Firefox ESR 91 creating a massive headache for Debian 11 GNU/Linux.

Debian and Mozilla go way back, with endless troubles created by an incompetent upstream for Firefox, which is getting worse by the hour.

Debian tries to produce a stable OS that doesn’t change very much (although you can use backports and Flatpaks to strategically update packages), and this is very important for people who are happy with the way their computer works and don’t want to be on a bug treadmill, like Fedora.

However, you may have noticed that Firefox 78 ESR hasn’t been supported upstream now for over a week and has missed the latest round of security updates from Mozilla, and that Firefox 91.3 ESR is still stuck in the pipes, being packaged only in Experimental and Debian Unstable.

When I went to look at the reasons why, it appears that there are new problems related to Rust, build failures on various supported CPU architectures, and it also demands a newer version of Mesa3d than Debian 11 has, even though the entire OS is barely over a month old (and will be supported for five years).

Mozilla decided to migrate away from GLX and make EGL mandatory, _and_ blacklist the version of Mesa (20.3.5) which ships with Debian 11, demanding at least Mesa 21.

Mesa 21 would otherwise be fine as a Backport package, but now Debian has to choose between backporting a critical component of the OS directly into “Stable” updates (the OpenGL/Vulkan stack and Direct Rendering Interface drivers and libdrm), as well as newer Nvidia proprietary drivers in non-Free for the people who haven’t disembarked that clown car yet in favor of Intel and AMD cards that are truly supported on GNU/Linux, or forcing Firefox ESR 91 to use GLX again by overriding a default preference, which kicks the can down the road 1 year and creates the same problem again later, at which time Mozilla may have removed the GLX code anyway.

And reverting to GLX makes it impossible for users to enable Wayland and WebRender Compositing without knowing that they also need to set Firefox back to EGL and bring in a Backported Mesa package when one arrives.

In the mean time, there are 6 CVEs that are unpatched in Firefox 78.15, and one of those CVE numbers contains bugs (the details of which are still hidden by Mozilla) corresponding to four memory safety issues (which are often crash with potential arbitrary code execution). So really, at least 10 unpatched security issues, and maybe more (because not all patched issues get a CVE even though they may have security implications).

However Debian solves this problem will set more bad precedents and probably the least incorrect way to solve for it, assuming it’s even worth anything to keep Mozilla’s lawyers happy and use the official “branding”, which Mozilla is pissing down the drain these days anyway, is to bring in newer Mesa builds, which undermines the “feature freeze” that keeps Debian Stable running so well.

It’s definitely well past time to “IceWeasel” Firefox again and do whatever they need to do to keep it running securely without compromising the rest of the operating system.