Firefox bullshit

[Head_on_a_Stick]

Iis there some way to upgrade my system EXCEPT FOR FIREFOX?

Try pinning it, see apt_preferences(5) for the method.

Disclaimer: untested, I would *never* run an outdated browser.

[Caitlin]

@Head_on_a_Stick: So I would create a file

Code: Select all

/etc/apt/preferences

and in it put

Code: Select all

Package: firefox*
Pin: *
Pin-Priority: -5

And then do an update, an upgrade, and a distroy-upgrade [just kidding about that last one] as usual?

Caitlin

[Head_on_a_Stick]

-5 seems a bit strange, -1 would do.

Anyway, try it and see, I run stable (+backports) on the family laptop and I don't want to play with the preferences.

[Bulkley]

I just want to keep what I've got for the time being.

When I want to keep a package I do

Code: Select all

sudo apt-mark hold <package-name>

Check here.

That's not all you need to do in this case. Study the link on pinning that Head_on_a_Stick posted above.

Other options: There are other browsers available that are based on older versions of Firefox. Waterfox and Pale Moon are very good. You could install one and import your Firefox settings and bookmarks. You might be more comfortable with one of these. Admittedly, Firefox Quantum is a not always welcome change.

[VentGrey]

Removing add-ons unquestioningly also creates security problems.

(1) But this is not Debian's fault, there is nothing EXPLICITLY stated that removes user's add-ons, Debian devs never said/wrote any code that could be translated to "Hey, let's remove all user's add ons"
and if we have to call names then the ones to blame here are the Mozilla devs with their "Quantum" release, which removed some essential components used by popular/useful extensions, if you want to go up one level and blame someone then you should blame your extension devs because they did not upgrade their extensions to work with Quantum, but then again, blaming devs here is a faulty argument.

firstly: Doing apt-get upgrade on a stable system should not leave a system in a less secure state ***WITHOUT INFORMING THE USER***.

The source of information was there a long time ago, as another user said earlier, that upgrade WAS in fact announced.
If your complain is that synaptic or whatever you used to upgrade your system did not inform you that's another story, if you need to see changes before an upgrade there is always

Code: Select all

apt-listchanges 

to read the latest changelog that the maintainers write, again, the Firefox upgrade was indeed announced, in this case it is the user's fault for not reading the distro's news or announcements, and just as a matter of fact, the extensions you install/write are your responsability to maintain or replace in any case, even if upstream releases an update. So that "security downgrade" should be fixed by you, not debian devs.

No one should need to research every package update in stable. To insist that is to be stupid and/or disingenuous.

In that case Debian devs shouldn't research every user they have, it is equally stupid to maintain an EOL version for 1 or 2 users that won't affect debian if they leave out of millions our there who do search
alternatives, to claim that the user shouldn't know what is he/she using and what changes it could present over the course of time it's just as stupid.

1) Continue with the current version and take the responsibility for patching the vulns.

CVE's are not the only concern on EOL versions, there could be some other issues like compat versions between extensions, dependencies & even web standards (Look at promises on Palemoon).

I do not blame Debian for not pursuing this path.

me neither.

Update the version and during the upgrade inform the user that their system will be left in a vulnerable state until action is taken.

Again, that "vulnerable" state you're talking about is very relative in your case, if you claim to browse with all those extensions & proxies then YES, you are in a higher security level and extensions not working could decrease it, unfortunately not all users browse that way, in face if we put ourselves in their shoes then we could add a fancy dialog informing them that they have a much secure browser.

As I said earlier, informing or making "special cases" for one or two users are and will never be worth it.

Unfortunately, option two was chosen but no notification given. This is a failure of the Debian maintainer's making. The bug that bw123 linked to only reinforces this.

Also the user's fault for not reading in this case, besides the maintainers fix issues when they can, and they mostly package & patch, if there are still doubts please return to (1).

I'd really expect this in something like Arch, or Fedora, but not Debian. Well, not until now...I guess I do now.

These aren't the Arch or the Fedora Forums, If you don't like the way Debian works you can always switch distros.

[debiman]

or if it has enough security holes to supply a cheese factory for some time.

you have no idea about the cheese manufacturing process.
this is how it's really done!

[MagicPoulp]

You did not think enough about how useful are your add-ons. You chose to use add-ons that are not maintained with browser's updates. You should change your way of working to use newest stable packages.

Firefox Quantum is much faster and better.

You can install a new browser in a local folder by downloading it manually. I did it myself to have a Firefox dev edition. So you can have the old firefox you want locally. But long term it is bad due to security holes. Firefox updates itself at startup. So you will have to deactivate updates.