Debian's recent announcement that it would
stop backporting security fixes into Iceweasel—Debian's version of
Firefox—is not much of a surprise at some level. While the famously stable
distribution is loath to change its software versions midstream, keeping an
older version of Firefox up to date with the latest security fixes is a
huge job. In addition, Mozilla has created the Extended Support Release
(ESR) for its products which gives roughly one year of support for selected
releases. One year is, of course, not long by Debian standards, but using
the ESR releases may in fact result in more stability—at least from a
It is not just Iceweasel that is affected by this change; all of the
Debian-ized versions of Mozilla products—Icedove (Thunderbird) and Iceape
(Seamonkey)—will be treated similarly. Actually, Iceape/Seamonkey is not
truly a Mozilla product any more, as it has been a community-maintained
project since 2005, but it shares much of its code with Firefox and
Thunderbird. Seamonkey doesn't follow the same version scheme as Firefox
and Thunderbird, but does seem to follow the Firefox release schedule.
Most other distributions had already switched to using the ESRs for the
Mozilla products, but Debian had continued trying to support whatever
version was incorporated into its stable release.
The current ESR version is Firefox and Thunderbird 17, which was released
in November 2012. It will continue to be supported until December 2013,
when version 26 is released. In the meantime, the next ESR will be version
24, which is slated for September 2013. Mozilla releases are done every
six weeks, and there is a two-cycle overlap where two ESRs are supported to
allow time for the newest to stabilize.
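The cadence described above (a release every six weeks, an ESR every seventh major version, and a two-cycle overlap before the older ESR loses support) is simple enough to model, which is useful for anyone tracking whether the browser shipped in a stable release is still getting fixes. The following is an added example, not code from the article or from Debian or Mozilla; it anchors on the article's "ESR 17 in November 2012" and the day of the month is a constructed assumption, as is the premise that every cycle is exactly six weeks.

```python
from datetime import date, timedelta

# Constants taken from the article's description of Mozilla's schedule.
CYCLE = timedelta(weeks=6)   # one Mozilla release cycle
ESR_STRIDE = 7               # ESRs are 17, 24, 31, ...: every seventh major version
OVERLAP_CYCLES = 2           # an old ESR is supported two cycles past the next ESR's release

# Anchor point: the article says ESR 17 shipped in November 2012.
# The exact day is a constructed assumption for the arithmetic below.
ESR17_RELEASE = date(2012, 11, 20)
FIRST_ESR = 17


def is_esr(version: int) -> bool:
    """True if this major version is an ESR under the seven-release stride."""
    return version >= FIRST_ESR and (version - FIRST_ESR) % ESR_STRIDE == 0


def next_esr(esr: int) -> int:
    """The ESR that follows the given one (17 -> 24 -> 31)."""
    if not is_esr(esr):
        raise ValueError(f"{esr} is not an ESR version")
    return esr + ESR_STRIDE


def release_date(version: int) -> date:
    """Projected release date of a major version, assuming a fixed six-week cycle."""
    if version < FIRST_ESR:
        raise ValueError("schedule is only modelled from version 17 onward")
    return ESR17_RELEASE + (version - FIRST_ESR) * CYCLE


def end_of_support(esr: int) -> date:
    """Support for an ESR ends when the version two cycles after the next ESR ships.

    For ESR 17 that is the release of version 26 (24 + 2), which the article
    places in December 2013.
    """
    return release_date(next_esr(esr) + OVERLAP_CYCLES)


def support_status(esr: int, today: date) -> tuple[str, int]:
    """Classify an installed ESR as supported or not, with days remaining.

    A negative day count means support ended that many days before `today`.
    """
    days_left = (end_of_support(esr) - today).days
    status = "supported" if days_left > 0 else "unsupported"
    return status, days_left


if __name__ == "__main__":
    # Constructed scenario: a wheezy box running the Mozilla 17 ESR packages,
    # checked in mid-2013 and again after the 24 ESR has taken over.
    for check_day in (date(2013, 6, 1), date(2014, 1, 1)):
        status, days = support_status(17, check_day)
        print(f"ESR 17 on {check_day}: {status} ({days} days to/past end of support)")
    print("next ESR after 17:", next_esr(17), "expected", release_date(next_esr(17)))
```

Because the cycle length is fixed in this model, the projected dates drift a little from Mozilla's actual calendar, but the ordering of events (ESR 24 in September 2013, ESR 17 support ending when 26 ships in December 2013) matches what the article lays out, and the same function answers the question for any later ESR on the same stride.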
The recently released Debian 7.0 ("wheezy") will carry version 17 of the
Mozilla products. Toward the end of the year, it will move to version 24,
which will force users to either forgo updates or to take a new version of
the browser and mail client. That may come as a surprise to Debian users
since the user interface and other aspects of the browser (e.g. add-ons)
will suddenly change.
In another year, presumably version 31 (or whatever the next ESR is) will
be picked up for wheezy. In the perhaps unlikely scenario of a "jessie"
(8.0) release in that time frame, it would start with version 24 as well.
Web browsers, and to a slightly lesser extent mail clients, are
particularly sensitive bodies of code. Browsers are directly exposed to
the Internet, thus subject to whatever tricks malicious attackers have up
their sleeves. Mail clients should generally not be directly handling executable
Thunderbird doesn't—but will render HTML and CSS, which can sometimes lead
to security problems. Sadly, some users may require bouncing cows in their
email as well as their browser, so they may override the default. HTML5
email that contains it may also require rendering "active" content.
In any case, though, the core of the problem remains the same: a large,
complex body of code that evolves quickly doesn't necessarily mesh well
with a distribution intent on version stability. But Debian was the last
major holdout that tried to continue taking fixes from later versions and
backport them into the version in the stable distribution. It seems to
be a question of a lack of developer time to do those (sometimes difficult)
In fact, the current plan is to stop doing updates entirely for Iceweasel in
the "oldstable" (Debian 6.0 or "squeeze") release if volunteers cannot be
found. That Iceweasel is based on
Firefox 3.5.16, which was released late in 2010 (before Mozilla started its
six-week major-version-incrementing regimen). Given how far Mozilla has
moved in the interim, there are likely to be many undiscovered security
holes in that release because Mozilla and others have focused their
testing and review on more relevant (to them) versions.
One could argue that there is an inherent flaw in the idea of maintaining
software packages long after the upstream project has moved on. Large
organizations with paid staff (e.g. the enterprise distribution vendors)
may be able to handle the load, but smaller, volunteer-driven projects like
Debian are sometimes going to struggle. Upstream projects with smaller
code bases, slower moving development, and installation in a less hostile
environment—an office suite or photo editing tool, say—may be more amenable
to being maintained that way. Firefox and Thunderbird seem to just be a
bit too far of a reach.
On the other hand, the Debian kernel is maintained throughout the
life of the release. The wheezy kernel is 3.2, which Debian developer Ben
Hutchings is maintaining as a stable kernel. It is not clear what will
happen with the 2.6.32-based kernel in squeeze going forward.
Much of the reason that Debian created the non-branded versions of Firefox
and Thunderbird stemmed from its insistence on backporting security fixes.
Since that is changing, is there really any need for Iceweasel, Icedove,
and Iceape? The Mozilla
trademark guidelines do not allow modified versions of its products to
carry names like Firefox—without written permission from Mozilla. It
is too soon to say, and Debian may have other changes it puts into the
Mozilla code base, but it seems at least possible that Debian may be
distributing Firefox rather than Iceweasel in the not-too-distant future.