Package: firefox-esr
X-Debbugs-Cc: [email protected]
Version: 128.6.0esr-4
Severity: normal
Dear Maintainer,
Firefox is showing a warning with the text "some of Firefox's security
features may offer less protection on your current operating system",
with the link below[1] recommending downloading from the Mozilla
repository, claiming that this way I would have more protection? Firefox
is distributed as RPM, distributed as DEB, and even Arch distributes it
in its official repositories, like Debian. This information may
encourage users with less knowledge to follow what is mentioned in the
link below. I believe that this message is also not true regarding the
security issue, and I trust the work of those who have maintained it for
so many years. See screenshot.
This message is not relevant, but you can create a patch to remove it,
precisely to prevent more lay users from avoiding the Firefox ESR (for
example) offered by Debian. This is with the idea that such security
problems would be fixed.
[1] https://support.mozilla.org/en-US/kb/install-firefox-linux
-- Package-specific info:
-- Addons package information
-- System Information:
Debian Release: trixie/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (50, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.11-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8),
LANGUAGE=pt_BR:pt:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages firefox-esr depends on:
ii debianutils 5.21
ii fontconfig 2.15.0-2
ii libasound2t64 1.2.13-1+b1
ii libatk1.0-0t64 2.55.0.1-1
ii libc6 2.40-6
ii libcairo-gobject2 1.18.2-2
ii libcairo2 1.18.2-2
ii libdbus-1-3 1.16.0-1
ii libevent-2.1-7t64 2.1.12-stable-10+b1
ii libffi8 3.4.6-1
ii libfontconfig1 2.15.0-2
ii libfreetype6 2.13.3+dfsg-1
ii libgcc-s1 14.2.0-12
ii libgdk-pixbuf-2.0-0 2.42.12+dfsg-2
ii libglib2.0-0t64 2.82.4-2
ii libgtk-3-0t64 3.24.43-5
ii libnspr4 2:4.36-1
ii libnss3 2:3.107-1
ii libpango-1.0-0 1.56.1-1
ii libstdc++6 14.2.0-12
ii libvpx9 1.15.0-1
ii libx11-6 2:1.8.10-2
ii libx11-xcb1 2:1.8.10-2
ii libxcb-shm0 1.17.0-2+b1
ii libxcb1 1.17.0-2+b1
ii libxcomposite1 1:0.4.6-1
ii libxdamage1 1:1.1.6-1+b2
ii libxext6 2:1.3.4-1+b3
ii libxfixes3 1:6.0.0-2+b4
ii libxrandr2 2:1.5.4-1+b3
ii procps 2:4.0.4-7
ii zlib1g 1:1.3.dfsg+really1.3.1-1+b1
Versions of packages firefox-esr recommends:
ii libavcodec61 7:7.1-3+b2
Versions of packages firefox-esr suggests:
pn fonts-lmodern <none>
pn fonts-stix | otf-stix <none>
ii libcanberra0 0.30-17+b1
ii libgssapi-krb5-2 1.21.3-4
ii pulseaudio 17.0+dfsg1-1
-- no debconf information
Acknowledgement sent to Mike Hommey <[email protected]>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <[email protected]>.
(Sat, 01 Feb 2025 21:27:02 GMT)
Subject: Re: Bug#1094957: firefox-esr: Message encourages user to download browser from Mozilla repository
Date: Sun, 2 Feb 2025 06:24:34 +0900
On Sat, Feb 01, 2025 at 05:39:43PM -0300, Leandro Cunha wrote:
> Package: firefox-esr
> X-Debbugs-Cc: [email protected]
> Version: 128.6.0esr-4
> Severity: normal
>
> Dear Maintainer,
>
> Firefox is showing a warning with the text "some of Firefox's security
> features may offer less protection on your current operating system",
> with the link below[1] recommending downloading from the Mozilla
> repository, claiming that this way I would have more protection? Firefox
> is distributed as RPM, distributed as DEB, and even Arch distributes it
> in its official repositories, like Debian. This information may
> encourage users with less knowledge to follow what is mentioned in the
> link below. I believe that this message is also not true regarding the
> security issue, and I trust the work of those who have maintained it for
> so many years. See screenshot.
>
> This message is not relevant, but you can create a patch to remove it,
> precisely to prevent more lay users from avoiding the Firefox ESR (for
> example) offered by Debian. This is with the idea that such security
> problems would be fixed.
The message *is* relevant, and the link, while misleading, is kind of
right, but it doesn't bring you to the relevant part of the page, which
is at the end, under "Security features warning".
The link should probably be changed to
https://support.mozilla.org/en-US/kb/install-firefox-linux#w_security-features-warning
But I'd argue it should have its own separate support page.
Mike
Acknowledgement sent to Leandro Cunha <[email protected]>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <[email protected]>.
(Sat, 01 Feb 2025 21:39:02 GMT)
Subject: Re: Bug#1094957: firefox-esr: Message encourages user to download browser from Mozilla repository
Date: Sat, 1 Feb 2025 18:38:04 -0300
On Sat, Feb 1, 2025 at 6:24 PM Mike Hommey <[email protected]> wrote:
>
> On Sat, Feb 01, 2025 at 05:39:43PM -0300, Leandro Cunha wrote:
> > Package: firefox-esr
> > X-Debbugs-Cc: [email protected]
> > Version: 128.6.0esr-4
> > Severity: normal
> >
> > Dear Maintainer,
> >
> > Firefox is showing a warning with the text "some of Firefox's security
> > features may offer less protection on your current operating system",
> > with the link below[1] recommending downloading from the Mozilla
> > repository, claiming that this way I would have more protection? Firefox
> > is distributed as RPM, distributed as DEB, and even Arch distributes it
> > in its official repositories, like Debian. This information may
> > encourage users with less knowledge to follow what is mentioned in the
> > link below. I believe that this message is also not true regarding the
> > security issue, and I trust the work of those who have maintained it for
> > so many years. See screenshot.
> >
> > This message is not relevant, but you can create a patch to remove it,
> > precisely to prevent more lay users from avoiding the Firefox ESR (for
> > example) offered by Debian. This is with the idea that such security
> > problems would be fixed.
>
> The message *is* relevant, and the link, while misleading, is kind of
> right, but it doesn't bring you to the relevant part of the page, which
> is at the end, under "Security features warning".
>
> The link should probably be changed to
>
> https://support.mozilla.org/en-US/kb/install-firefox-linux#w_security-features-warning
>
> But I'd argue it should have its own separate support page.
>
> Mike
"The sandbox in Firefox makes use of unprivileged user namespaces when
creating new processes for enforcing more security. This can be
considered a security risk, therefore some Linux distributions have
started to restrict its usage and only allow it to work where there is
an AppArmor profile."
Interesting, but the question would be whether I need to configure
Firefox ESR for this as a security enhancement. I agree that it is
directed to a page that covers the topic very broadly, and it would be
interesting if it were separate.
I would be unaware of this issue if it weren't for this message; if it
addresses what you mentioned, it would be a useful message indeed.
--
Cheers,
Leandro Cunha
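As an added check that is not part of the bug thread, the following shell script classifies a host's unprivileged-user-namespace policy (the mechanism the quoted support article describes as the reason for the warning) and says whether the warning is to be expected on that host. The sysctl paths are the real upstream, Debian and Ubuntu ones; the AppArmor profile lookup and the "warning-expected" verdict are this example's own heuristics, not Firefox's logic.

```sh
#!/bin/sh
# Added example (not from the bug thread): classify whether this host restricts
# unprivileged user namespaces, the mechanism behind Firefox's "security features"
# warning. Knob paths are real (upstream, Debian and Ubuntu kernels); the
# classification and the "warning-expected" heuristic are this script's own.
# ROOT is the filesystem root: "/" on a live host, a constructed tree in tests.

read_knob() {  # read_knob ROOT RELPATH DEFAULT: first line of the file, or DEFAULT
    if [ -r "$1/$2" ]; then
        read -r v < "$1/$2" || v=$3
    else
        v=$3
    fi
    printf '%s\n' "$v"
}

userns_policy() {  # prints: disabled | apparmor-gated | allowed
    # upstream limit: 0 means no user namespaces for anyone
    max=$(read_knob "$1" proc/sys/user/max_user_namespaces unknown)
    # Debian kernel patch: 0 means unprivileged processes cannot create one
    clone=$(read_knob "$1" proc/sys/kernel/unprivileged_userns_clone unknown)
    # Ubuntu kernels: 1 means only AppArmor profiles granting 'userns' may create one
    gate=$(read_knob "$1" proc/sys/kernel/apparmor_restrict_unprivileged_userns unknown)
    if [ "$max" = 0 ] || [ "$clone" = 0 ]; then echo disabled
    elif [ "$gate" = 1 ]; then echo apparmor-gated
    else echo allowed
    fi
}

firefox_profile_loaded() {  # succeeds if a loaded AppArmor profile name mentions firefox
    grep -qi firefox "$1/sys/kernel/security/apparmor/profiles" 2>/dev/null
}

sandbox_verdict() {  # prints: ok | warning-expected
    case $(userns_policy "$1") in
        allowed) echo ok ;;
        apparmor-gated) if firefox_profile_loaded "$1"; then echo ok; else echo warning-expected; fi ;;
        *) echo warning-expected ;;
    esac
}

report() {  # live report; also probes directly, since a knob may be missing on some kernels
    echo "policy:  $(userns_policy "$1")"
    echo "verdict: $(sandbox_verdict "$1")"
    if command -v unshare >/dev/null 2>&1; then
        if unshare -U true 2>/dev/null; then echo "probe:   unshare -U succeeded"
        else echo "probe:   unshare -U denied"; fi
    fi
}

case ${1:-} in --report) report / ;; esac
```

Run it as `sh userns_check.sh --report` on the affected machine; a "disabled" policy or an "apparmor-gated" policy without a loaded Firefox profile is the situation in which the sandbox cannot use user namespaces.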