Bonum Certa Men Certa

Firefox ESR 91 Creating Massive Headache for Debian 11 (GNU/Linux)

Guest post by Ryan, reprinted with permission from the original

D

ebian and Mozilla go way back, with endless troubles created by an incompetent upstream for Firefox, which is getting worse by the hour.



Debian tries to produce a stable OS that doesn’t change very much (although you can use backports and Flatpaks to strategically update packages), and this is very important for people who are happy with the way their computer works and don’t want to be on a bug treadmill, like Fedora.



However, you may have noticed that Firefox 78 ESR hasn’t been supported upstream now for over a week and has missed the latest round of security updates from Mozilla, and that Firefox 91.3 ESR is still stuck in the pipes, being packaged only in Experimental and Debian Unstable.



When I went to look at the reasons why, it appears that there are new problems related to Rust, build failures on various supported CPU architectures, and it also demands a newer version of Mesa3d than Debian 11 has, even though the entire OS is barely over a month old (and will be supported for five years).



Mozilla decided to migrate away from GLX and make EGL mandatory, _and_ blacklist the version of Mesa (20.3.5) which ships with Debian 11, demanding at least Mesa 21.



Mesa 21 would otherwise be fine as a Backport package, but now Debian has to choose between backporting a critical component of the OS directly into “Stable” updates (the OpenGL/Vulkan stack and Direct Rendering Interface drivers and libdrm), as well as newer Nvidia proprietary drivers in non-Free for the people who haven’t disembarked that clown car yet in favor of Intel and AMD cards that are truly supported on GNU/Linux, or forcing Firefox ESR 91 to use GLX again by overriding a default preference, which kicks the can down the road 1 year and creates the same problem again later, at which time Mozilla may have removed the GLX code anyway.



And reverting to GLX makes it impossible for users to enable Wayland and WebRender Compositing without knowing that they also need to set Firefox back to EGL and bring in a Backported Mesa package when one arrives.



In the mean time, there are 6 CVEs that are unpatched in Firefox 78.15, and one of those CVE numbers contains bugs (the details of which are still hidden by Mozilla) corresponding to four memory safety issues (which are often crash with potential arbitrary code execution). So really, at least 10 unpatched security issues, and maybe more (because not all patched issues get a CVE even though they may have security implications).



However Debian solves this problem will set more bad precedents and probably the least incorrect way to solve for it, assuming it’s even worth anything to keep Mozilla’s lawyers happy and use the official “branding”, which Mozilla is pissing down the drain these days anyway, is to bring in newer Mesa builds, which undermines the “feature freeze” that keeps Debian Stable running so well.



It’s definitely well past time to “IceWeasel” Firefox again and do whatever they need to do to keep it running securely without compromising the rest of the operating system.

Recent Techrights' Posts

What's Very Vexing to GAFAM, EPO and Others Is That It's Incredibly Hard to Censor Us (and Nobody Ever Successfully Did That Before)
resist, do not capitulate
Receiving SLAPPs and Collecting Them Like Trophies (the SLAPPs Always Fail)
People who file lawsuits bring even more attention to themselves (or to embarrassing statements about them)
Year of GNU/Linux on the Laptop?
It's not happening only in Lenovo
What People Must Understand About the Open Source Initiative (OSI)
some facts about the Open Source Initiative (OSI)
More Copyright Lawsuits Against LLM Slop Providers and Suppliers of LLM Slopfarms Would Benefit Society
It's not just bad for the Web and for society; it's also legally dangerous
 
Links 27/04/2025: Death of Nest Thermostats, Death of Metaverse
Links for the day
Links 27/04/2025: Projects Workflow and Discovering Technology
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, April 26, 2025
IRC logs for Saturday, April 26, 2025
Microsoft Isn't on the Map in USSR
To them, it's either Google or Yandex
In Central America Windows Became a Small Force
These are countries where Windows used to have well over 95% of the "market"
Site May be Even Faster Now
It basically takes less than a tenth of a second to serve the page
Many of the Scandals Are Interconnected (Overlapping People and Corporations)
We're only getting started
Links 26/04/2025: General Assassinated in the Town of Balashikha, US Promoting Seafloor Mining
Links for the day
Links 26/04/2025: Facebook Layoffs Again, Remembering What's Real, and Say No to Mass Surveillance
Links for the day
Links 26/04/2025: NOAA Budget Cuts and "Dog Days Ahead"
Links for the day
In defence of JD Vance, death of Pope Francis
Reprinted with permission from Daniel Pocock
Three Years in Prison for Disney Employee’s ‘Menu Hacking’: The Economic Fallout of Digital Menus
Reprinted with permission from Ryan Farmer
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, April 25, 2025
IRC logs for Friday, April 25, 2025
Links 25/04/2025: Slop Fatigue and Patent Judges Flocking to Fake, Unconstitutional and Illegal Kangaroo Court (UPC, Captured 'Justice')
Links for the day
Gemini Links 25/04/2025: Night Manager and Devuan in Hosting
Links for the day
Approaching 10,000 Articles/Pages Since Going Static
Trying to silence or derail the site was always a dumb strategy
Windows Falls to New Lows in Nicaragua, Now Below a Quarter (It Used to be Almost 100%)
Another all-time low for Windows
Microsoft is Shedding Off Loads of Staff and That Can be Dangerous Too
Working for Microsoft is a choice; nobody forces you to do it
Richard Stallman and the Unix Philosophy
When asked about systemd people must remember that RMS speaks as an active Board member of the FSF and also the founder of the FSF
The Cost (to Linux) of LLM Slop
Slop 'artists' like Fagioli are far from harmless
Links 25/04/2025: Ubisoft Spyware, Hegseth Fails at Tech on Every Level
Links for the day
Gemini Links 25/04/2025: Food Forest Update and Facebook Destroying the Net
Links for the day
Get Rid of Back Doors, Don't Obsess Over Bounties and Other Corporate PR Stunts (or Needless Reboot Rituals)
Security as a term has mostly lost its meaning due to repeated misuse for many years
Serial Sloppers Are Killing the Web (They Probably Don't Care, Either)
Slop is a disease on the Web
Streaming Apps Are “Investor Fraud” That Kills the Planet
Reprinted with permission from Ryan Farmer
Things Get Increasingly Nasty at Microsoft Ahead of the Fake Results and May's Mass Layoffs Wave
They try to get people to 'resign' so that they won't count as layoffs and the company's 'wellbeing' will seem better
IBM's Debt Ballooned by 8.5 Billion Dollars in Just 3 Months!
Hallmark of a company in a state of disarray, trying to spend its way out of trouble
Big Trouble in GNOME
even GNOME people admit the CoC went wrong
Slopping the Trough: Disney Plus Loses Billions and the Decline of Physical Media in America
Reprinted with permission from Ryan Farmer
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, April 24, 2025
IRC logs for Thursday, April 24, 2025