[19.09] firefox: mark as insecure and remove myself as maintainer #72126
I have nothing against tracking ESR firefox by default, but by god, breaking the It seems to me that transitioning |
How does firefox handle your profile when downgrading to the ESR (69 -> 68)? This is a question regardless of the chosen solution. |
Last time I tried a firefox downgrade (as part of a system downgrade from unstable -> stable), it asked me to create a new profile, which was quite annoying. Maybe downgrading to ESR is better as firefox may support them? I'll test this later. |
Downgrading from firefox 69 to 68 ESR appears to work seamlessly. |
This should be mentioned in the release notes along with instructions on how to install firefox from the unstable channel. |
I think it's also important to mention someone could use the binary version of firefox. It's just the source based version of firefox in NixOS will only be esr on stable release. Don't really want someone to make the assumption, for whatever reason, NixOS will never have the latest firefox unless you use unstable. |
I think the goal of this PR was to try and shock the team into choosing a different option of how to manage firefox on 19.09? |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
Wouldn't it be rather confusing to have |
Kind of, yes. We need to have the stable package discussion and what packages we are willing to maintain there and what updates are "allowed". The practice I proposed in the initial Firefox70 bump had been going on for a few releases without much pain. Now people consider it to be an issue (probably rightful?). IMO this is way broader than just Firefox. I also think that we do not have to be as strict on this as e.g. Debian as we have the proper tooling to do recompilation and thus can care a lot less about ABI stability. Of course it still must remain stable. But probably not stale. If someone has the required energy and time we should eventually have an RFC on the topic of stable releases and version stability that we "guarantee". Regarding the issue here: I'd really like RMs to chip in on those topics regarding their release. We can provide them with all technical details regarding what will probably happen either way but they should be the people in charge of rolling the dice. Given that that happens in a reasonable amount of time and there is no need of rush… Personally I liked having a current stable Firefox on stable NixOS despite being a lot of work. While the ESR releases are available they aren't really what regular users expect in my experience. I have mixed feelings about the binary releases. They are less tailored for our systems but might just run well enough. Running those on my machine effectively means executing some random binary that someone from Mozilla produced without any (ongoing) proof (on our part) that we can reproduce them from the source. Using the source built version is IMO preferable. The The up- & downgrades should work fine within our Firefox releases. We are telling FFX to ignore / disable downgrade protections in our wrapper scripts. |
Isn't having, say, |
We could probably just override the dependencies and fix them up to the right versions before passing them to Firefox. My fear here is that somebody touching the "real" expression might not be aware of the override practice we have for firefox and unintentionally breaks the build there. That might not be as much of an issue for I certainly see specific packages/overrides as a way forward for the NixOS stable releases. On master we should just update the "real" expressions. This leads to a situation where we have to do some extra work during branch-off. Any thoughts? |
The set that needs overriding is quite large, so I'm for dropping the maintenance burden, as people have plenty other options:
Of course, if someone steps up to promise maintaining all the backports (and will keep the quality), I don't think anyone will mind. |
I am working on a version of that now. We / I might just have to do that for 19.09 and with 20.03 we should start with the non-esr removed by default. |
I have merged that approach into For 20.03 we should probably do this differently. |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/firefox-crashes-when-opening-a-file-dialog-in-pantheon/5323/3 |
Motivation for this change
Incorporating feedback from #71714 this will mark Firefox on stable as insecure as it seems the consensus is that updating NSS/sqlite/… for Firefox isn't worth the costs.