667

Why wait for someone else to do it for you? You can get the latest Firefox yourself any time you want to!

http://firefox.com

or

http://ubuntuzilla.sourceforge.net

To be clear on one point: Ubuntu is not a "rolling release" distro. "Backporting" newer applications to old Ubuntu releases is a very low priority for the Ubuntu team. (They wouldn't be doing it at all, except that, in this case, Firefox is such a critical application.) It is generally expected that users who desire the latest software will use the current Ubuntu release (10.04 at the moment) and/or obtain the application in question from a 3rd party source (see my links above). Ubuntu is not "leaving 9.10 users out in the cold" because in fact it is very easy to upgrade to 10.04.
 
07-08-2010, 01:32 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Quote:
Originally Posted by snowpine
Why wait for someone else to do it for you? You can get the latest Firefox yourself any time you want to!
I'm well aware of that, but it's beside the point.

Quote:
To be clear on one point: Ubuntu is not a "rolling release" distro. "Backporting" newer applications to old Ubuntu releases is a very low priority for the Ubuntu team. (They wouldn't be doing it at all, except that, in this case, Firefox is such a critical application.)
Ubuntu makes it clear that their non-LTS desktop releases are supported for 18 months.

Quote:
It is generally expected that users who desire the latest software will use the current Ubuntu release (10.04 at the moment) and/or obtain the application in question from a 3rd party source (see my links above).
Right, but this isn't about running the latest software – it's about security patches.

Quote:
Ubuntu is not "leaving 9.10 users out in the cold" because in fact it is very easy to upgrade to 10.04.
By that logic, they should just stop supporting all their releases after six months. What would be the point of running a supposedly-supported distro release if you're forced to upgrade to a newer version in order to get support? Might as well just use Debian unstable for the rest of your life.
 
07-08-2010, 01:53 PM   #6
snowday
Senior Member
 
Registered: Feb 2009
Posts: 4,667

Hi win32sux, you make several good points and I think we all can agree that Mozilla's new support cycle will affect how all of the major Linux distros deal with backports and security patches going forward.

I shared the Mozilla and Ubuntuzilla links in my previous post in case any readers of this thread were curious how to get the latest Firefox (rather than speculating why not).

ps and I do use Debian Unstable, nothing wrong with that. Still waiting on 3.6 myself.

Last edited by snowday; 07-08-2010 at 01:55 PM.
 
07-08-2010, 02:50 PM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Quote:
Originally Posted by snowpine
Hi win32sux, you make several good points and I think we all can agree that Mozilla's new support cycle will affect how all of the major Linux distros deal with backports and security patches going forward.
Agreed.

Quote:
I shared the Mozilla and Ubuntuzilla links in my previous post in case any readers of this thread were curious how to get the latest Firefox (rather than speculating why not).
OIC, thanks.

Quote:
ps and I do use Debian Unstable, nothing wrong with that. Still waiting on 3.6 myself.
I didn't mean to imply there was something wrong with using Debian unstable.
 
07-23-2010, 02:48 AM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
I use Ubuntu 9.04, 9.10 and 10.04 LTS, and I can confirm that yesterday Firefox was updated to 3.6.7 on all of them. The USN hasn't been issued yet, so I don't know the full details of this, but it's great news IMO.
 
All times are GMT -5.