Discussion:
firefox-esr security support for arm?
Marc
2018-09-08 07:06:57 UTC
Permalink
Hi all,

I use Raspberry Pies running Debian Stretch (armhf 32-bit) with a
custom Linux kernel for both my Desktop and Portable systems. I have
been using firefox-esr (with some modifications for speed and security)
as a browser so far.

Yesterday's message to debian-security-announce was a bit of a morning
In addition, the new Firefox packages require Rust to build. A
compatible Rust toolchain has been backported to Debian stretch, but is
not available for all architectures which previously supported the
purely C++-based Firefox packages. Thus, the new Firefox packages
don't support the armel, armhf, mips, mips64el and mipsel architectures
at this point.
Apparently lacking enough caffeine, I could not find any relevant
discussions about this so far. I did notice that the current version
of firefox-esr for armhf is present in sid (but I am loath to run
sid on production systems), and that mozilla.org does not seem to
distribute any binaries for arm.

What's the realistic way forward from here, assuming that I would like
a browser with security support? Pull firefox-esr plus dependencies
from sid (probably quite intrusive)? Switch to chromium-browser?
Switch to another distribution or even a BSD? Or am I overreacting and
should just wait a couple of days for (Rust and) Firefox to magically
appear in stretch-backports? :)

Regards
Marc
Alan Corey
2018-09-08 08:30:26 UTC
Permalink
Got anything you can cross-compile one on? I built Firefox 61 on a
Rock64 (and Rust first). I've tried a few times to build on a
Raspberry Pi 3B without success. And I was running 64bit Debian
Buster on one in one case. Supposedly Firefox doesn't like 32 bit
anymore. They also recommend 10 GB of RAM, my Rock64 has 4 GB plus
swap. It's about 1.5 GB of source code.
I had about 20 GB swap on the Pi I think, it just wouldn't fly.

The Rust is problematic, I wish they'd wean themselves off of it. The
demo "Hello World" program in Rust is 2 MB, and all it does is to
print Hello World at the console, not even GUI. I could do that in
200 bytes of 8088 assembly.
Post by Marc
Hi all,
I use Raspberry Pies running Debian Stretch (armhf 32-bit) with a
custom Linux kernel for both my Desktop and Portable systems. I have
been using firefox-esr (with some modifications for speed and security)
as a browser so far.
Yesterday's message to debian-security-announce was a bit of a morning
In addition, the new Firefox packages require Rust to build. A
compatible Rust toolchain has been backported to Debian stretch, but is
not available for all architectures which previously supported the
purely C++-based Firefox packages. Thus, the new Firefox packages
don't support the armel, armhf, mips, mips64el and mipsel architectures
at this point.
Apparently lacking enough caffeine, I could not find any relevant
discussions about this so far. I did notice that the current version
of firefox-esr for armhf is present in sid (but I am loath to run
sid on production systems), and that mozilla.org does not seem to
distribute any binaries for arm.
What's the realistic way forward from here, assuming that I would like
a browser with security support? Pull firefox-esr plus dependencies
from sid (probably quite intrusive)? Switch to chromium-browser?
Switch to another distribution or even a BSD? Or am I overreacting and
should just wait a couple of days for (Rust and) Firefox to magically
appear in stretch-backports? :)
Regards
Marc
--
-------------
No, I won't call it "climate change", do you have a "reality problem"? - AB1JX
Cities are cages built to contain excess people and keep them from
cluttering up nature.
Impeach Impeach Impeach Impeach Impeach Impeach Impeach Impeach
Marc
2018-09-08 09:11:32 UTC
Permalink
Post by Alan Corey
Got anything you can cross-compile one on?
Of course I could always spin up a Linode or something for that.
I was kind of hoping to remain within Debian.

Regards,
Marc
John Paul Adrian Glaubitz
2018-09-08 08:38:38 UTC
Permalink
It should actually be possible to bootstrap the Rust compiler and Cargo in version 1.24 for armel and armhf and I can take of that if no one disagrees.

Adrian
Post by Marc
Hi all,
I use Raspberry Pies running Debian Stretch (armhf 32-bit) with a
custom Linux kernel for both my Desktop and Portable systems. I have
been using firefox-esr (with some modifications for speed and security)
as a browser so far.
Yesterday's message to debian-security-announce was a bit of a morning
In addition, the new Firefox packages require Rust to build. A
compatible Rust toolchain has been backported to Debian stretch, but is
not available for all architectures which previously supported the
purely C++-based Firefox packages. Thus, the new Firefox packages
don't support the armel, armhf, mips, mips64el and mipsel architectures
at this point.
Apparently lacking enough caffeine, I could not find any relevant
discussions about this so far. I did notice that the current version
of firefox-esr for armhf is present in sid (but I am loath to run
sid on production systems), and that mozilla.org does not seem to
distribute any binaries for arm.
What's the realistic way forward from here, assuming that I would like
a browser with security support? Pull firefox-esr plus dependencies
from sid (probably quite intrusive)? Switch to chromium-browser?
Switch to another distribution or even a BSD? Or am I overreacting and
should just wait a couple of days for (Rust and) Firefox to magically
appear in stretch-backports? :)
Regards
Marc
Alan Corey
2018-09-08 08:43:29 UTC
Permalink
You'll probably need to update it:
rustup update
I think. The rust in debs was too old when I tried.

