Packaging request #1981

[iceweasel]: Needs upgrade

lukeshu - about 1 year ago. Updated 8 months ago.

Status: open
Priority: wish
Assignee:
% Done: 0%


Description

Firefox 62.0 is out. Iceweasel needs updated to that from 61.0.2

History

#1

Updated by nRoof about 1 year ago

Just a reminder: Firefox 62.0.2 is available.

#2

Updated by nRoof about 1 year ago

Firefox 62.0.3 has been released with a few critical security fixes: https://www.mozilla.org/en-US/security/advisories/mfsa2018-24/

#3

Updated by pankerini about 1 year ago

Firefox 63 has been released already.

#4

Updated by grizzlyuser about 1 year ago

Firefox 63.0.1 is available: https://www.mozilla.org/en-US/firefox/notes/
According to release notes, it seems not to have security fixes, but 63.0 has lots of them, including critical ones.

#5

Updated by grizzlyuser about 1 year ago

A new version 63.0.3 of Firefox is available https://www.mozilla.org/en-US/firefox/notes/

#6

Updated by grizzlyuser 11 months ago

A new version 64.0 of Firefox is available [1].
Arch already built it [2].

It includes various security fixes, some of which are critical [3].
Although some people here might think "nah, I have JavaScript disabled all the time, so won't be affected", bug reports for some of the issues fixed are not public. So it's not clear (at least for me) whether they are related to JS, or to anything other. And even if they are all JS-specific, Iceweasel ships with JS enabled by default, so those users who didn't disable it, can be seriously vulnerable anyway.

[1] https://www.mozilla.org/en-US/firefox/notes/
[2] https://www.archlinux.org/packages/extra/x86_64/firefox/
[3] https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/

#7

Updated by dllud 10 months ago

Just one more friendly nudge: Firefox 65 has been released and is already on Arch.
Again, it comes with the usual set of security fixes: https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/

#8

Updated by bill-auger 10 months ago

  • Priority changed from bug to wish
  • Subject changed from [iceweasel] Needs updated to 62.0 to [iceweasel]: Needs upgrade

iceweasel v65 for x86_64 is in [libre-testing]

#9

Updated by bill-auger 10 months ago

  • Assignee changed from lukeshu to oaken-source

#10

Updated by grizzlyuser 10 months ago

Thank you for doing this hard work of updating the package!

A few issues I noticed when I tried to use v65 from libre-testing (with a brand new profile after I deleted the ~/.mozilla folder):
1. Default start page has a section Top Sites, where YouTube, Facebook, Twitter, and Amazon are listed by default among the other sites. I'm almost certain they serve non-free JavaScript code. Not totally sure what's Parabola stance on this matter. However, I personally don't care much, because even if their JS is 100% free and harmless now (all of which is highly doubtful), nobody guarantees it will be that way the next visit of the website. So I chose to disable JS altogether on almost all websites I visit. In that mode, at least YouTube is totally broken.
2. Browsing through Preferences, I noticed some new functionality in 'Preferences' - 'General' - 'Browsing' section: 'Recommend extensions as you browse', which is enabled by default. Description for it on Mozilla website seems satisfactory, but it's not clear to me whether it can recommend non-free extensions that way.
3. 'Preferences' - 'Search' seems to not work. Nothing happens when I click 'Search' link. It looks like no default search engines are available, because if I enter some text into the address bar, and hit Enter, it tries to either open a website with that domain name (if that's one word), or do nothing (if that's multiple words separated by space).

BTW, if that can help with the fix, # 1 and # 3 are not reproducible in Abrowser 64.0 in freshly updated Trisquel.

Ahh, I wish one day we have some unified fork of Firefox that all FSDG-compliant distros (like Parabola, Trisquel, PureOS, etc.) can use and contribute to. Without duplication of effort and with faster development cycle to deliver security patches in timely fashion.

#11

Updated by bill-auger 10 months ago

grizzlyuser wrote:

1. Default start page has a section Top Sites, where YouTube, Facebook, Twitter, and Amazon are listed by default . Not totally sure what's Parabola stance on this matter.

we usually remove all trademarks regardless of if they are functional - in this case we have removed those same buttons before - mozilla keeps re-arranging (aka breaking) things constantly - these just found a way to pop back out again

grizzlyuser wrote:

2. 'Recommend extensions as you browse', which is enabled by default. it's not clear to me whether it can recommend non-free extensions that way.

we probably need to disable that feature - many such recommendations would be non-free and the FSDG does not permit actively recommending any non-free software

grizzlyuser wrote:

Ahh, I wish one day we have some unified fork of Firefox that all FSDG-compliant distros (like Parabola, Trisquel, PureOS, etc.) can use and contribute to. Without duplication of effort and with faster development cycle to deliver security patches in timely fashion.

indeed that is a great idea that is being considered

https://lists.parabola.nu/pipermail/dev/2018-December/007072.html

#12

Updated by grizzlyuser 8 months ago

I'm able to reproduce all three issues mentioned in https://labs.parabola.nu/issues/1981#note-10 using the iceweasel 1:66.0.2-1.parabola1 x86_64 from [libre].

Issue 3 works fine when I downgrade to iceweasel 1:65.0.2-1.parabola2 x86_64. Also tried to test earlier versions to determine on which build issue 3 had been fixed, but they didn't start due to missing libvpx.so.5.

All three work fine under freshly updated Trisquel 8.0 in abrowser 66.0.2+build1-0ubuntu0.16.04.1+8.0trisquel61.

#13

Updated by CommodoreCrunch 8 months ago

The broken search appears to be due to a syntax issue in the libre-searchengines patch. I haven't taken the time to rebuild iceweasel to test this theory, because it's very much an overnight job on my machine, but a few different locales stood out as ones that were recently modified and show up in red highlight when I open the patched list.json in vim. Those locales are cs, ja-JP-macos, and ja. The search engine list had some duplicate entries that ended up outside of the "visibleDefaultEngines" block where they presumably should be.

If I'm correct on the cause and I haven't missed anything, this would be the fixed patch: https://gitlab.com/snippets/1840768

And here's a plaintext link for those who don't want to allow GitLab's JS: https://gitlab.com/snippets/1840768/raw

If no one else does, I'll try building with it overnight.
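
Added example, not part of the thread or of Parabola's patch: a pre-build check for a patched search-engine list, which reports where the JSON stops parsing and flags blocks whose "visibleDefaultEngines" list is missing, empty or duplicated. The file layout (top-level "default" and "locales", each locale mapping a region to a block), the engine names, the sample data and the function name `check_engine_list` are assumptions made for illustration.

```python
import json

# Constructed sample in the assumed list.json layout. The "ja" locale has
# engine names left after the closing "]" of its array, the kind of stray
# entry outside "visibleDefaultEngines" described in comment #13.
BROKEN = '''{
  "default": {"visibleDefaultEngines": ["ddg", "wikipedia"]},
  "locales": {
    "cs": {"default": {"visibleDefaultEngines": ["ddg", "wikipedia-cz"]}},
    "ja": {"default": {"visibleDefaultEngines": ["ddg", "wikipedia-ja"],
      "ddg", "wikipedia-ja"
    }}
  }
}'''
# Same document with the stray entries removed (constructed).
FIXED = BROKEN.replace('],\n      "ddg", "wikipedia-ja"\n', ']\n')


def check_engine_list(text):
    """Return a list of problems found in a list.json-style document."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as err:
        # Entries outside the array make the file invalid JSON; say where.
        return [f"syntax error at line {err.lineno}, column {err.colno}: {err.msg}"]
    # Collect every block that should carry an engine list, keyed by its path.
    blocks = {"default": doc.get("default")}
    for locale, regions in doc.get("locales", {}).items():
        for region, block in regions.items():
            blocks[f"locales.{locale}.{region}"] = block
    problems = []
    for path, block in blocks.items():
        engines = block.get("visibleDefaultEngines") if isinstance(block, dict) else None
        if not isinstance(engines, list) or not engines:
            problems.append(f"{path}: missing or empty visibleDefaultEngines")
        elif not all(isinstance(e, str) for e in engines):
            problems.append(f"{path}: non-string engine name")
        elif len(set(engines)) != len(engines):
            problems.append(f"{path}: duplicate engine name")
    return problems


if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_engine_list(text) or "ok")
```

Running a check like this on the patched file before starting the build catches a malformed list in seconds instead of after an overnight compile.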

#14

Updated by oaken-source 8 months ago

well spotted! I have applied your updated patch to the iceweasel build, and queued rebuilds.
