Ubuntu Wily (15.10 development): update to FF 40

Asked by Matt Ruffalo

Hi-

I've seen several mentions of recent vulnerabilities in Firefox (from the pdf.js viewer, as I recall), and these are fixed in 39.0.3+. I'm using the development version of Kubuntu 15.10, which is still on Firefox 38 as per https://lists.ubuntu.com/archives/wily-changes/2015-May/000296.html from May.

I see a few relevant messages in the August archives of the wily-changes mailing list, like https://lists.ubuntu.com/archives/wily-changes/2015-August/thread.html -- it looks like there's churn in the Firefox packages, and even if there are some patches that are in flux like debian/patches/libjpeg-turbo-arm64-fix.patch, I would still like to request a current version of Firefox in 15.10 to be accepted into normal wily updates so that we're not using a potentially vulnerable version.

Question information

Language: English
Status: Expired
For: Ubuntu firefox
Assignee: No assignee
Manfred Hampl (m-hampl) said:
#1

1. As its name says, the development version of Ubuntu is a development version - potentially unstable, with bugs and frequent changes. It is not meant to be used on production systems. If you want to use it before its official publication, you do that on your own responsibility.

2. The way of working in a development version is different from the stable versions. wily-updates is not used, but updated packages might stay in wily-proposed for a longer period.

3. As you can see from https://launchpad.net/ubuntu/+source/firefox/+publishinghistory the first version of firefox 40.* for wily has been published on 2015-08-07. So it must be caused by settings on your system if you have not upgraded to firefox 40.* yet.

Matt Ruffalo (mruffalo) said:
#2

Thank you for your reply, but I am not particularly satisfied by your answer.

I accept instability and frequent bugs/changes in development versions of Kubuntu, which is why I have all of my systems configured to take btrfs snapshots of all available subvolumes on every boot. I am quite used to updates breaking my system and having to revert to a previous snapshot, then waiting a few days to upgrade packages again. In all of these cases, the bugs and instability that I am accustomed to are from packages being too *new* and untested, not too *old* and containing known security vulnerabilities that have been exploited in the wild. I accept the responsibility for installing updates that might potentially make my system inoperable, but this issue is about the *lack* of updates in a critical package.

I believe that the best way to find bugs and issues in beta software is to attempt to go "all in" and use it full-time as I am doing on my laptop; booting an ISO in a VM and poking around a bit will likely not expose any issues that will be found by real-world usage. As such, it seems counterproductive to delay security updates to critical packages, since this will unnecessarily deter people from doing thorough testing and make it more likely that large issues will make it into the release instead of being discovered earlier.

As you point out from https://launchpad.net/ubuntu/+source/firefox/+publishinghistory , versions of Firefox 40 are published for wily, but they are only in "proposed" and not "release". My system is not configured to pull updates from "proposed", and this matches the configuration of the daily live ISO images. I verified this by testing the current (2015-08-21) ISO images of Kubuntu 15.10 and Ubuntu 15.10 in a VM: both live images contain Firefox 38, and after installing Kubuntu to disk in the VM, the system was not configured for "proposed" updates.

I hope that it is simply a minor oversight for Firefox updates to not be published as "release" packages in wily, and will likely send an email to the maintainers unless a better answer is posted here.
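The check behind the two posts above (which pocket the installed and candidate Firefox come from, and whether wily-proposed is enabled at all), as an added example that is not part of this thread and not Ubuntu's own tooling. It parses `apt-cache policy` output and an apt sources list with POSIX sh and awk so it runs offline. The policy text, the mirror URL and the 38.x build string are constructed for the example; only 40.0.3+build1-0ubuntu1 is a version named in the thread. The parser relies on apt's layout of the version table (version lines indented 5 spaces, or ` *** ` for the installed one; source lines indented 8 spaces).

```sh
#!/bin/sh
# Added example, not from the Launchpad thread or Ubuntu's tooling:
# parse `apt-cache policy <pkg>` output and an apt sources list to see
# which pocket (wily, wily-updates, wily-proposed, ...) each version of
# a package comes from, and whether a newer build exists only in -proposed.

# Constructed sample of `apt-cache policy firefox`. The 38.x build string
# and mirror URL are made up; 40.0.3+build1-0ubuntu1 is the version named
# in the thread. -proposed is pinned to 400 here, so 38 stays the candidate.
SAMPLE_POLICY='firefox:
  Installed: 38.0+build3-0ubuntu1
  Candidate: 38.0+build3-0ubuntu1
  Version table:
     40.0.3+build1-0ubuntu1 0
        400 http://archive.ubuntu.com/ubuntu/ wily-proposed/main amd64 Packages
 *** 38.0+build3-0ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ wily/main amd64 Packages
        100 /var/lib/dpkg/status'

# Constructed sources.list: -proposed enabled (with an options bracket),
# -updates commented out, since wily-updates is not used during development.
SAMPLE_SOURCES='deb http://archive.ubuntu.com/ubuntu/ wily main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ wily main restricted universe multiverse
# deb http://archive.ubuntu.com/ubuntu/ wily-updates main restricted
deb [arch=amd64] http://archive.ubuntu.com/ubuntu/ wily-proposed main restricted universe multiverse'

# policy_field POLICY FIELD -> value of the "Installed:" or "Candidate:" line
policy_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2; exit }'
}

# policy_newest POLICY -> first (highest) version listed in the version table
policy_newest() {
    printf '%s\n' "$1" | awk '
        /Version table:/ { intable = 1; next }
        intable && !/^        / { v = ($1 == "***") ? $2 : $1; print v; exit }'
}

# policy_pocket POLICY VERSION -> pocket the version is served from.
# Source lines under a version look like
# "<pin-priority> <uri> <pocket>/<component> <arch> Packages".
policy_pocket() {
    printf '%s\n' "$1" | awk -v v="$2" '
        /Version table:/ { intable = 1; next }
        !intable { next }
        /^        / {
            if (cur && $NF == "Packages") { sub(/\/.*/, "", $3); print $3; exit }
            next
        }
        { cur = ($1 == v || ($1 == "***" && $2 == v)) }'
}

# sources_have_pocket SOURCES POCKET -> exit 0 if an uncommented "deb" line
# names that pocket; an "[options]" bracket after "deb" is skipped.
sources_have_pocket() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == "deb" { sub(/\[[^]]*\] */, ""); if ($3 == p) { found = 1; exit } }
        END { exit !found }'
}

# policy_report POLICY SOURCES -> human-readable summary on stdout
policy_report() {
    inst=$(policy_field "$1" Installed)
    cand=$(policy_field "$1" Candidate)
    newest=$(policy_newest "$1")
    printf 'installed: %s (%s)\n' "$inst" "$(policy_pocket "$1" "$inst")"
    printf 'candidate: %s (%s)\n' "$cand" "$(policy_pocket "$1" "$cand")"
    if [ "$newest" != "$cand" ]; then
        printf 'newer build %s is only in %s; apt will not install it unless asked\n' \
            "$newest" "$(policy_pocket "$1" "$newest")"
    fi
    if sources_have_pocket "$2" wily-proposed; then
        echo 'wily-proposed is enabled in sources'
    else
        echo 'wily-proposed is not enabled in sources'
    fi
}

# On a real system: policy_report "$(apt-cache policy firefox)" "$(cat /etc/apt/sources.list)"
policy_report "$SAMPLE_POLICY" "$SAMPLE_SOURCES"
```

The sample shows the situation the thread describes from the other side: with -proposed enabled but pinned below 500 (apt's general rule is that a lower pin loses to the release pocket's 500), the 40.x build is visible in the table yet 38 remains the candidate, and only an explicit `apt-get install firefox/wily-proposed` (or `-t wily-proposed`) would pull it. A system without the -proposed line at all, like the daily ISOs Matt tested, would not list the 40.x build in the version table in the first place.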

Launchpad Janitor (janitor) said:
#3

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Huygens (huygens-25) said:
#4

I certainly agree with Matt.

I've set up a dual boot with the stable and dev version of Ubuntu. I'm working a lot with containers (LXC) and ansible, and both are evolving fast, so I need to test what's coming next on Ubuntu.

My machine is a dev machine, we are not talking production here, it is not a server but a desktop. I'm using the "stable" part for most of my activities, but I do from time to time "dev" tests in the dev part. In the dev part, I have the same SSH keys, user account, sensitive data, etc. as in the stable part. So if there are security vulnerabilities, I hope they are fixed almost as fast in the dev part as they are in the stable part. I can understand some delays in the dev version of Ubuntu, so that some bugs can be ironed out (you don't necessarily want to bump versions in those cases), but being stuck on FF 38 is strange.

So yes, I'm ready for the possible breakage or loss of data. But I'm not ready to get major security issues because I'm using a possibly outdated browser in the next development tree of a major distribution.

PS: I might worry for nothing, as FF 38 is the "LTS" version from Mozilla (aka ESR), so the security fixes in FF 40 should be backported to 38 if they are applicable. My only worry is that it still seems to be 38.0 and not the latest 38.2.1 as of writing.

Manfred Hampl (m-hampl) said:
#5

Just a guess:

As shown in https://launchpad.net/ubuntu/+source/firefox/40.0.3+build1-0ubuntu1 there is still a problem in building the firefox 40.* packages for PowerPC. I assume that this is the reason that this package has not yet made it into the release repository (also for the other architectures).

But you better ask the responsible developers.