What's the deal with Firefox security patches on Ubuntu 9.10?
It's starting to feel like Ubuntu 9.10 users have been left out in the cold, or at least forced to fend for themselves. I'm referring to the publicly-known vulnerabilities present in Firefox 3.5.9 (the version currently in use by Ubuntu 9.10). Ubuntu 10.04 (which uses Firefox 3.6.x instead of 3.5.x) users received their package updates June 29th, yet Ubuntu 9.10 seems to have been placed on the back burner. So basically, my questions are: Does anyone know what's going on? What's taking so long? Has security support for Firefox been terminated for Ubuntu 9.10?
PS: I can sort of understand how Ubuntu isn't able to provide Firefox patches for Ubuntu 9.04, as it uses Firefox 3.0.x (which isn't supported upstream anymore) and the distro release is so close to EOL. But, surely Ubuntu 9.10 doesn't need to be treated the same way, given that the 3.5.x branch it uses is still supported upstream and the distro release won't reach EOL until Q2 2011.
Seems Ubuntu have over-stretched themselves for the last several releases. Once they start getting within sight of the next release going public, everything starts getting "dropped". Trying to meet (unrealistic) announced targets means too few people looking after the current release.
And not just security fixes either.
My (perhaps somewhat jaundiced) observations only of course ....
Quote:
Seems Ubuntu have over-stretched themselves for the last several releases. Once they start getting within sight of the next release going public, everything starts getting "dropped". Trying to meet (unrealistic) announced targets means too few people looking after the current release.
And not just security fixes either.
My (perhaps somewhat jaundiced) observations only of course ....
It seems to me like they are looking after the current release (10.04) well, but are giving second-class treatment to their previous (yet supposedly still-supported) release (9.10) – at least as far as Firefox is concerned. I did some googling and found this from June 1st:
Quote:
We are going to release Firefox 3.6.4 as a minor update to the 3.6
series in Lucid. This will also be rolled out to Hardy, Jaunty and
Karmic (along with xulrunner 1.9.2.4). The update for Lucid is quite
trivial, but the update in Hardy, Jaunty and Karmic is not quite as simple.
So it seems their intention was/is to bump Firefox on 9.10 from 3.5.x to 3.6.x.
I looked into that, and found this and this, which makes it seem like Ubuntu basically decided to hold back on Firefox 3.5.10 for Ubuntu 9.10 while they work out the kinks in their transition to 3.6.x. This is just my impression after having given these links a quick read, of course. I wonder if something was/is preventing them from releasing Firefox 3.5.10 packages for Ubuntu 9.10 in the meantime, though. That would seem like the safest route to me, as it would keep users protected from the publicly-known vulnerabilities, while giving Ubuntu more time to make a better transition.
To be clear on one point: Ubuntu is not a "rolling release" distro. "Backporting" newer applications to old Ubuntu releases is a very low priority for the Ubuntu team. (They wouldn't be doing it at all, except that, in this case, Firefox is such a critical application.) It is generally expected that users who desire the latest software will use the current Ubuntu release (10.04 at the moment) and/or obtain the application in question from a 3rd party source (see my links above). Ubuntu is not "leaving 9.10 users out in the cold" because in fact it is very easy to upgrade to 10.04.
Why wait for someone else to do it for you? You can get the latest Firefox yourself any time you want to!
I'm well aware of that, but it's beside the point.
Quote:
To be clear on one point: Ubuntu is not a "rolling release" distro. "Backporting" newer applications to old Ubuntu releases is a very low priority for the Ubuntu team. (They wouldn't be doing it at all, except that, in this case, Firefox is such a critical application.)
It is generally expected that users who desire the latest software will use the current Ubuntu release (10.04 at the moment) and/or obtain the application in question from a 3rd party source (see my links above).
Right, but this isn't about running the latest software – it's about security patches.
Quote:
Ubuntu is not "leaving 9.10 users out in the cold" because in fact it is very easy to upgrade to 10.04.
By that logic, they should just stop supporting all their releases after six months. What would be the point of running a supposedly-supported distro release if you're forced to upgrade to a newer version in order to get support? Might as well just use Debian unstable for the rest of your life.
Hi win32sux, you make several good points and I think we all can agree that Mozilla's new support cycle will affect how all of the major Linux distros deal with backports and security patches going forward.
I shared the Mozilla and Ubuntuzilla links in my previous post in case any readers of this thread were curious how to get the latest Firefox (rather than speculating why not).
ps and I do use Debian Unstable, nothing wrong with that. Still waiting on 3.6 myself.
Quote:
Hi win32sux, you make several good points and I think we all can agree that Mozilla's new support cycle will affect how all of the major Linux distros deal with backports and security patches going forward.
Agreed.
Quote:
I shared the Mozilla and Ubuntuzilla links in my previous post in case any readers of this thread were curious how to get the latest Firefox (rather than speculating why not).
OIC, thanks.
Quote:
ps and I do use Debian Unstable, nothing wrong with that. Still waiting on 3.6 myself.
I didn't mean to imply there was something wrong with using Debian unstable.
I use Ubuntu 9.04, 9.10 and 10.04 LTS, and I can confirm that yesterday Firefox was updated to 3.6.7 on all of them. The USN hasn't been issued yet, so I don't know the full details of this, but it's great news IMO.