Firefox ESR 91 creating a massive headache for Debian 11 GNU/Linux.

Debian and Mozilla go way back, with endless troubles created by an incompetent upstream for Firefox, which is getting worse by the hour.

Debian tries to produce a stable OS that doesn’t change very much (although you can use backports and Flatpaks to strategically update packages), and this is very important for people who are happy with the way their computer works and don’t want to be on a bug treadmill, like Fedora.

However, you may have noticed that Firefox 78 ESR hasn’t been supported upstream now for over a week and has missed the latest round of security updates from Mozilla, and that Firefox 91.3 ESR is still stuck in the pipes, being packaged only in Experimental and Debian Unstable.

When I went to look at the reasons why, it appears that there are new problems related to Rust, build failures on various supported CPU architectures, and it also demands a newer version of Mesa3d than Debian 11 has, even though the entire OS is barely over a month old (and will be supported for five years).

Mozilla decided to migrate away from GLX and make EGL mandatory, _and_ blacklist the version of Mesa (20.3.5) which ships with Debian 11, demanding at least Mesa 21.

Mesa 21 would otherwise be fine as a Backport package, but now Debian has to choose between two options. One is backporting a critical component of the OS directly into “Stable” updates (the OpenGL/Vulkan stack, the Direct Rendering Interface drivers and libdrm), as well as newer Nvidia proprietary drivers in non-Free for the people who haven’t disembarked that clown car yet in favor of Intel and AMD cards that are truly supported on GNU/Linux. The other is forcing Firefox ESR 91 to use GLX again by overriding a default preference, which kicks the can down the road 1 year and creates the same problem again later, at which time Mozilla may have removed the GLX code anyway.

And reverting to GLX makes it impossible for users to enable Wayland and WebRender Compositing without knowing that they also need to set Firefox back to EGL and bring in a Backported Mesa package when one arrives.

In the meantime, there are 6 CVEs that are unpatched in Firefox 78.15, and one of those CVE numbers contains bugs (the details of which are still hidden by Mozilla) corresponding to four memory safety issues (which are often crashes with potential arbitrary code execution). So really, at least 10 unpatched security issues, and maybe more (because not all patched issues get a CVE even though they may have security implications).

However Debian solves this problem, it will set more bad precedents. Probably the least incorrect way to solve it, assuming it’s even worth anything to keep Mozilla’s lawyers happy and use the official “branding”, which Mozilla is pissing down the drain these days anyway, is to bring in newer Mesa builds, which undermines the “feature freeze” that keeps Debian Stable running so well.

It’s definitely well past time to “IceWeasel” Firefox again and do whatever they need to do to keep it running securely without compromising the rest of the operating system.

5 responses to “Firefox ESR 91 creating a massive headache for Debian 11 GNU/Linux.”

  1. Overview

    – MOZ_X11_EGL was enabled in Firefox 94 for Mesa >=21 (arbitrary requirement). Otherwise GLX is used for WebRender and WebGL.
    – The experimental native Wayland backend (MOZ_ENABLE_WAYLAND) uses EGL and can be manually enabled on Wayland.

    Debian unstable has two packages.
    – firefox 94: This one uses EGL a) on experimental native Wayland or b) on Xwayland&X11 with Mesa >= 21. EGL also means Dmabuf WebGL and swap_buffers_with_damage. There was a Dmabuf fd leak.
    – firefox-esr 91. It’s the first ESR that has WebRender (OpenGL hardware rendering), it’s still using GLX for WebRender and WebGL.
    – both packages were affected by a cubeb bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1735905
    It seems to be related to LLVM incompatibilities. That’s why some users recommend building Mesa (or all packages) with the same LLVM version that Firefox is built with. Firefox constantly needs newer Rust&LLVM versions.
