Firefox 60.0 ESR

English Applications
#1

When doing “zypper lu” I saw only Firefox 52.8 ESR was available, instead of 60.0 ESR.
For some reason I ended up doing “zypper up” anyways, and keep seeing a message from the Mozilla repository telling “the following packages are available but will not be installed” just before accepting and installing.

Unfortunately I’m not in front of openSUSE box right now; all I can say and hope it’s enough is, I have currently the Mozilla repository enabled:

2 | mozilla                   | mozilla                                 | Si         | (r ) Si          | Si         |   99      | rpm-md | http://download.opensuse.org/repositories/mozilla/openSUSE_Leap_42.3/

But I thought Firefox ESR was already in openSUSE’s repositories.

Why is 60.0 ESR not available?
Thanks beforehand.

#2

I don’t know the answer. But it is my impression that Mozilla released 52.8 ESR and 60.0 ESR at about the same time. So the 52.8 ESR is still an up-to-date release.

I seem to recall that there was a reason to go with the ESR releases rather than the mainline firefox releases. And presumably that same reason applies for staying with the 52.x series for as long as possible.

In any case, Leap 15.0 will be out soon, and it looks as if that will be using the mainline firefox versions. So I can wait another two weeks.

#3 
zypper up

does not do vendor changes the official LEAP version is 52.8 from the update repo
I’m not sure if mozilla will kill the 52 branch or keep supporting it seeing how it was the last build that supports npapi plugins and old style addons also it was the last one that can be build without sse2 support for 32bit cpu’s and for windows users the last one that can be installed on XP
if you want Firefox 60 ESR or not use the versions tab from yast to install it or use the version number (or --from repo switch) to install it from zypper
I’d say opensuse’s future releases will depend on mozilla’s decisions to keep 52.x or not

#4

I just read ESR will still last until circa August with 52.9, and after that they’ll drop the 52 series IIRC.

Also, in the IRC channel some days ago I saw it was mentioned that Leap supposedly has switched to ESR for good from now on, so Leap 15 will ship with 60.0 ESR (or still the 52 series? No longer sure…).

Thanks for your comments.

#5

It is: <https://software.opensuse.org/package/MozillaFirefox>.

And, it seems that a new 52.8.0 ESR patch is available for Leap 42.3; from the “Build Results” I’m not absolutely clear if this patch has been released or not:
<https://build.opensuse.org/package/show/openSUSE%3ALeap%3A42.3%3AUpdate/patchinfo.8076> (The “official update” URL at the left hand end of the Leap 42.3 entry.)

  • CVE-2018-5183: Backport critical security fixes in Skia
  • CVE-2018-5154: Use-after-free with SVG animations and clip paths
  • CVE-2018-5155: Use-after-free with SVG animations and text paths
  • CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files
  • CVE-2018-5158: Malicious PDF can inject JavaScript into PDF Viewer
  • CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
  • CVE-2018-5168: Lightweight themes can be installed without user interaction
  • CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion through legacy extension
  • CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8

For Leap 42.3, it’s in the openSUSE “Mozilla” « experimental packages » repository and, please take a look at the “Build results” at the right hand side of the Web-Page of the 2nd URL:
<http://download.opensuse.org/repositories/mozilla/openSUSE_Leap_42.3/x86_64/MozillaFirefox-60.0-4.2.x86_64.rpm>
<https://build.opensuse.org/package/show/mozilla/firefox60> (The “mozilla” URL at the left hand end of the 1st ‘60.0’ entry.)

#6

Firefox 60 is in the Update-Test Repo and someone in IRC has said, it will delivered to the Update Repo on Friday, May 18th.
http://download.opensuse.org/update/leap/42.3-test/

#7

When they make that jump in ESRs, Mozilla has always overlapped the two versions for awhile. Both are current and supported, for now.

#8

I feel that, I may have to correct myself: the openSUSE Leap 42.3 “Mozilla” (experimental) repository may very well be the “vanilla” Firefox – not the ESR version …

#9

Please be aware that, today’s (just now) openSUSE Leap 42.3 patch “openSUSE-2018-468” installs Mozilla Firefox 60.0 ESR.

Please also be aware that, there’s an incompatibility with the libstdc++6-gcc6 package which the KDE Plasma 5 System Tray “Updates” widget cannot resolve …
I had to use the YaST “Online Update” dialogue to resolve the issue:


remove |libstdc++6-gcc6|6.2.1+r239768-6.19|x86_64|
install|libstdc++6|7.3.1+r258812-10.1|x86_64|
#10

Interesting. So we are moving to 60 before Leap 15 comes out. Now I will have to see what that does to my extensions.

