Firefox update (or not)

Question: more than 2 weeks to compile a Web browser, is that normal? Because…

www.firefox.com/en-US/firefox/140.8.0/releasenotes (with release date)

2 Likes

If you want the newest of the new, install it from Mozilla Repo.

2 Likes

Bad idea…
I just did it with the ESR version and the profile used is different in the file system… Which I could change, but for a temporary solution, it bothers me a bit.

And this time, unlike LibreOffice, it is indeed a (very real) security issue:
www.mozilla.org/en-US/security/advisories/mfsa2026-15

1 Like

Leap 15.6 has gotten the Update, so maybe it is on its way.

Nobody here can say the time of getting it to the Repo.

@merinos Just be aware that CVEs do get embargoed prior to public notification, so lots of fixes are underway before end users even know…

Likewise the process for the likes of Firefox, as can be seen from the output is from our Primary Sponsor SUSE, so they need to do their QA etc before release…

Do you think your system is vulnerable to the specific CVEs?

You can check in more detail on the CVEs at https://www.suse.com/security/cve/index.html

I actually don’t suppose it is my task, as just an ordinary user, to look for, inspect and analyse CVEs and to check updates of applications against them!

I am not a professional Dev/Sys-Op working on this regularly and earning money for it. I am an ordinary home user. Thus I don’t really consider myself responsible for this one.

But it’s quite obvious that updates for Mozilla Firefox and Thunderbird have some specific release date (package and release info publicly available at Mozilla) — and it often takes some 2 to 3 weeks to get them to openSUSE. Weeks — not days! And there currently often is a (significant) difference between Leap 15.6 (which is still valid and supported!) and Leap 16.0 (the official current version of Leap). Sometimes/often (like currently) Leap 15.6 is even more up-to-date than 16.0.

I am talking about the ESRs. And they offer (almost) always(!) security patches! — And then asking “Do you think you are personally affected?” is a (very) weak argument. I could even be personally affected not at all… (arguing in this way). So?

1 Like

The only one who is responsible for the usability and security of your private system is you.

1 Like

I have been using S.u.S.E. for a quarter of a century and as far as I can remember, it usually takes a few days (after the official release) before Firefox is updated.

But not that many days, never.

And how can the end user know if the visited Web sites are not compromised?

Once again, there is a guy, a girl, a little green being or a teddy bear who is not at his or her workstation at SUSE.

But none of the maintainers is reading here.

You are using the wrong place.

2 Likes

What about offering a helping hand?

@merinos @C7NhtpnK
If you want the really up-to-date version of Firefox, there is always the option to use the flatpak. That’s maintained by Mozilla, so it should be always as up-to-date as it gets.

I’ve been using the Firefox flatpak for quite a few months now and it works great.

There are more possibilities:

  • download, unzip and start Mozilla(-ESR) in your user’s /home
  • Install from the Mozilla Repo
  • Or, like you, install it as a flatpak

But asking here for the time of arriving in any repo does not make any sense.

There are better places.

4 Likes

That is considered not “the” answer!

With respect to legal/formal aspect: totally yes!

With respect to technical concerns: well, yes, but (very) limited! This is eventually related to “arbeitsteilige Gesellschaft” (sorry, don’t know the correct English expression). This is my point of view I don’t really want to discuss. When I obtain some kind of “product” (a physical or an intellectual one) I choose a proper provider/supplier (due to my concerns and needs) and then a proper “product” out of his/her offering. But it’s not up to me to inspect and analyse the “product” afterwards all the time. It could be/is my job that it is served with energy, money, updates, what-ever. But after I have chosen a provider/supplier and a product, I don’t work on it on a professional basis in everyday life. “No one” does this for all the things he/she uses in everyday life. And Mozilla on openSUSE is just one example.

This was not directed to me. But as I am involved here: I actually do it when I have the skills. So, on some other projects.

@DuctTape

No, but a browser without any declared security flaws, yes.

Firefox 140.8 ESR has been in the Tumbleweed repository since 28.02.2026, so four days after it got released. I guess that’s a reasonable time considering testing and such.
That means the Tumbleweed maintainers did their job. If it is not yet in Leap that is something that cannot be influenced by openSUSE as it comes from SUSE’s enterprise products.

So, also because this is a user forum of the openSUSE community, there is (as mentioned by others) no point in complaining here about it.

An up-to-date software is (usually) a more secure software.

And there are recommendations in this thread what you as a user could do to update to a newer version.

So, also because this is a user forum of the openSUSE community, there is (as mentioned by others) no point in complaining here about it.

That’s a pretty condescending statement… or you think I’m a computer idiot.

Besides, we’re talking about Leap… and if I were to change my source, I would choose: snapcraft.io/firefox
which allows you to choose between the traditional version and the ESR version.

1 Like

I didn’t mean to insult anyone nor do I think you are a computer idiot… sorry if it came across like that.

I just wanted to point out that there is (probably) nobody in this forum who can influence which version of Firefox is coming when to the Leap repositories.

Indeed! It’s about Leap. And there, it’s a “fact” that there is some major delay of some 2 to 3 weeks (for Mozilla Firefox and Thunderbird ESRs, almost always containing security patches).

Well, probably not! But one may state it. As it is obvious.

And up to that point, I am tired of “weak arguments” like

  • “Use the Mozilla OBS!” (Instead of the standard repository)
  • “Use the Flatpak!” (Instead of the openSUSE repository)
  • “Well, now, it’s there!” (After some two or three weeks later — not days!)

when just pointing to the poor situation being obvious.

Of course, the alternatives mentioned above are thinkable and possible. But they are “weak arguments” in this discussion when clearly stating the situation.