Odd comment in Iceweasel security patch release note

Odd comment in Iceweasel security patch release note

Postby Leos1 » June 12th, 2012, 5:20 pm

I have some questions about a comment in the recent Iceweasel security patch for Debian stable (Squeeze) users at http://lists.debian.org/debian-security ... 00130.html:
Note: We'd like to advise users of Iceweasel's 3.5 branch in Debian
stable to consider upgrading to the Iceweasel 10.0 ESR (Extended
Support Release) which is now available in Debian Backports.
Although Debian will continue to support Iceweasel 3.5 in stable with
security updates, this can only be done on a best effort basis as
upstream provides no such support anymore. On top of that, the 10.0
branch adds proactive security features to the browser.

Questions:
  • Has anyone tried following this advice? How is it working for you?
  • What are the pros and cons in terms of user security?
  • What "proactive security features"? Could they break NoScript? How about tor/torbutton/polipo?
  • Is Debian Backports even an official part of Debian.org?
  • Is it covered by the Debian Security Team?
  • Would adding Debian Backports to software sources require one to update many items not in the Stable branch?
  • What is the safest way to add Backports using synaptic?
  • If I try this but don't like what happens, can I return to previous state?
Leos1
 
Posts: 47
Joined: June 12th, 2012, 4:44 pm

Re: Odd comment in Iceweasel security patch release note

Postby vbrummond » June 12th, 2012, 7:19 pm

Leos1 wrote: I have some questions about a comment in the recent Iceweasel security patch for Debian stable (Squeeze) users at http://lists.debian.org/debian-security ... 00130.html

Sounds good. I am just a simple user but I will try to answer. Welcome to the forum.
Has anyone tried following this advice? How is it working for you?

I have upgraded all of my machines to the Iceweasel in backports. It is required to view most modern sites with newer javascript/html5. I have noticed no issues.

What are the pros and cons in terms of user security?

I would say that ESR is more secure due to being more modern, designed for long term support, and supported by both Debian and Mozilla.

What "proactive security features"? Could they break NoScript? How about tor/torbutton/polipo?

ESR is an official Mozilla release. Addons will probably work. :P

Is Debian Backports even an official part of Debian.org?

Yes.
http://backports-master.debian.org/
http://mozilla.debian.net/

Is it covered by the Debian Security Team?

Seems like it, as they list security advisories right on the main page.

Would adding Debian Backports to software sources require one to update many items not in the Stable branch?

The packages are designed to work on stable. They are completely opt-in and do not install automatically.

What is the safest way to add Backports using synaptic?

Most if not all of these are answered on the Debian Backports site. It is probably best to do research first.
http://backports-master.debian.org/Instructions/

If I try this but don't like what happens, can I return to previous state?

Yes, just install the squeeze version of the package.
vbrummond
 
Posts: 151
Joined: February 11th, 2011, 8:43 pm

Re: Odd comment in Iceweasel security patch release note

Postby Leos1 » June 13th, 2012, 4:29 am

Excellent answers, thank you.

They tried to confuse me with "pinned to 100" but I understood :shock:
Leos1
 
Posts: 47
Joined: June 12th, 2012, 4:44 pm
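To make concrete what vbrummond means by "completely opt-in" and "just install the squeeze version", and what the "pinned to 100" note in the backports instructions implies, here is an added example (not code from the thread or from Debian) that models apt's candidate-selection rules for a stable package versus a squeeze-backports package. The version strings are constructed, and version_key is a simplification of dpkg's real comparison (dotted integers only).

```python
# Added example, not from the thread: a toy model of apt's candidate
# selection (apt_preferences rules) to show why squeeze-backports at
# pin priority 100 is opt-in, why an installed backport then follows
# backports updates, and why reverting needs an explicit pin/version.
# Version strings are constructed; version_key is a simplification of
# dpkg's algorithm (dotted integers only, no epochs or tildes).
from dataclasses import dataclass

def version_key(v):
    """Simplified Debian version order: compare dotted integer fields."""
    return tuple(int(x) for x in v.replace("-", ".").split("."))

@dataclass
class Candidate:
    version: str
    priority: int   # 500 for stable, 100 for squeeze-backports
    origin: str

def select_candidate(available, installed=None):
    """apt rules in order: never downgrade unless priority > 1000,
    then highest priority, then newest version among equal priorities."""
    eligible = [c for c in available
                if installed is None or c.priority > 1000
                or version_key(c.version) >= version_key(installed)]
    if not eligible:
        return None
    return max(eligible, key=lambda c: (c.priority, version_key(c.version)))

# Constructed versions: 3.5.x in squeeze, 10.0.x ESR in squeeze-backports.
STABLE = Candidate("3.5.16-1", 500, "squeeze")
BACKPORTS_OLD = Candidate("10.0.4-1", 100, "squeeze-backports")
BACKPORTS_NEW = Candidate("10.0.5-1", 100, "squeeze-backports")

def fresh_install():
    # Nothing installed: stable wins on priority; backports is never pulled
    # in unless asked for (e.g. apt-get -t squeeze-backports install iceweasel).
    return select_candidate([STABLE, BACKPORTS_OLD]).origin

def after_backports_install():
    # 10.0.4 installed from backports: 3.5.16 is a downgrade at priority < 1000,
    # so it is excluded, and the newer backports build is the candidate.
    return select_candidate([STABLE, BACKPORTS_NEW], installed="10.0.4-1").version

def revert_to_stable_by_pin():
    # Pinning squeeze above 1000 allows the downgrade; installing the squeeze
    # version explicitly (iceweasel=3.5.16-1) has the same effect.
    pinned = Candidate(STABLE.version, 1001, STABLE.origin)
    return select_candidate([pinned, BACKPORTS_NEW], installed="10.0.4-1").origin
```

The three scenarios correspond to adding backports to sources.list (nothing changes), installing Iceweasel from backports (it then tracks backports security updates), and going back to the squeeze package.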

Backport to Iceweasel 10 ESR: good advice or bad?

Postby Leos1 » June 14th, 2012, 8:48 pm

Followed advice to do more research. The Wikipedia and Mozilla pages I found did not help me make an informed decision, but I did find an Ubuntu blogger arguing that using Iceweasel 10 ESR would decrease security:
http://www.chriscoulson.me.uk/blog/?p=111
There is a common misconception that when a piece of software receives only reactive security fixes, it is the safest option for users and that the risk of breakage is minimal with this approach. In reality, this isn’t exactly true.
...

Doesn't this argument challenge the very premise of Debian's testing-unstable-stable cycle?
And why would Mozilla frown upon Linux distributions making an ESR release their standard package?
Leos1
 
Posts: 47
Joined: June 12th, 2012, 4:44 pm

Re: Odd comment in Iceweasel security patch release note

Postby huggybear » June 14th, 2012, 9:30 pm

It isn't completely true, no. For instance, there might be security features that just can't be backported to an old version. There might also be old vulnerabilities that have never been discovered simply because not as many people are using the old version.
But all in all, I think hackers and script kiddies will rather focus on backdoors of more recent software (they'll get more victims).
Security wise, your bank just may say: "Sorry, this software won't work on your old browser."

etc.
<< I guess that makes them "DEBITARDS" ..... >>
huggybear
 
Posts: 1408
Joined: February 9th, 2011, 6:54 pm
Location: Gargantua's cookie jar

Re: Odd comment in Iceweasel security patch release note

Postby Randicus Draco Albus » June 14th, 2012, 9:31 pm

He also says this:
Over time, Firefox ESR will become slower than Firefox

This strikes me more as propaganda than fact, when taken in the context of:
In addition to this, we offer the latest version of Chromium alongside Firefox in the Ubuntu archive. It would be bad for Mozilla for us to offer an outdated Firefox ESR against the very latest version of Chromium, as the difference in performance between the 2 can significantly influence our users' perception of the quality of Mozilla's product.

He also argues that people who use the stable version actually do not want stability. They actually want the latest and greatest. :?
I would say the real reason for Canonical's decision is simply that they want to sell Ubuntu by only having the latest and greatest version of Firefox. In the same way as they claim releasing a new version every six months ensures that the system is always up-to-date.

I take whatever an Ubuntu or Canonical blogger/developer/sales rep writes with a grain of salt.
In the beginning there was only the darkness of the void.
Then Mez said, "Let there be DFN." And it was done.
{After many years.}
Then Mez said, "Let my angels of colour spread the news of my glory afar."
And it is being done.
Randicus Draco Albus
 
Posts: 515
Joined: September 22nd, 2011, 1:22 pm
Location: Sitting in front of my computer.

Re: Odd comment in Iceweasel security patch release note

Postby vbrummond » June 14th, 2012, 9:43 pm

Yeah, I wouldn't put much stock into what Ubuntu has to say. They have different goals and standards than Debian. Personally I think ESR is a good move. It might be the first step into bringing the 'firefox' branding back to Debian. Not that I miss it.
vbrummond
 
Posts: 151
Joined: February 11th, 2011, 8:43 pm

Re: Odd comment in Iceweasel security patch release note

Postby Leos1 » June 14th, 2012, 10:16 pm

I think I need elaboration from someone on the Debian security team. Most helpful would be information enabling individual users to make good choices based upon how they use Iceweasel, what add-ons they have installed.

I find it hard to extract useful information efficiently from the mailing lists. This seems like the kind of issue which could best be discussed in a regular blog from the security team.
Leos1
 
Posts: 47
Joined: June 12th, 2012, 4:44 pm

Re: Odd comment in Iceweasel security patch release note

Postby vbrummond » June 14th, 2012, 10:27 pm

I mean, feel free to be curious or to ask the security team yourself, though I think you may be reading too much into this. :P Unless you are a developer or security researcher yourself, you are always at the mercy of the software you use.
vbrummond
 
Posts: 151
Joined: February 11th, 2011, 8:43 pm

Re: Odd comment in Iceweasel security patch release note

Postby Randicus Draco Albus » June 14th, 2012, 10:47 pm

If you are paranoid about security, look at craigevil's set-up. He has it posted several times here and on DFN. :)
Randicus Draco Albus
 
Posts: 515
Joined: September 22nd, 2011, 1:22 pm
Location: Sitting in front of my computer.
