Distro does security fix

From MozillaZine Knowledge Base

Your Linux (OpenBSD, whatever) distributor adds a security patch to Firefox but does not bump the version number. The Firefox extensions page and similar sites now refuse to let you in, insisting that you update Firefox because your current version is "insecure".

Is your Firefox insecure?

In general, no.

When your Linux vendor or distribution releases a security update, the idea is to make the updated package as secure as possible without changing its behaviour any more than necessary.

Why didn't my vendor/distributor just update Firefox to the latest?

One important reason for using a vendor is stability. You may not want to be constantly changing what you do in order to track the latest, greatest, shiniest features in each piece of software you use.

If the vendor arbitrarily upgrades the software you're using, they may break one or more of your internal processes or procedures each time they do this. Since the vendor has absolutely no way of knowing what you are doing with your system, they cannot predict which changes are safe, and which are not. The only rational approach so far devised to this problem is to make the smallest possible functional change to the software when they update it.

In the case of security flaws, the vendor will apply just the patches required to fix the problem, and no more.

Another consideration is that a newer version of Firefox may require a newer version of a support library (say, libjpeg), and that newer support library may in turn require newer versions of other libraries, or break some other package which is dependent upon it. Arbitrarily updating may cause a massive cascade of updates hundreds of megabytes wide, which is difficult to manage and a bit of a roadblock to users on slow or byte-limited internet connections.
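One way to check a backport for yourself, as an added example that is not from this page: read the changelog your distributor ships with the package instead of trusting the version the browser (or a site's user-agent check) reports. The changelog text below is constructed, the fix id is a placeholder, and the distro commands in the comments are assumptions to adapt to your system.

```shell
#!/bin/sh
# Added example, not from the MozillaZine page. Decides whether an installed
# Firefox package already carries a security fix, even though its version
# string was not bumped. Real commands that print such changelogs (assumed):
#   rpm -q --changelog firefox       # RPM-based systems
#   apt-get changelog firefox        # Debian/Ubuntu
# SAMPLE_CHANGELOG is constructed; SECFIX-PLACEHOLDER stands in for a real
# bug or advisory identifier named in the distributor's changelog entry.

SAMPLE_CHANGELOG='firefox (1.0.4-2) stable; urgency=high

  * Backport upstream fix for SECFIX-PLACEHOLDER (security).
    Version string deliberately unchanged.

firefox (1.0.4-1) stable; urgency=low

  * New upstream release.'

# Exit 0 if the fix identifier is mentioned anywhere in the changelog text.
has_fix() {
    printf '%s\n' "$1" | grep -q -i -- "$2"
}

# Version as the browser would report it: taken from the newest changelog entry.
reported_version() {
    printf '%s\n' "$1" | sed -n 's/^firefox (\([^)]*\)).*/\1/p' | head -n 1
}

# Exit 0 if dotted version $1 >= $2, comparing numeric components.
version_ge() {
    a=$1.; b=$2.
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}; y=${b%%.*}; b=${b#*.}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# classify CHANGELOG FIX_ID FIXED_UPSTREAM_VERSION prints one of:
#   current    - package version already reaches the fixed upstream release
#   backported - older version string, but the changelog records the fix
#   unpatched  - neither is true; this is the case that really needs an update
classify() {
    ver=$(reported_version "$1")
    if version_ge "${ver%%-*}" "$3"; then echo current
    elif has_fix "$1" "$2"; then echo backported
    else echo unpatched; fi
}

classify "$SAMPLE_CHANGELOG" SECFIX-PLACEHOLDER 1.0.5   # prints: backported
```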

What can I do about it?

Much as I'm sure the idea will offend someone, there ought to be a way of bypassing the forced upgrade. If anyone knows of it, please post it here.

It is possible to use the user agent switcher extension to change your user agent string and get through the security check on the extensions page. (Obviously, you should only do this if you are sure that your version is really secure)
66.36.134.152 09:36, 29 August 2005 (PDT)

Perhaps a future version of Firefox might add a "security version" number to the UserAgent string, so that sites could detect whether a build is secure independently of version-specific behaviour.

You can use a different web browser (like Konqueror or the Mozilla Suite) to manually fetch the components you're interested in, then start Firefox and install them from your local disk.

You can abandon your vendor's packaging system and install a new version of Firefox directly, either by installing a Mozilla tarball over the top of the files on your system or by rebuilding a source package from the vendor's development repository (Cooker, Unstable or the like) to suit your system. This is not recommended because when another security flaw comes along, your Firefox package will not be automatically updated.

You can install a new version of Firefox directly by unpacking a Mozilla tarball at a different disk location than where your distributor installed it (for instance under /usr/local/ which will place the new executable at /usr/local/firefox/firefox, or else at some place under your home directory), then link the new executable from somewhere early in the $PATH (for instance from /usr/local/bin/firefox or from ~/bin/firefox). Then start the new version, go to Edit → Preferences → Advanced → Updates where you can enable auto-updates from the Mozilla site. (You may have to also reset up to four preferences with names starting app.update.url to their defaults in about:config.) — Note: It is not recommended to shuttle back and forth between two different applications which share a common profile (e.g. between Mozilla's version of Firefox and your distro's version of «Firefox», «IceWeasel» or whatever), unless you invoke them with different profiles by means of the -P command-line switch. — Tony 05:21, 21 October 2009 (UTC)