* [gentoo-user] Package "www-client/firefox"
@ 2024-12-04 14:35 Dr Rainer Woitok
2024-12-04 16:32 ` Jay Faulkner
2024-12-04 23:25 ` Matt Jolly
0 siblings, 2 replies; 6+ messages in thread
From: Dr Rainer Woitok @ 2024-12-04 14:35 UTC
To: Gentoo-User
Greetings,
Gentoo provides two flavours of Firefox, one in slot "esr" (Extended
Support Release) and one in slot "rapid" (new release every 16 weeks).
In an attempt to interpret the names of these two flavours I would
expect "esr" to offer new features less frequently than "rapid", but as a
user I would prefer installing the flavour where in particular security
exposures are dealt with more responsibly, that is, where less security
specific bugs occur due to more intensive testing and where those bugs
occurring anyway are generally fixed more rapidly. So which slot should
I choose? Any opinions out there?
Sincerely,
Rainer
* Re: [gentoo-user] Package "www-client/firefox"
From: Jay Faulkner @ 2024-12-04 16:32 UTC
To: gentoo-user, Dr Rainer Woitok
There is no truly correct answer to that question. Here's my $0.02: I
always want to run the latest release of a web browser -- otherwise
you're counting on folks to be able to identify every single patch
related to security and backport it -- even if people are trying. This
is why I run the rapid slot of Firefox.
--
Jay Faulkner
On 12/4/24 6:35 AM, Dr Rainer Woitok wrote:
> Greetings,
>
> Gentoo provides two flavours of Firefox, one in slot "esr" (Extended
> Support Release) and one in slot "rapid" (new release every 16 weeks).
> In an attempt to interpret the names of these two flavours I would
> expect "esr" to offer new features less frequently than "rapid", but as a
> user I would prefer installing the flavour where in particular security
> exposures are dealt with more responsibly, that is, where less security
> specific bugs occur due to more intensive testing and where those bugs
> occurring anyway are generally fixed more rapidly. So which slot should
> I choose? Any opinions out there?
>
> Sincerely,
> Rainer
>
* Re: [gentoo-user] Package "www-client/firefox"
From: Alarig Le Lay @ 2024-12-04 23:04 UTC
To: gentoo-user
On Wed 04 Dec 2024 08:32:01 GMT, Jay Faulkner wrote:
> There is no truly correct answer to that question. Here's my $0.02: I
> always want to run the latest release of a web browser -- otherwise
> you're counting on folks to be able to identify every single patch
> related to security and backport it -- even if people are trying. This
> is why I run the rapid slot of Firefox.
The ESR is officially supported by Mozilla, so you don’t rely on only
one person (from Nebraska) here.
On my side, I don’t want the new bullshit features of Firefox to arrive
too soon, so I run ESR.
--
Alarig
* Re: [gentoo-user] Package "www-client/firefox"
From: Matt Jolly @ 2024-12-04 23:19 UTC
To: gentoo-user
Hi,
On 5/12/24 09:04, Alarig Le Lay wrote:
> The ESR is officially supported by Mozilla, so you don’t rely on only
> one person (from Nebraska) here.
Yes, there have _never_ been whole teams who have missed backporting
a seemingly innocuous security fix. That has never in the history of
the world happened.
* Re: [gentoo-user] Package "www-client/firefox"
From: Matt Jolly @ 2024-12-04 23:25 UTC
To: gentoo-user
Hi Rainer,
On 5/12/24 00:35, Dr Rainer Woitok wrote:
> So which slot should I choose? Any opinions out there?
I can't speak for Firefox, but I do maintain Chromium which is similar
enough in terms of being a browser with a fast release cycle and several
channels.
I recommend keeping your browser as up-to-date as possible. The `rapid`
channel for Firefox may result in more frequent updates for you as
an end-user, but it always includes the latest fixes (and features).
That's not saying that ESR is likely to be vulnerable, but the fixes
going into ESR are going to be backported from the rapid and development
channels. A lot of work goes into ensuring that these backports are done
in a timely manner, but it's not beyond the realm of possibility for one
to be missed, or announced and fixed in rapid but not in ESR leaving
those users vulnerable.
IMO if you're not an enterprise you should be running rapid. If you are
an enterprise you have your own requirements to think about, but you
should probably also be running rapid.
In Chromium terms, I often run the beta (or dev) channels, as I know
that security fixes for the stable channel are implemented in dev
and backported from there.
I hope that helps, I need to run and get breakfast.
Cheers,
Matt
* Re: [gentoo-user] Package "www-client/firefox"
From: Michael @ 2024-12-04 23:59 UTC
To: gentoo-user
On Wednesday 4 December 2024 23:25:42 GMT Matt Jolly wrote:
> Hi Rainer,
>
> On 5/12/24 00:35, Dr Rainer Woitok wrote:
> > So which slot should I choose? Any opinions out there?
>
> I can't speak for Firefox, but I do maintain Chromium which is similar
> enough in terms of being a browser with a fast release cycle and several
> channels.
>
> I recommend keeping your browser as up-to-date as possible. The `rapid`
> channel for Firefox may result in more frequent updates for you as
> an end-user, but it always includes the latest fixes (and features).
>
> That's not saying that ESR is likely to be vulnerable, but the fixes
> going into ESR are going to be backported from the rapid and development
> channels. A lot of work goes into ensuring that these backports are done
> in a timely manner, but it's not beyond the realm of possibility for one
> to be missed, or announced and fixed in rapid but not in ESR leaving
> those users vulnerable.
>
> IMO if you're not an enterprise you should be running rapid. If you are
> an enterprise you have your own requirements to think about, but you
> should probably also be running rapid.
>
> In Chromium terms, I often run the beta (or dev) channels, as I know
> that security fixes for the stable channel are implemented in dev
> and backported from there.
>
> I hope that helps, I need to run and get breakfast.
>
> Cheers,
>
> Matt
Thanks for your informed input. What would you say is the time lag between some
vulnerability announced in a browser before backporting takes place? I've
been thinking the latest dev release may have patched some old(er)
vulnerability, while at the same time introducing one or two new zero-day
horrors.
Thinking about it, would you know how far out of kilter is Falkon with respect
to vulnerabilities? I noticed enotices mention Falkon is essentially out of
date and some websites may break, but couldn't decide if this meant it should
not be used unless you've a penchant for retro-software.
PS. As an alternative to Firefox the OP could consider the overlay for
Librewolf/librewolf-bin:
https://librewolf.net/
https://codeberg.org/librewolf/gentoo.git
Its releases are more frequent than the Firefox-ESR, but I don't know if they
are in sync with Firefox rapid.