It would appear that Firefox 3.0 falls out of support at the end of the month and after 3.0.19 there will be no more security fixes. Does anyone know what is happening with 11.1 and firefox 3.0? Are 11.1 users going to be left without any security fixes for firefox?
Not from Mozilla.
No, they won’t (“backport” is the magic word here).
It’s also possible they may label Firefox as a non-critical app and ask that users move to 3.5 (RHEL did something similar with FF2.0).
Is there a stable backport of firefox 3.5 or 3.6 for opensuse 11.1?
I only know of MozillaFirefox-3.6.2-1.2.i586.rpm etc. in the repository Mozilla Index of /repositories/mozilla/openSUSE_11.1. For me 3.6.2 (not 3.6 or 3.5.8.x) from Mozilla /Mozilla legacy was the best alternative to firefox 3.0 (don’t like the old place of “Open a new tab”) or upgrading to openSuse 11.2 (what I intend to do if I will have a bit more time).
See: Firefox 3.6 suffers from unpatched “highly critical” vulnerability - openSUSE Forums, and “Help” does not start: “file:///fakefile#index” is invalid - openSUSE Forums (http://forums.opensuse.org/applications/435376-help-does-not-start-file-fakefile-index-invalid.html)
Is there a stable backport of firefox 3.5 or 3.6 for opensuse 11.1?
You don’t seem to understand what a backport is. A backport-version of an application will not contain new features and will have the same major-version number always, yet bugfixes are backported to this version.
OK, sorry for misunderstanding. So can I install a stable version of firefox 3.6 on 11.1?
Thanks ken_yap !
When I was on opensuse 10.3, I had stability problems, sudden crashes, when I had installed firefox 3.0, whereas firefox 2.0 (or 2.something) was the supported version for 10.3. So I had to roll back to 2.0.
So, does anyone have problems with firefox 3.5 or 3.6 on opensuse 11.1?
No bugs?
No incompatibilities?
Thanks for your help.
Unfortunately I don’t have any 11.1 systems to try them out on. But firefox by itself is pretty stable. The potential causes of instability are things like flash and other plugins.
Just after a 6 hour lunch may not be the best time to be reading and replying to this thread but:
From reading the replies it appears that the openSUSE support for firefox will take any fixes for later versions of firefox and rework (backport) them for 3.0. What happens if there is a vulnerability found in 3.0 but not in 3.5 or 3.6 and there is no fix to backport?
Given that the majority of these fixes are security fixes in an application that is completely exposed to the internet, how well tested are the backported fixes?
Given that openSUSE firefox 3.0 will become a separate branch of firefox it is possible that a vulnerability could be introduced which would not be detected in the normal manner. While it may also be less likely to be found by hackers, continuing to use 3.0 would seem to be a less secure option than using 3.5 or 3.6.
While I understand the logic of building a release, testing it, shipping it and then not changing anything until the next release, I am not convinced that this is a good idea when applied to a product such as firefox. Backporting fixes must be more work and more risky than doing a general upgrade to firefox.
It would be nice if some of the major applications were packaged separately from the base O.S. Bundling an end of life firefox with 11.1 was always going to cause problems and I have had similar problems with other components such as UFRAW. The release cycles for components of openSUSE will never match the release cycle of openSUSE.
It looks like I will have to upgrade to firefox 3.5 or 3.6. I am not convinced that banks will consider 3.0 with backported fixes a secure browser. This is making my 11.1 system even more non-standard. I want to do an upgrade to either 11.2 or 11.3 but I am already worried that the upgrade will fail given all the additions and changes that have been applied.
As I said, it might be possible that the devs will simply decide that 3.0 is too much effort to support and push an update to 3. to keep users going until end of life for 11.1.
Part of the story is the rapid pace of Firefox development. When 11.1 was released in Dec 2008, 3.0 was mainstream. 3.5 was released June 2009, according to Wikipedia. So it’s asking a bit too much for the 11.1 developers to get a time machine and release a browser from the future.
I am not expecting time machines but bundling major applications with totally different life cycles with the O.S. may not be a good idea. We are very close to Mozilla dropping 3.0 support and I do not understand if there would be any delay between an official Mozilla fix release and the backport release. I have no idea how well such backports will be tested. Unless the openSUSE team are working alongside the Mozilla team, I would think that there will be a significant delay in releasing the backported fix.
Being so close to the end of support for 3.0 I believe that there should be a very clear statement from openSUSE on how 3.0 will be managed. This should include any additional delay caused by the backport process, the level of testing that will be done and what happens if there is a vulnerability without a fix to backport.
Firefox will be widely used for internet banking and e-commerce. Consideration needs to be given to the attitude of the banks to a backported firefox 3.0. It is possible that a bank could declare the backported browser insecure and make the user responsible for any fraud. It is of course possible that someone from openSUSE has verified that the banks have no problem with the backport process but if they have I have not seen any evidence of it.
For a desktop system the web browser is probably the most vulnerable component. No avoidable risks should be taken with security just to meet a policy that says we will not change releases of applications between openSUSE releases.
Given that people should probably be working on the first backports as I write this, the expected delay (if any) between the Mozilla fix and the backport should be known. How it is going to be tested should be known. The level of resources required should also be known and in place. It should therefore already be known if the effort is too large to justify.
You’re assuming there will be a backport. That’s only one option. As I said there may not be a backport, they may simply push out an update to 3.6, that’s another option. There’s no hard rule that they will not change the software version, but that’s a strong preference. It’s mainly for daemons which are critical not to break like web and mail servers. For a desktop, it is just an inconvenience if the browser doesn’t look to the user exactly like before.
That’s the reasoning that RHEL (an Enterprise distro) took. They will not upgrade PHP beyond 5.1 on RHEL4 but they happily discarded FF2.0 in favour of FF3.0. They may do another move to 3.6, who knows.
Why not file a query at bugzilla.novell.com? You won’t get any answers here, we are not devs.
I will have a go at bugzilla. I suspect that I am going to have to install 3.6 from the mozilla repository before I get a reply but we will see.