Firefox – DEB or TAR: What's the difference?

Asked by Jens on 2020-01-20

Hi team,

I want to get a current version of Firefox, but as I'm still running Trusty (KDE) the latest version available is v66.
Now I thought maybe I could use the latest (stable) tarball from Mozilla (v72), but all over the web it is demanded to strictly use the distro's package. My next thought was to use the latest Debian (Jessie) version (v68 ESR).

So my question now:
Can I safely install/use the latest Mozilla tarball or should I better use this Debian package?
And what is the difference between those two installations?

Greetings,
Jens

Question information

Language: English
Status: Solved
For: Ubuntu firefox
Assignee: No assignee
Solved by: Manfred Hampl
Solved: 2020-01-21
Last query: 2020-01-21
Last reply: 2020-01-21

Manfred Hampl (m-hampl) said : #1

Support for Ubuntu trusty as desktop operating system ended nine months ago, see https://wiki.ubuntu.com/Releases
This is the reason that there is no current version of Firefox for trusty in the Ubuntu repositories any more.

The recommended solution is upgrading to a supported Ubuntu release.
Everything else is done on your own responsibility, and you cannot expect any support.

Jens (i-m-jens-3) said : #2

Oh yes, I already know that, thank you. But I'm so very satisfied with Trusty that I prefer to continue using it until the end of the ESM (or of course sooner if things should turn out to be too messy).

So I don't need support for a "Trusty issue". But for being able to better assess my risk I would like to know, what precisely is the difference of the Ubuntu package compared to the (mentioned) Debian package and/or the Mozilla tarball? What might possibly go wrong with the tarball (despite the dependencies)?
(By the way this issue would be a nice exercise for getting deeper into Ubuntu.)

We cannot support Trusty. Please update. You can be "very satisfied" with Windows XP but Microsoft will not support your OS. It's the same thing here. We can only support live releases, not old ones which are now end of life.
Please upgrade to a newer release for continued support. You are also at risk from security issues as your packages will never get updated. It is very unwise to stay on an old OS that is unsupported.

Thanks

Jens (i-m-jens-3) said : #4

Please excuse me for insisting to ask, but obviously I wasn't able to express my intention more precisely.

The story about Trusty is just the *frame* of my case. I really do ***NOT*** need any help on a special Trusty issue and I know about my general security risk continuing using Trusty.
I just wanted to understand the differences on those mentioned Firefox packages – regardless of the actual Ubuntu version – but in general context of Ubuntu's development/maintenance branch of Firefox.

Or in another context:
What would be my risk, if I would install the Mozilla tarball or the Debian package of the latest Firefox on – let's say – Kubuntu 18.04 LTS – but in this case *without* using the snaps?

What are the specialities on the Ubuntu packages?

Well, if this should be the wrong site to ask on this particular topic, maybe you could tell me where else I could ask or read?

BTW, isn't the "ESM" subscription for maintaining security updates on Trusty until 2022 or did I misunderstand this point?

Thank you for your patience.

Manfred Hampl (m-hampl) said : #5

I try to sort out the two different issues in this question:

1. Ubuntu trusty is not supported any more as desktop operating system. ESM offers continued support for a limited number of packages that you usually find on SERVER systems, see https://wiki.ubuntu.com/SecurityTeam/ESM/14.04#A14.04_Infrastructure_ESM_Packages
If you haven't enrolled your system for ESM, then you will not even get updates for these server packages.
If there is a security problem in a package not in the list (and e.g. Firefox isn't), then this problem will not be solved, and your system stays vulnerable against related attacks.

2. Open system software usually is provided in form of source files, and these usually are put together into an archive ("tarball"). If you want to install software from a tarball (or from a git repository), you have to build the executable files from the source. This can be a lengthy and cumbersome process (find out the prerequisites that are needed for compiling, install these prerequisites, execute the build process, compile time might be several hours, ...).
Ubuntu does this for you and creates a *.deb file with the executables, such that the Ubuntu package management system can install that package without the need for a compilation process, and with automatic installation of the dependencies that are needed for running the software.

The package management systems of Debian and Ubuntu are similar, but the available packages aren't identical. So installing a package for Debian on Ubuntu may work in some cases, but also can fail miserably.

Nowadays there are additional forms for delivering executable packages: snaps and flatpak. These are supposed to contain everything needed to run the software and should run on any suitable operating system without the need for compilation.

Summary: The risk is not in using tarballs, but the risk is using an unsupported and unmaintained operating system release.
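
Added example (not part of the answer above and not Ubuntu or Debian tooling): a small checker that reads the `Depends` field of a package control stanza and lists the clauses an older system cannot satisfy, which is the usual reason a Debian .deb fails to install on a different Ubuntu release. The stanza, the installed versions and all function names are constructed for illustration, and the version ordering is simplified to the numeric parts of the upstream version rather than dpkg's full rules.

```python
import re

# Constructed control stanza (not copied from any real Debian or Ubuntu package).
CONTROL = """\
Package: example-browser
Version: 68.4.1esr-1
Depends: libc6 (>= 2.17), libgtk-3-0 (>= 3.14), libstdc++6 (>= 4.9) | libstdc-compat,
 fontconfig
"""

# Constructed package database of the (older) target system.
INSTALLED = {"libc6": "2.19", "libgtk-3-0": "3.10.8",
             "libstdc++6": "4.8.4", "fontconfig": "2.11.0"}

DEP_RE = re.compile(r"^\s*([a-z0-9][a-z0-9+.\-]*)(?::\w+)?\s*(?:\(\s*(<<|<=|=|>=|>>)\s*([^)\s]+)\s*\))?\s*$")

def field(stanza, name):
    """Return one control field, joining continuation lines (leading space)."""
    value, active = [], False
    for line in stanza.splitlines():
        if line[:1] in (" ", "\t") and active:
            value.append(line.strip())
        else:
            active = line.lower().startswith(name.lower() + ":")
            if active:
                value.append(line.split(":", 1)[1].strip())
    return " ".join(value)

def numeric_key(version):
    """Simplified ordering: numeric parts of the upstream version only.
    Real dpkg ordering also handles epochs, '~' and letters."""
    upstream = version.split(":", 1)[-1].split("-", 1)[0]
    return [int(n) for n in re.findall(r"\d+", upstream)]

def satisfied(alternative, installed):
    m = DEP_RE.match(alternative)
    if not m or m.group(1) not in installed:
        return False
    op, wanted = m.group(2), m.group(3)
    if op is None:
        return True
    have, want = numeric_key(installed[m.group(1)]), numeric_key(wanted)
    return {"<<": have < want, "<=": have <= want, "=": have == want,
            ">=": have >= want, ">>": have > want}[op]

def unmet_dependencies(stanza, installed):
    """List every Depends clause for which no '|' alternative is satisfied."""
    clauses = [c.strip() for c in field(stanza, "Depends").split(",") if c.strip()]
    return [c for c in clauses if not any(satisfied(a, installed) for a in c.split("|"))]
```

With the constructed data, `unmet_dependencies(CONTROL, INSTALLED)` reports the GTK and libstdc++ clauses, the kind of library-version gap that a package built for another distribution release runs into.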

Jens (i-m-jens-3) said : #6

AH!!! That's exactly what I needed to know. This helped a lot.
Thank you very much :))

I think I'll try the tarballs then – for a while – as this should close potential security issues on such software. In the worst-case scenario I'll have to install the latest Ubuntu anyway. Additionally I don't need to worry about my local data as they are safe and sound.

It'll be a good exercise in Linux/Ubuntu so I'm fine. Thanks for worrying :)

Jens (i-m-jens-3) said : #7

Thanks Manfred Hampl, that solved my question.