So my Firefox was updated today via the official openSUSE update applet. Upon restarting Firefox, I was greeted with the usual message:
“You’re now running Firefox x.x.xx
For security reasons, we recommend downloading the latest and greatest version.”
Which brings me to the question I always wanted to ask but never did - Why isn’t openSUSE pushing the latest and greatest versions of Firefox?
I understand not using the bleeding edge versions for stability/compatibility reasons, but at least how about a version that’s a couple of revisions old, instead of an entire branch?
Is Mozilla wrong in assuming the latest and greatest version is best for security?
Does openSUSE believe in stability and compatibility first, over security?
Is Firefox such a critical component of the system that it’s not feasible to test and push the latest versions, for the fear of breaking many dependent components?
Or is there some policy of reserving branch changes for new versions of openSUSE? (11.1 - 3.0.4, 11.2 - 3.5, 11.3 - 3.6?) If so, why?
Just curious as to what’s the official answer, that’s all. Of course, also looking forward to discussions as to what’s your opinion and practice regarding using the latest version, or sticking with the official repo versions.
(Btw, yes I know I can manually update to the latest version or automate it by adding the necessary repos, and it’s as easy as eating pie, but that’s not my question. Also, I understand why things like the kernel, desktop environment/WM etc aren’t the latest versions… but why Firefox?)
Same reason as with other apps, the app version that was shipped with the distro release is the one that will continue to be updated. Whether this is too conservative wrt a web browser is debatable. Other distros are less reticent.
Note that the 3.5 series is still maintained by Mozilla and still receives security fixes. However as 3.0 is no longer maintained, on 11.1 the version of Firefox was bumped to 3.5. Probably something similar has to be done if/when 3.5 is retired during the lifetime of 11.2, or 3.6 during the lifetime of 11.3.
PS: I’m not a dev or anybody official, these just are my observations.
Many people add the Mozilla repo from the Build Service. It’s reliably stable and current. Otherwise, as Ken points out, the official repo keeps up to date with security patches.
Thanks for your answers, but my original question(s) still remain unanswered. I understand that the 3.5 branch is still being maintained by Mozilla, but it still doesn’t include some of the new security features/fixes found in the 3.6 branch, for example, protection from out-of-date plugins. Why does openSUSE think these features aren’t important enough to upgrade?
On Sat, 10 Jul 2010 04:36:01 +0000, dextermanas wrote:
> Why does openSUSE
> think these features aren’t important enough to upgrade?
Stability trumps features. The reason that no package is upgraded to the
next major/minor release is primarily for stability and ease of testing.
When most software goes through a major or minor release, there’s a need
to test for dependency breakage. Staying with the same version reduces
the amount of testing needed because the dependencies aren’t going to
change.
dextermanas wrote:
> -(btw, yes i know i can manually update to the latest version or
> automate it by adding the necessary repos, and it’s as easy as eating
> pie, but that’s not my question.
but that IS the question you are asking!
it is simple for YOU to have the newest of the new firefox and at the
same time it is simple for the community to NOT push every user
(many of whom do NOT want to risk new bugs in new code) into having
the newest of the new by just not moving it into the basic repo…
doing it that way allows all users to have it the way they want…easy
as pie…
But Mozilla doesn’t think the risk is significant enough to either backport this feature to 3.5, or to deprecate 3.5 and force people to move to 3.6, so in due course when 4.0 comes out, 3.5 will go out of support. There is no such thing as zero-risk, it’s always a tradeoff against effort, and openSUSE devs have weighed the pros and cons and made a decision one way.
So the answer remains, obviously you disagree, but if it is important enough to you, you can upgrade. As I said this is a grey area and value judgements differ.
Another thing to keep in mind: latest does not always mean greatest; it’s been bugging me since 3.0 that Mozilla treats each minor point update as the greatest.
Sure, it might bring you security fixes, but stability might be another issue.