Firefox zeroday patch


#1

Is there any intention of updating Firefox in the PureOS/Purism repository?


#2

Got the update half an hour ago on the byzantium repo. You’re probably using the amber repo?


#3

Yes I am. I use the amber repo with the belief that it is/was the “approved repo” for Purism. Perhaps I am wrong in this assumption?


#4

No you’re not, but in my experience it takes a little longer in amber to get updates.


#5

Thanks for the info. I appreciate your help.


#6

I’ve been curious about the status of a patch for PureBrowser in Amber; I know it’s currently based on Firefox ESR 60.9, which reached end-of-life in November. Is it affected by the vulnerability? If so, is a patch possible given upstream end of support?


#7

Given the amount of work and divergence from upstream Firefox we’re no longer going to support Purebrowser. My first recommendation is to use a different browser, like Epiphany, or to download Firefox directly from Mozilla.

My second recommendation is to ensure that you have an updated package repository for your system. You can ensure you have up-to-date package repositories by following these instructions to add amber-updates and amber-security if you do not yet have them; https://tracker.pureos.net/w/pureos/software_center/software_sources/
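
A way to check whether the `amber-updates` and `amber-security` suites named above are already enabled, as an added example that is not part of the original post or Purism's instructions. It reads one-line-style APT source files only (not deb822 `.sources` files); the function names are hypothetical and the sample uses a placeholder host, not a real mirror.

```shell
#!/bin/sh
# Added example: report which required suites are absent from APT source files.
REQUIRED_SUITES="amber-updates amber-security"

# enabled_suites FILE...: print the suite field of every active "deb" line.
enabled_suites() {
    # Strip comments and any [option=value] block, then take field 3
    # of the one-line format: type, URI, suite, components...
    sed -e 's/#.*//' -e 's/\[[^]]*\]//' "$@" 2>/dev/null |
        awk '$1 == "deb" && NF >= 3 { print $3 }' | sort -u
}

# missing_suites FILE...: print required suites that no active line provides.
missing_suites() {
    found=$(enabled_suites "$@")
    for suite in $REQUIRED_SUITES; do
        printf '%s\n' "$found" | grep -qx "$suite" || printf '%s\n' "$suite"
    done
}

# make_sample FILE: write a constructed sources list in which
# amber-security is present but commented out.
make_sample() {
    cat > "$1" <<'EOF'
deb https://repo.example.invalid/pureos amber main
deb [arch=amd64] https://repo.example.invalid/pureos amber-updates main
# deb https://repo.example.invalid/pureos amber-security main
EOF
}

# Usage on a real system:
#   sh check.sh /etc/apt/sources.list /etc/apt/sources.list.d/*.list
if [ "$#" -gt 0 ]; then
    missing_suites "$@"
fi
```

Empty output means both suites are enabled; any suite name printed is one that no active `deb` line provides.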


#8

Is it affected by the vulnerability?

This requires investigation to determine because we remove portions of Firefox and Debian (our upstream) does the same.

If so, is a patch possible given upstream end of support?

Likely no, it is best practice to use the browser directly from the source. In the case of Firefox, that is Mozilla. We’ve tried to work with Mozilla to maintain Purebrowser in PureOS but they don’t share our goals at this point in time.


#9

Amber is the “stable” PureOS distribution. It receives updates but it does not receive new software. It does receive backported security updates. Byzantium is the “rolling release” of PureOS, it receives lots and lots of updates and new software. It is inherently more unstable however.


#10

Thanks Jeremiah, How do I find the address of the Byzantium repo? Just google it?


#11

Maybe follow hints here: Pureos rolling release

However I think you will also want to comment out “Amber” if changing over.

As to whether one or the other is “approved”, I think that depends on your goals.

  • Get work done with the minimum of disruption - Amber
  • Always have the latest and greatest - Byzantium

My 2c.


#12

Thanks again for the quick reply (that was fast). I found the Byzantium info on a prior post from last November. Thanks again


#13

you could also dual-boot both Amber and Byzantium or have one or both in a VM …


#14

That reminds me, I should write up a quick HowTo on creating a PureOS Byzantium VM.


#15

Thanks for the clarification, Jeremiah. Have you thought about updating the Amber ISO to remove PureBrowser, replacing it with Epiphany in the default install? Technically it goes against the concept of a stable release, I know, but it may be a good safeguard to prevent new users from using an unsupported and potentially unsecure browser.


#16

Yes, this is something we’ve thought about. However, there is still a large installed base that is not addressed by these actions and we need to help those folks. This is why our current focus is on updating Purebrowser through our amber-update or amber-security channel.


#17

Does that mean Purebrowser is or isn’t going to receive future security updates? It sounded like it isn’t from now on which would mean we should all stop using it ASAP and move on to an alternative? Or perhaps I interpreted your last statement incorrectly and it would only stop receiving security updates if Debian doesn’t provide anymore ESR updates?


#18

Okay, I may have screwed something up. Any help would be greatly appreciated. I added the Byzantium repos to PureOS Software & Updates. I updated 59 applications and they look great. I then downloaded the latest version of Firefox and could/can only launch Firefox via CLI when I typed in ~/firefox/firefox. Firefox does not show up as an application on the GUI or on my favorites bar. I double clicked on the Software & Updates application and it did not launch. I restarted my laptop and tried to launch Software & Updates again, but no response. I uninstalled Software & Updates (with the intention of re-installing it) but now I don’t have the Software or Software & Updates application on my GUI at all. My questions are:

  1. How do I get the “Software” and “Software & Updates” applications re-installed on my GUI?
  2. What step(s) am I missing with Firefox. How come Firefox does not show up on my GUI’s applications list or the favorites bar? How do I get them there?

I realize it’s Saturday but if anyone knows what I am missing can you clue me in after the weekend? Thanks


#19

have you tried to start firefox from the CLI ? then when it pops up look in the launch-toolbar and see if it’s there then > right click > add to favorites (that’s how it should be on Gnome DE)

to search for packages :

  1. elevate your privileges with sudo or su
  2. apt search "at-least-part-of-the-name-of-the-package-you-want"
  3. make a note in your mind or in the clipboard or copy/yank the name of the package you want from the list

to install :

  1. elevate your privileges with sudo or su
  2. apt install "exact-name-of-the-package"
    or
    apt install "at-least-part-of-the-name-of-the-package-you-want"
  3. confirm

in your case it’s > apt install gnome-software
just make sure you have the privileges to install …


#20

wait what ? are you from the future ? where i am it’s Thursday morning jan 16 2020 … back to the future now i guess …