Reverting firefox-esr upgrade in Buster


Reverting firefox-esr upgrade in Buster

local10
Hi,

Is there a way to revert firefox-esr upgrade to version 60 in Buster and install back firefox v 52.9.0?
Thanks



Re: Reverting firefox-esr upgrade in Buster

Brad Rogers
On Thu, 8 Nov 2018 06:43:02 +0100 (CET)
local10 <[hidden email]> wrote:

Hello local10,

>Is there a way to revert firefox-esr upgrade to version 60 in Buster
>and install back firefox v 52.9.0?

Why?  Apart from the move from XUL to WE extensions, going back is
simply asking for trouble security-wise.  Also, more and more sites will
stop working correctly as v52 gets more out of date.

That said, to wind back, you set up a new repo as per this page:
https://snapshot.debian.org/

--
 Regards  _
         / )           "The blindingly obvious is
        / _)rad        never immediately apparent"
Tell the dinosaurs they just won't survive
The History Of The World (Part 1) - The Damned


Re: Reverting firefox-esr upgrade in Buster

local10
Nov 8, 2018, 2:55 AM by [hidden email]:

> Why?  Apart from the move from XUL to WE extensions, going back is
> simply asking for trouble security-wise.  Also, more and more sites will
> stop working correctly as v52 gets more out of date.
>
> That said, to wind back, you set up a new repo as per this page:
> https://snapshot.debian.org <https://snapshot.debian.org/>
>

Some plugins disappeared, some no longer work the way they did (meaning they now work worse), NoScript freaked me out when I saw what happened to it. And in general, with each new release FF seems to be getting worse and worse: more dumbed down while at the same time being bloated with "features" like tracking, telemetry, promotions, social, etc.

Anyway, thanks for the link.


Re: Reverting firefox-esr upgrade in Buster

Brad Rogers
On Thu, 8 Nov 2018 10:15:28 +0100 (CET)
local10 <[hidden email]> wrote:

Hello local10,

>Some plugins disappeared, some no longer work the way they did (meaning
>they now work worse), NoScript freaked me out when I saw what happened

That's because of the change from XUL to WE.  Some of your extensions
will have suitable replacements.  Sadly, not all.  Mostly, anything that
modified the FF UI will have no replacement.  In fact, if you look at
the plugins page, you should see a section marked "Legacy Extensions".
Look there, and an offer to find replacements is available to you.  Like
I said, not everything will have anything suitable to work in its stead.

I'm no fan of the move to WE myself, despite the security issues
claimed(1) to exist with XUL. It's one of the reasons I use Pale Moon.

>Anyway, thanks for the link.

No problem.

Just be aware that v52 (in testing) isn't going to get security updates,
and that can be hazardous.  Also, some sites no longer work in v52 -
anything video related is at risk as more sites move to playback
technology that v52 can't do.

(1) I say 'claimed' because it's based on limited reading of one,
probably biased, source.

--
 Regards  _
         / )           "The blindingly obvious is
        / _)rad        never immediately apparent"
What do you call that noise, that you put on?
This Is Pop - XTC


Re: Reverting firefox-esr upgrade in Buster

local10
Nov 8, 2018, 4:43 AM by [hidden email]:

> I'm no fan of the move to WE myself, despite the security issues
> claimed(1) to exist with XUL. It's one of the reasons I use Pale Moon.
>

I was looking into PaleMoon/Basilisk/Waterfox myself but decided not to proceed at the time as they are not in the Debian repository.

> Just be aware that v52 (in testing) isn't going to get security updates,
> and that can be hazardous.  Also, some sites no longer work in v52 -
> anything video related is at risk as more sites move to playback
> technology that v52 can't do.
>

The majority of security issues are related to Javascript use and with Noscript installed this attack vector should be reduced somewhat as I only enable Javascript for a few websites. Am still deciding what to do though, just wanted to see how easy it would be to go back to 52.9.

Thanks for the info.


Re: Reverting firefox-esr upgrade in Buster

Brad Rogers
On Thu, 8 Nov 2018 11:26:11 +0100 (CET)
local10 <[hidden email]> wrote:

Hello local10,

>I was looking into PaleMoon/Basilisk/Waterfox myself but decided not to
>proceed at the time as they are not in the Debian repository.

IDK what the position is WRT Waterfox, but I don't think Pale Moon or
Basilisk are likely to make it into Debian repos as there are,
potentially, license issues regarding branding.

In any case, keeping up to date with Pale Moon shouldn't be an issue, as
it has its own, internal, update method (I suspect Basilisk is the
same).  You get the choice of 'update automatically', 'notify and let me
choose when to update' or 'never update'.

>though, just wanted to see how easy it would be to go back to 52.9.

As you've seen, it's not too difficult.  Just remember to pin FF though,
if you do decide to roll back to v52.  Otherwise you might end up
updating FF accidentally.

I'm speaking from experience.   :-)

>Thanks for the info.

No problem.

--
 Regards  _
         / )           "The blindingly obvious is
        / _)rad        never immediately apparent"
It belongs to them, let's give it back
Beds Are Burning - Midnight Oil
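
The rollback described in the replies above (a snapshot.debian.org source plus a pin), written out as an added example that is not part of the original posts. The two file names and the SNAPSHOT_TIMESTAMP placeholder are assumptions; the version glob uses the 52.9.0 named in the thread.

```text
# /etc/apt/sources.list.d/snapshot.list   (file name is an assumption)
# Replace SNAPSHOT_TIMESTAMP with a timestamp chosen on snapshot.debian.org
# (format YYYYMMDDTHHMMSSZ) from before firefox-esr 60 entered buster.
# Snapshot Release files are past their validity date, hence
# check-valid-until=no. Remove this source once the downgrade is done.
deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/SNAPSHOT_TIMESTAMP/ buster main

# /etc/apt/preferences.d/firefox-esr.pref   (file name is an assumption)
# A priority above 1000 lets apt install the pinned version even though it
# is a downgrade, and stops a later upgrade from replacing it.
# The same pin also blocks every firefox-esr security update, so delete
# this file to return to the supported release.
Package: firefox-esr
Pin: version 52.9.0*
Pin-Priority: 1001

# Then, as root:
#   apt update
#   apt install firefox-esr
#   apt-cache policy firefox-esr    # confirm installed and candidate versions
```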


Re: Reverting firefox-esr upgrade in Buster

Michael Stone-2
In reply to this post by local10
On Thu, Nov 08, 2018 at 11:26:11AM +0100, local10 wrote:
>I was looking into PaleMoon/Basilisk/Waterfox myself but decided not to proceed at the time as they are not in the Debian repository.

You're much better off using a third-party-sourced browser than sticking
with an obsolete & unsupported version because it happened to be
packaged by debian at one time.


Re: Reverting firefox-esr upgrade in Buster

Cindy-Sue Causey
In reply to this post by local10
On 11/8/18, local10 <[hidden email]> wrote:

> Nov 8, 2018, 4:43 AM by [hidden email]:
>
>> I'm no fan of the move to WE myself, despite the security issues
>> claimed(1) to exist with XUL. It's one of the reasons I use Pale Moon.
>>
>
> I was looking into PaleMoon/Basilisk/Waterfox myself but decided not to
> proceed at the time as they are not in the Debian repository.
>
>> Just be aware that v52 (in testing) isn't going to get security updates,
>> and that can be hazardous.  Also, some sites no longer work in v52 -
>> anything video related is at risk as more sites move to playback
>> technology that v52 can't do.
>>
>
> The majority of security issues are related to Javascript use and with
> Noscript installed this attack vector should be reduced somewhat as I only
> enable Javascript for a few websites. Am still deciding what to do though,
> just wanted to see how easy it would be to go back to 52.9.


I got... *sigh*... hacked/cracked two weekends ago. "That other
operating system" that has been running as my dialup modem via a
networked laptop. Could have come from outside the country, but I'm
leaning toward +1 more that it has roots right outside my front door.

Whatever. It became a "S'all good" situation because I'm all #Linux
now with Puppy Linux serving fabulously as the dialup modem handler
(ttySHSF0 56k hsfmodem with that being a head nod to an older thread).

ANYWAY, IN THE PROCESS of going through that, my bank account no
longer is fully accessible. I did a Hail Mary the other day by trying
Links/2, w3m, elinks, yada, on Debian Buster because that very topic
had once been mentioned here on Debian-User.

I like them... Posted some Twitter and a little bit of other test
websurfing with elinks. Discovered that Gmail has a mobile I've never
been offered. Turned into one of those "Hey, this is really cool"
moments.

But... bank account STILL does not work...

It yelled javascript was not enabled and basically *almost* KICKED me
out IMMEDIATELY because it wasn't available.

Which led to me sitting here thinking... I THOUGHT javascript was
security issue prone to the point folks are trying to wipe it from the
Net. So WHY is a bank so dependent on it that my bank's website almost
seemed to freak that javascript wasn't available???

While seeking tips on how to possibly enable javascript for elinks et
al(l) to assuage said banking website's apparent trauma, I tripped
over a mention of banks specifically being where users are having
significant problems. CHECK and/but yet again: WHY?!

That's about the end of my tale outside of serious head scratching.
Well, that and that more (hopefully temporarily unsuccessful) Hail
Mary efforts led to finding libjs-extjs, libjs-json, and a couple
others that I've forgotten and can't find now via "apt-cache search".

Those didn't immediately help, but I think that was a time constraint
issue that caused me to not cognitively grasp how to implement them.
It looks like there may be a need for rebuilding before one or more
are actually integrated into elinks and family....

OR not... It's a front burner deal to try new how-to tutorial searches
again. It really was neat using those terminal browsers. It's REALLY
nice to have multiple functioning options available at all times for
getting what we need from the Internet..

PS I don't know if javascript plays any into Twitter's functionality,
but I'm seeing features that weren't available a few days ago, mostly
"Trending". They appeared after recent reboots following initial
installation of libjs-extjs and related. Could be related but could
also just be coincidence.

Nope, not comfortable with any of it, but am under pressure to get
some heavy duty stuff done FAST. Had to make a *_CHOICE_* under
extreme duress. That "duress" just ticked up a couple notches as of
two hours ago.

This choice wasn't near as much fun as picking between entire
operating systems. The libjs-extjs/libjs-json experience appears to
have potential to cause problems if newbies don't know how to
*consciously* keep it in check.. which I, for one, don't yet because I
haven't stumbled upon just the right cognitively friendly tutorial...
yet. :)

Cindy :)
--
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* Waving @ City of Jasper Admin for helping set up auto-debit so I
don't have to-o-o-o! *


Re: Reverting firefox-esr upgrade in Buster

Dan Ritter-4
Cindy-Sue Causey:
> But... bank account STILL does not work...
>
> It yelled javascript was not enabled and basically *almost* KICKED me
> out IMMEDIATELY because it wasn't available.
>
> Which led to me sitting here thinking... I THOUGHT javascript was
> security issue prone to the point folks are trying to wipe it from the
> Net. So WHY is a bank so dependent on it that my bank's website almost
> seemed to freak that javascript wasn't available???

Oh, that's easy.

People at corporations care about:
    - making money
    - keeping money
    - reducing the amount of money they spend in order to do the
      first two

(Most) banks are corporations.

It turns out that the web is much much cheaper than a bank clerk
per unit of work that each does. So web solutions replace
people.

It also turns out that most of the people who run banks don't
know much about computers or software or the web... but they all
believe that they are expert users. And as a consequence, they
don't care one whit about actual security.

So they'll pay extra to get logos and certificates and big green
bars on browsers, but animations and smooth flows win over
debuggable code every single time.

Remember, every security bug is also a bug.

-dsr-


Re: Reverting firefox-esr upgrade in Buster

Brad Rogers
On Thu, 8 Nov 2018 10:24:57 -0500
Dan Ritter <[hidden email]> wrote:

Hello Dan,

>believe that they are expert users. And as a consequence, they
>don't care one whit about actual security.

Not entirely true;  They don't care about *customer* security.  Their
own they do.  How well (read:poorly) they manage it is a closely guarded
secret.

--
 Regards  _
         / )           "The blindingly obvious is
        / _)rad        never immediately apparent"
The deadbeats and the dispossessed, the seekers of unlikeliness
Street Of Dreams - The Damned


Re: Reverting firefox-esr upgrade in Buster

rhkramer
In reply to this post by Cindy-Sue Causey
On Thursday, November 08, 2018 09:53:24 AM Cindy-Sue Causey wrote:
> I got... *sigh*... hacked/cracked two weekends ago. "That other
> operating system" that has been running as my dialup modem via a
> networked laptop. Could have come from outside the country, but I'm
> leaning toward +1 more that it has roots right outside my front door.

I don't have any comment on the rest of your post, but (and I'm frantically
knocking on wood as I write this), I don't think I've ever been hacked in the
33+ years I've been connected to the Internet or predecessor online systems.

What I use is a router with NAT between the modem (of whatever flavor) and any
of my systems.  Back in the day, I had to do some gymnastics to play some
games -- I don't know if that is still an issue, but, to the greatest extent
possible, I recommend that everyone consider a router with NAT between their
computers and the Internet.

(And, as I close, Just knocking on wood a few more times... ;-)


Re: Reverting firefox-esr upgrade in Buster

Gene Heskett-4
On Thursday 08 November 2018 12:37:42 [hidden email] wrote:

> On Thursday, November 08, 2018 09:53:24 AM Cindy-Sue Causey wrote:
> > I got... *sigh*... hacked/cracked two weekends ago. "That other
> > operating system" that has been running as my dialup modem via a
> > networked laptop. Could have come from outside the country, but I'm
> > leaning toward +1 more that it has roots right outside my front
> > door.
>
> I don't have any comment on the rest of your post, but (and I'm
> frantically knocking on wood as I write this), I don't think I've ever
> been hacked in the 33+ years I've been connected to the Internet or
> predecessor online systems.
>
> What I use is a router with NAT between the modem (of whatever flavor)
> and any of my systems.  Back in the day, I had to do some gymnastics
> to play some games -- I don't know if that is still an issue, but, to
> the greatest extent possible, I recommend that everyone consider a
> router with NAT between their computers and the Internet.
>
> (And, as I close, Just knocking on wood a few more times... ;-)

Been doing that for nearly 20 years, using dd-wrt, I see them knocking on
the door, quite a few times a second at times. Only one got in, and I
had to give him the login/pw combos to do it as I needed help. Not
another in nearly 2 decades. I no longer watch the logs, too boring.

--
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>


Re: Reverting firefox-esr upgrade in Buster

Ben Caradoc-Davies-3
In reply to this post by Cindy-Sue Causey
On 09/11/2018 03:53, Cindy-Sue Causey wrote:
> But... bank account STILL does not work...
> It yelled javascript was not enabled and basically *almost* KICKED me
> out IMMEDIATELY because it wasn't available.
> Which led to me sitting here thinking... I THOUGHT javascript was
> security issue prone to the point folks are trying to wipe it from the
> Net. So WHY is a bank so dependent on it that my bank's website almost
> seemed to freak that javascript wasn't available???

I use and recommend Firefox with NoScript. Recent NoScript supports
WebExtensions, with a new user interface. NoScript blocks JavaScript by
default and protects you from a range of threats even for origins from
which JavaScript is permitted. With NoScript, you can selectively enable
JavaScript for those sites that you trust.

I also use Adblock Plus because ads are a known delivery mechanism for
malicious content. The combination of NoScript and Adblock Plus has the
side benefit of making web browsing much faster.

If you are paranoid, you can use a dedicated Firefox profile for your
internet banking. If you are super-paranoid, you can run Firefox on a
dedicated virtual machine. A freshly booted non-writeable live image for
each banking session will prevent malicious state from being persisted
on the client VM. As long as the host machine has not been compromised,
in which case all bets are off.

I like web sites that fail gracefully when JavaScript is disabled.
Unfortunately, JavaScript Single Page Applications (SPA) are a plague on
the internet. I prefer RESTful architectures.

Kind regards,

--
Ben Caradoc-Davies <[hidden email]>
Director
Transient Software Limited <https://transient.nz/>
New Zealand


Re: Reverting firefox-esr upgrade in Buster

Jimmy Johnson-8
In reply to this post by local10
On 11/07/2018 09:43 PM, local10 wrote:
> Hi,
>
> Is there a way to revert firefox-esr upgrade to version 60 in Buster and install back firefox v 52.9.0?
> Thanks


Here:
  https://pkgs.org/download/firefox-esr
--
Jimmy Johnson

Slackware64 14.2 - KDE 4.14.32 - AMD A8-7600 - EXT4 at sda9
Registered Linux User #380263