Debian repos falling behind on Browser support

All of the Debian-shipped browsers (Chromium, Firefox ESR, Falkon, …) have severe open security issues which the package maintainers apparently are not able to fix easily:

- Chromium is still at version 90.0.4430.212-1, which means it contains tons of security issues. The Debian Wiki recommends switching to a different browser. Those who have installed the browser previously and rely on automatic updates are left with an unpatched browser without even noticing.
- Debian’s official web browser is Mozilla Firefox (the ESR version). The last update of Firefox ESR in Debian stable has been version 78.15.0. This version also has quite a few unpatched security issues, and the 78.x ESR branch is not maintained by Mozilla anymore. They need to update to the 91.x ESR branch, which apparently causes big problems in the current stable Debian platform.

I know this is going to be somewhat controversial, but I think the solution is to take the task of updating browsers away from the distro and move toward universal packages supported by the developers.

Initially I was resistant to the idea of Firefox as a snap, but I can honestly say it has been a great experience so far. It auto-updates and I’m always on the latest version on the day of release. As for performance, I’ve only noticed maybe a half-second delay when launching (I am running modern hardware though). And as a bonus I get an extra layer of security with it being sandboxed.

**Cringe** Please don’t hate on me if you disagree. Just sharing my experience.

1 Like
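The point above about users who rely on automatic updates sitting on an unpatched browser without noticing is easy to check for. The following is an added example (not code from the thread or from the Debian project) that ports dpkg's version-comparison algorithm to Python, reads `dpkg-query -W` output for the two browser packages, and flags anything that has not moved past the versions named in this post. The floors are assumptions drawn from the post's own claims: Firefox ESR must be on the 91.x branch or newer, and Chromium must be strictly newer than the 90.0.4430.212-1 build; the sample `dpkg-query` output is constructed for the example.

```python
"""Flag Debian browser packages stuck at versions the thread calls unmaintained.

Added example; the version-comparison logic follows Debian Policy 5.6.12 /
dpkg's verrevcmp(), the floors are assumptions taken from the forum post.
"""
import subprocess

_DIGITS = "0123456789"

# Assumed floors: (operator, version). Not an official Debian or Mozilla list.
STALE_RULES = {
    "firefox-esr": (">=", "91"),              # 78.x ESR is unmaintained; 91.x is current
    "chromium": (">", "90.0.4430.212-1"),     # the stale build named in the post
}

# Constructed sample of `dpkg-query -W chromium firefox-esr` output.
SAMPLE_DPKG_OUTPUT = "chromium\t90.0.4430.212-1\nfirefox-esr\t78.15.0esr-1~deb11u1\n"


def _order(c: str) -> int:
    """dpkg character weight: '~' < end-of-string < letters < other symbols."""
    if c in _DIGITS:
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream or revision strings the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: lexical comparison with dpkg's modified ordering.
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: numeric comparison without leading zeros.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in _DIGITS and j < len(b) and b[j] in _DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1          # a has more digits, so it is the larger number
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str):
    """Split [epoch:]upstream[-revision]; a missing revision compares equal to '0'."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like `dpkg --compare-versions`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def parse_dpkg_query(text: str) -> dict:
    """Turn 'package<TAB>version' lines into a dict, skipping not-installed entries."""
    installed = {}
    for line in text.splitlines():
        pkg, _, ver = line.partition("\t")
        if ver.strip():
            installed[pkg.strip()] = ver.strip()
    return installed


def audit(installed: dict) -> list:
    """Return one finding per installed browser package that fails its floor rule."""
    findings = []
    for pkg, (op, floor) in STALE_RULES.items():
        ver = installed.get(pkg)
        if ver is None:
            continue
        c = compare_versions(ver, floor)
        if not (c >= 0 if op == ">=" else c > 0):
            findings.append(f"{pkg} {ver} is stale (need {op} {floor})")
    return findings


if __name__ == "__main__":
    try:
        out = subprocess.run(["dpkg-query", "-W", *STALE_RULES],
                             capture_output=True, text=True).stdout
    except FileNotFoundError:
        out = ""
    if not out.strip():
        print("no dpkg data available; auditing the constructed sample instead")
        out = SAMPLE_DPKG_OUTPUT
    for line in audit(parse_dpkg_query(out)) or ["no stale browser packages found"]:
        print(line)
```

Run it on a Debian host to audit the real packages; anywhere else it falls back to the constructed sample, which flags both browsers. The comparator handles epochs, `~` pre-release suffixes and Debian revisions, so the same `audit()` can be pointed at other packages by extending `STALE_RULES`.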

Debian Packages are old.

In other news: Water is wet.


I mean seriously, is this news to anyone? If you’re using Debian, you know your packages are going to be old because that’s the whole point of using it in the first place.
There’s a reason Debian is not recommended for Desktop usage.

2 Likes

Yes, exactly.

If I have an internal/LAN HTTP(S) site, and it works with a Debian stable version at release, I can fully expect that site to still work without issues with a fully updated system at the end of that release, as the web browser will not change majorly.

If I need an updated version of chromium/firefox, I have options:

  1. Snap
  2. Flatpak
  3. Installing from testing/unstable repositories
  4. Installing manually from upstream binaries
  5. Building it myself
  6. Use a forked browser (brave, librewolf, etc)
  7. Install builds from a third party repository (Ubuntuzilla, etc)

Now I will say that these are really not ideal for normal-ish end users, but from a power user viewpoint, it is fine.

If package update delay is so great that it causes browser security issues, how is that not an issue for servers as well? I imagine servers are a more valuable target than an end user.

I thought the rule of thumb with Debian was to run the “Unstable” branch unless you have a specific issue; that its unstable is the equivalent of stable for any other distro.

Why are you running a browser on a server?

1 Like

And really, the real solution here is to get updated browsers into Debian backports, which makes it fairly easy for end users to get a more up-to-date browser.

You seemed to be generalising beyond just web browsers when saying Debian is bad for desktop usage. Maybe I misinterpreted.

I didn’t say it was bad, I said it was not recommended. Small but important distinction.

Debian is perfectly acceptable as a desktop OS if you know what you’re doing. And if you do, then “outdated” packages are not an issue for you.
But when new users are looking for a distribution to use, you will almost never hear Debian suggested because of the outdated packages.

It is the philosophy of Debian to not upgrade package versions in a given release, and people wanting to use Debian know this.

That said, this is also a self-made issue by the browser vendors.
There was a time when software was using sensible versioning, and that is what Debian is still sticking to. Nowadays… Changed Application Icon? Better use a new major version for it.

So an updated version is in at least one of Debian’s branches?

Branch migration: unstable → testing → stable

The informational page on backports says that it is usually only bringing in packages from testing. So is a proper recent version of Firefox ESR or Chromium available in testing or unstable?

I was under the impression (potentially mistaken) that no one who daily drives Debian uses stable. Which is why when I read about this web browser issue, I assumed that this meant that not even unstable had up-to-date patches.

But they are so behind, it’s detrimental to the user experience & security.

I use Kali and yeah, it’s out of date as far as the release version goes.
But it’s updated 5+ times a month for security and other features.
So while it is a full release behind, it’s not out of date due to rolling updates.