#11

Be aware it definitely wipes any hardening preferences :wink:

#12

I’m only using “flashblock” and “noscript”. I may just remove “flashblock” and switch to having firefox itself block flash (prompt before it allows).

I’m not sure if I should just remove “noscript”, or remove the reinstall after the upgrade. I’ve seen mixed reports on the “noscript” for newer firefox.

#13

Look at uMatrix according to this link:

“The recommendation for NoScript has been changed to uMatrix. This is because NoScript at the time of this writing has re-written their code to support Firefox Quantum, but many of the major security features that made it stand out are no longer present. Also, the new interface is harder to use for managing specific scripts and temporary permissions.”

https://vikingvpn.com/cybersecurity-wiki/browser-security/guide-hardening-mozilla-firefox-for-privacy-and-security

#14

I’m currently using Firefox 60 from the Mozilla repo and didn’t see this (I updated via zypper up and resolved the libstdc++6-gcc6 dependency with zypper which existed with FF59 too)
if I remember correctly the main reasons to switch from the release to ESR 52 haven’t changed ie the lack of npapi support and the new incompatible profile format
if we’re moving to 60 ESR I don’t understand why we just simply don’t move to the current release build like we had before Mozilla decided to kill off plugins and xpcom addons?

#15

… it does lousy things with a lot of extensions.

But, check in your Software Manager, both 52 & 60 are still there and supported, you can set to just stay with 52 in oS 42.3

For the record, I am (so far) staying with 52 in oS 15.0

#16

that’s the reason I installed Basilisk (based on beta ESR 52.9) along side Firefox as you can’t have both Firefox ESR and Release on a same machine (because of profile incompatibility)
http://www.basilisk-browser.org/
Basilisk uses a different dir for it’s profile and a simple copy/paste from a firefox profile will keep your addons/favorites/logons etc you can also use Firefox sync to sync up both browsers
you can also have both browsers running at the same time something that is impossible with Firefox ESR and release (on windows anyhow)

#17

I guess I am now on firefox 60.0 ESR (with Leap 42.3).

I can see why people complained about firefox quantum. But I think I will get used to it.

#18

For the record, due to the openSUSE Leap 42.3 patch “openSUSE-2018-468”, I’m writing this in a Firefox Quantum ESR 60.0 (64-Bit) browser window under KDE Plasma 5 on an openSUSE Leap 42.3 system – with no issues affecting normal usage noted to date.

The only extension that I have is “Ghostery”; the only Plugins I have are as follows (two are ‘standard’):

  • Cisco’s OpenH264-Videocodec;
  • Google’s Widevine Content Decryption Module;
  • Adobe’s Shockwave Flash.

Mozilla’s explanation is AFAICS acceptable: <https://support.mozilla.org/en-US/kb/npapi-plugins?as=u&utm_source=inproduct>

Only one thing was annoying: the clutter on “empty” page:

  • Pocket;
  • Links to Facebook & Co.;
  • News from sources I prefer to ignore – if I want to read about the pending Royal Marriage then, I prefer do so while browsing the Boulevard Press (printed copy) either in the Doctor’s waiting room or my local automobile service centre … >:)

Thankfully, the Mozilla folks have provided means to eliminate the “not wanted here” visual clutter …

#19

It seems that “freshplayerplugin” does not work with quantum. I have had to revert to the NPAPI version of flash.

On the plus side, the NPAPI version now works properly. I switched to “freshplayerplugin” because otherwise flash was not working properly. Specifically, I could not use flash in the browser while listening to music with Amarok. One of the two shut the other out. So I switched to freshplayerplugin to avoid that. And now with the NPAPI version, I can listen to music while flash is also being used.

#20

So finally installed Firefox 60.0 ESR.

I think I kind of had some high hopes for this release, but I feel like somehow disappointed… In part due to the same points @dcurtisfra mentioned.
Though I set “privacy.trackingprotection.enabled” parameter to true and “extensions.pocket.enabled” to false.
Also, I use Ublock Origin and HTTPS Everywhere extensions.
If I may ask, how do you eliminate the “not wanted visual clutter”?

I had heard about Basilisk browser from this thread, but also about Pale Moon before posting there. Both seem to be from same vendor, but I tried Pale Moon first, albeit always the portable version instead of installing.
I configured Pale Moon as per the suggested settings in the same thread page and also installed Ublock Origin -HTTPS Everywhere is not compatible…-. In general browsing felt a bit better than Firefox 52.x, and now even more than 60.0. Now I’m in doubt whether switching to Pale Moon for good…