By Jake Edge
June 5, 2013
Debian's recent announcement that it would
stop backporting security fixes into Iceweasel—Debian's version of
Firefox—is not much of a surprise at some level. While the famously stable
distribution is loath to change its software versions midstream, keeping an
older version of Firefox up to date with the latest security fixes is a
huge job. In addition, Mozilla has created the Extended Support Release
(ESR) for its products which gives roughly one year of support for selected
releases. One year is, of course, not long by Debian standards, but using
the ESR releases may in fact result in more stability—at least from a
security perspective.
It is not just Iceweasel that is affected by this change; all of the
Debian-ized versions of Mozilla products—Icedove (Thunderbird) and Iceape
(Seamonkey)—will be treated similarly. Actually, Iceape/Seamonkey is not
truly a Mozilla product any more, as it has been a community-maintained
project since 2005, but it shares much of its code with Firefox and
Thunderbird. Seamonkey doesn't follow the same version scheme as Firefox
and Thunderbird, but does seem to follow the Firefox release schedule.
Most other distributions switched to using the ESRs for the Mozilla products
some time
ago, but Debian had continued trying to support whatever version was
incorporated into its stable release.
The current ESR version is Firefox and Thunderbird 17, which was released
in November 2012. It will continue to be supported until December 2013,
when version 26 is released. In the meantime, the next ESR will be version
24, which is slated for September 2013. Mozilla releases are done every
six weeks, and there is a two-cycle overlap where two ESRs are supported to
allow time for the newest to stabilize.
The recently released Debian 7.0 ("wheezy") will carry version 17 of the
Mozilla products. Toward the end of the year, it will move to version 24,
which will force users to either forgo updates or to take a new version of
the browser and mail client. That may come as a surprise to Debian users
since the user interface and other aspects of the browser (e.g. add-ons)
will suddenly change.
In another year, presumably version 31 (or whatever the next ESR is) will
be picked up for wheezy. In the perhaps unlikely scenario of a "jessie"
(8.0) release in that time frame, it would start with version 24 as well.
Web browsers, and to a slightly lesser extent mail clients, are
particularly sensitive bodies of code. Browsers are directly exposed to
the Internet, thus subject to whatever tricks malicious attackers have up
their
sleeves. Mail clients should generally not be directly handling executable
content from the web (e.g. JavaScript, Java applets)—by default,
Thunderbird doesn't—but will render HTML and CSS, which can sometimes lead
to security problems. Sadly, some users may require bouncing cows in their
email as well as their browser, so they may override the default. HTML5
content is also quite JavaScript-dependent in many cases, so rendering
email that contains it may also require rendering "active" content.
In any case, though, the core of the problem remains the same: a large,
complex body of code that evolves quickly doesn't necessarily mesh well
with a distribution intent on version stability. But Debian was the last
major holdout that tried to continue taking fixes from later versions and
backport them into the version in the stable distribution. It seems to
be a question of a lack of developer time to do those (sometimes difficult)
backports.
In fact, the current plan is to stop doing updates entirely for Iceweasel
in the
"oldstable" (Debian 6.0 or "squeeze") release if volunteers cannot be
found. That Iceweasel is based on
Firefox 3.5.16, which was released late in 2010 (before Mozilla started its
six-week major-version-incrementing regimen). Given how far Mozilla has
moved in the interim, there are likely to be many undiscovered security
holes in that release because Mozilla and others have focused their
testing and review on more relevant (to them) versions.
One could argue that there is an inherent flaw in the idea of maintaining
software packages long after the upstream project has moved on. Large
organizations with paid staff (e.g. the enterprise distribution vendors)
may be able to handle the load, but smaller, volunteer-driven projects like
Debian are sometimes going to struggle. Upstream projects with smaller
code bases, slower moving development, and installation in a less hostile
environment—an office suite or photo editing tool, say—may be more amenable
to being maintained that way. Firefox and Thunderbird seem to just be a
bit too far of a reach.
On the other hand, the Debian kernel is maintained throughout the
life of the release. The wheezy kernel is 3.2, which Debian developer Ben
Hutchings is maintaining as a stable kernel. It is not clear what will
happen with the 2.6.32-based kernel in squeeze going forward.
Much of the reason that Debian created the non-branded versions of Firefox
and Thunderbird stemmed from its insistence on backporting security fixes.
Since that is changing, is there really any need for Iceweasel, Icedove,
and Iceape? The Mozilla
trademark guidelines do not allow modified versions of its products to
carry names like Firefox—without written permission from Mozilla. It
is too soon to say, and Debian may have other changes it puts into the
Mozilla code base, but it seems at least possible that Debian may be
distributing Firefox rather than Iceweasel in the not-too-distant future.
Brief items
I wish we had a better system where some, but not all errors would latch
and need acknowledgment, there would be correlation (between hosts and
between messages, so if the router's down, you get a message about data
centre A not being able to successfully complete $process, rather than a
zillion individual messages), there would be merging of identical
messages, so I get a message about $process being broken for the last
$time period (or having a failure rate above $threshold), rather than a
thousand mails because of some error.
Oh, and a pony. Don't forget the pony. Or an otter, I like otters.
--
Tollef Fog Heen
Distribution News
Debian GNU/Linux
The May "Bits from the Debian Project Leader" posting includes a notice
that the debian-multimedia.org domain — once the site of a popular Debian
package repository — has expired and been grabbed by an unknown entity. If
any Debian users have references to that site in their APT configurations,
now would be a good time to take them out. As Lucas Nussbaum says:
"This is a good example of the importance of the use of cryptography
to secure APT repositories (and of the importance of not blindly adding
keys)."
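A check in the spirit of that advice, added here as an example and not taken from the "Bits" posting or from Debian's tooling: a small POSIX shell function that reports deb/deb-src entries whose host is a given domain (or a subdomain of it), run against a constructed sources list that stands in for /etc/apt/sources.list and sources.list.d/*.list. The regular expression and the sample entries are assumptions of this example.

```shell
#!/bin/sh
# Added example: find APT source entries still pointing at a lapsed domain.
# Usage: find_stale_apt_sources DOMAIN FILE...  (e.g. debian-multimedia.org
# /etc/apt/sources.list /etc/apt/sources.list.d/*.list). Commented-out
# lines are ignored, and hosts that merely start with the domain
# (debian-multimedia.org.example.net) are not reported.
find_stale_apt_sources() {
    domain="$1"; shift
    # Escape dots so the domain is matched literally inside the ERE.
    dom_re=$(printf '%s' "$domain" | sed 's/\./\\./g')
    # deb or deb-src, optional [options] block, scheme://host, then the
    # host must end exactly at a "/", a ":" (port) or whitespace.
    grep -hE "^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*][[:space:]]+)?[a-z]+://([A-Za-z0-9.-]+\.)?${dom_re}(/|:|[[:space:]])" "$@" 2>/dev/null
}

# Number of offending entries, handy as a monitoring check.
count_stale_apt_sources() {
    find_stale_apt_sources "$@" | wc -l | tr -d ' '
}

# Constructed sample standing in for the real files under /etc/apt.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
deb http://ftp.debian.org/debian wheezy main contrib non-free
deb http://security.debian.org/ wheezy/updates main
# deb http://www.debian-multimedia.org/ squeeze main non-free
deb http://www.debian-multimedia.org/ wheezy main non-free
deb-src [arch=amd64] http://www.debian-multimedia.org/ wheezy main
deb http://debian-multimedia.org.example.net/ wheezy main
EOF

# Prints the two live entries for the lapsed domain, not the commented one.
find_stale_apt_sources debian-multimedia.org "$SAMPLE"
```

On a real system, point it at /etc/apt/sources.list and /etc/apt/sources.list.d/*.list, and review `apt-key list` for the repository's signing key as well, since a key that was once added for that repository is the part Nussbaum's remark about blindly added keys is about.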
Fedora
For those of you wanting to play with Fedora 19 in a different setting,
there is now an installer for the Nexus 4 handset available. "So if you
have an n4 and a bit of free space, you can play around with accelerated
open-source gpu goodness." Good backups are recommended.
Red Hat Enterprise Linux
Red Hat has retired Red Hat Enterprise Linux 6.1 Extended Update Support.
"In accordance with the Red Hat Enterprise Linux Errata Support
Policy, Extended Update Support for Red Hat Enterprise Linux 6.1 was
retired on May 31, 2013, and support is no longer provided. Accordingly,
Red Hat will no longer provide updated packages, including critical impact
security patches or urgent priority bug fixes, for Red Hat Enterprise Linux
6.1 EUS. In addition, technical support through Red Hat's Global Support
Services is no longer provided."
Other distributions
Allan McRae cautions that the /usr/bin merge will require manual
intervention for Arch Linux users. "The update merges all binaries into a
unified /usr/bin directory. This step removes a distinction that has been
meaningless for Arch systems and simplifies package maintenance for the
development team. See this post for more explanation of the reasoning
behind this change."
Newsletters and articles of interest
On his blog, Andy Grover has some thoughts on how to make Fedora more relevant for servers. Because of the 13-month supported lifespan of a Fedora release, administrators are typically wary of using it, but new deployment schemes make it more viable. "Let's come back to the odd fact that Fedora is both a precursor to RHEL, and yet almost never used in production as a server OS. I think this is going to change. In a world where instances are deployed constantly, instances are born and die but the herd lives on. Once everyone has their infrastructure encoded into a configuration management system, Fedora's short release cycle becomes much less of a burden. If I have service foo deployed on a Fedora X instance, I will never be upgrading that instance. Instead I'll be provisioning a new Fedora X+1 instance to run the foo service, start it, and throw the old instance in the proverbial bitbucket once the new one works."
LinuxGizmos looks at the 3.0 release of Enea Linux, an embedded Linux distribution compatible with Yocto Project 1.4 code. "Enea Linux 3.0 arrives with Yocto Project certification but not yet with the CGL certification Enea last year suggested would come in 2013. Version 3.0 moves up to Yocto Project v1.4 (“Dylan”), offering improvements including support for Linux kernel 3.8, decreased build-times, and Enea’s automated test framework, called Ptest. The latter integrates test suites from all open source projects whose applications are used in Yocto Project, enabling it to vastly increase the amount of tests that are performed on Yocto Project Linux packages, says Enea."
LinuxInsider covers Mozillux, a live DVD/USB Lubuntu-based distribution that hails from France. "As its name suggests, Mozillux promotes Mozilla software and is designed as a complete software suite. Many computer users are familiar with various Mozilla cross-platform applications such as browsers and email clients -- Firefox and Thunderbird, in particular. In similar fashion, the Mozillux OS is an ideal Linux distro for both beginners and intermediate users."
Page editor: Rebecca Sobol