CVE-2024-4367 affects Firefox <126, like the one in the main repos

Hello,
Yesterday I read about this nasty CVE-2024-4367 affecting PDF.js, which is used by Firefox. I then noticed that Firefox 126 (the first patched version) has yet to be shipped in openSUSE Tumbleweed. :upside_down_face:

I am here to ask, why is this the case? Does openSUSE have a personalized version of Firefox? Why does it lag behind by weeks, and what are the differences? Should I use an upstream package?

@LoGaIta99 It was submitted to factory/staging about 7 hours ago… https://build.opensuse.org/request/show/1175472

It is in progress. Tumbleweed users are expected to do a basic search:
https://bugzilla.opensuse.org/show_bug.cgi?id=1224056
And the OBS link posted by Malcolm…

I guess I mis-titled my post, given my closing questions. I was sure the maintainers knew about this CVE and were working on the update as fast as possible, even if I am not familiar with Bugzilla and OBS (I know both of them, but I don’t know how to navigate them, for the most part).

I was interested in why the openSUSE Firefox package lags behind the Mozilla releases so often. It is my impression that this happens more than with other packages, and I remember that the wiki suggests Mozilla repositories. Are the packages in those repos any different from the ones in the main repos?

Because builds take time, because openQA takes time, because it takes time for the maintainers to review things, and if something breaks in an update, they have to fix that. It’s not as simple as just throwing a tarball out there and popping out an RPM in thirty seconds, every time.

That’s right, but from my point of view it takes too much time. Firefox 126 was released on May 14th, I did zypper dup a few minutes ago, and it’s still not listed. Six days, and there were versions for which I waited 10 days and more. Maybe I am wrong, but from my point of view, software that uses the internet the way browsers and mail clients do is security related and should have a higher priority. It gives a bad feeling when I see there are fixed security issues in the new versions of FF and TB but no update available in Tumbleweed. Flatpak is no alternative for me, and using mozilla:Factory/Mozilla* is possible but an ugly solution.

@wmf42 So use the upstream released tarball as your user? The process takes time. Change your browser?

I like Firefox, so I don’t want to change the browser. Using the tarball would be a solution, but it’s outside of the Tumbleweed upgrade mechanism; that’s why I stay on the Tumbleweed package.

@wmf42 then your only other option is to use the Mozilla repo, but that still takes time…

That’s the way it is, but sometimes I wonder, because I have Manjaro in a VM and Firefox there is usually updated much faster than on Tumbleweed. Is the Manjaro process that much shorter than the Tumbleweed process?

@wmf42 What testing/verification do they do or just build and dump to their repo? This is the way it is, development repo → factory → staging for openQA → release…

Manjaro is based on Arch; Arch does literally no testing. At best there is a ‘yep, works for me’ from the maintainer so the only thing that slows them down is how long it takes to do a build and upload it for distribution.

I don’t see why you seem to think this is some fire-drill issue; looking at Fedora, they are also only just releasing 126 to their release channels. It wasn’t deemed to need any emergency release process.

openSUSE packages are maintained by volunteers who have real jobs to do as well. If there is a version released that you believe needs immediate attention, you can submit a request yourself or open a bug report.

@wmf42 So the update to 126 arrived in today’s snapshot…