Sent from my Motorola XT1527

On Sat, Sep 8, 2018, 4:38 AM John Paul Adrian Glaubitz <
Post by John Paul Adrian Glaubitz
It should actually be possible to bootstrap the Rust compiler and Cargo in
version 1.24 for armel and armhf and I can take of that if no one disagrees.
Adrian
Post by Marc
Hi all,
I use Raspberry Pies running Debian Stretch (armhf 32-bit) with a
custom Linux kernel for both my Desktop and Portable systems. I have
been using firefox-esr (with some modifications for speed and security)
as a browser so far.
Yesterday's message to debian-security-announce was a bit of a morning
In addition, the new Firefox packages require Rust to build. A
compatible Rust toolchain has been backported to Debian stretch, but is
not available for all architectures which previously supported the
purely C++-based Firefox packages. Thus, the new Firefox packages
don't support the armel, armhf, mips, mips64el and mipsel architectures
at this point.
Apparently lacking enough caffeine, I could not find any relevant
discussions about this so far. I did notice that the current version
of firefox-esr for armhf is present in sid (but I am loath to run
sid on production systems), and that mozilla.org does not seem to
distribute any binaries for arm.
What's the realistic way forward from here, assuming that I would like
a browser with security support? Pull firefox-esr plus dependencies
from sid (probably quite intrusive)? Switch to chromium-browser?
Switch to another distribution or even a BSD? Or am I overreacting and
should just wait a couple of days for (Rust and) Firefox to magically
appear in stretch-backports? :)
Regards
Marc
Alan Corey
2018-09-08 08:53:02 UTC
Permalink
Oh, Qupzilla isn't bad, better than Chromium.

Sent from my Motorola XT1527
Post by Alan Corey
rustup update
I think. The rust in debs was too old when I tried.
Sent from my Motorola XT1527
On Sat, Sep 8, 2018, 4:38 AM John Paul Adrian Glaubitz <
Post by John Paul Adrian Glaubitz
It should actually be possible to bootstrap the Rust compiler and Cargo
in version 1.24 for armel and armhf and I can take of that if no one
disagrees.
Adrian
Post by Marc
Hi all,
I use Raspberry Pies running Debian Stretch (armhf 32-bit) with a
custom Linux kernel for both my Desktop and Portable systems. I have
been using firefox-esr (with some modifications for speed and security)
as a browser so far.
Yesterday's message to debian-security-announce was a bit of a morning
In addition, the new Firefox packages require Rust to build. A
compatible Rust toolchain has been backported to Debian stretch, but is
not available for all architectures which previously supported the
purely C++-based Firefox packages. Thus, the new Firefox packages
don't support the armel, armhf, mips, mips64el and mipsel architectures
at this point.
Apparently lacking enough caffeine, I could not find any relevant
discussions about this so far. I did notice that the current version
of firefox-esr for armhf is present in sid (but I am loath to run
sid on production systems), and that mozilla.org does not seem to
distribute any binaries for arm.
What's the realistic way forward from here, assuming that I would like
a browser with security support? Pull firefox-esr plus dependencies
from sid (probably quite intrusive)? Switch to chromium-browser?
Switch to another distribution or even a BSD? Or am I overreacting and
should just wait a couple of days for (Rust and) Firefox to magically
appear in stretch-backports? :)
Regards
Marc
Marc
2018-09-08 09:03:50 UTC
Permalink
Post by Alan Corey
Oh, Qupzilla isn't bad, better than Chromium.
Thanks for your suggestion! However,
<https://www.debian.org/releases/stretch/armhf/release-notes/ch-information.en.html#browser-security>
seems to warn explicitly against using browsers based on webkit
and qtwebkit (such as qupzilla): "These browsers should not be used
against untrusted websites."

Regards,
Marc
John Paul Adrian Glaubitz
2018-09-08 09:09:08 UTC
Permalink
No, I don’t. I have bootstrapped the Rust compiler already for multiple architectures in Debian. Never had to use any of the upstream tools.
https://buildd.debian.org/status/logs.php?pkg=rustc&arch=armel
https://buildd.debian.org/status/logs.php?pkg=rustc&arch=armhf
Will take care of it tonight, but wait with the upload until I get an ACK from the release team.

Adrian
rustup update
I think. The rust in debs was too old when I tried.
Sent from my Motorola XT1527
Post by John Paul Adrian Glaubitz
It should actually be possible to bootstrap the Rust compiler and Cargo in version 1.24 for armel and armhf and I can take of that if no one disagrees.
Adrian
Post by Marc
Hi all,
I use Raspberry Pies running Debian Stretch (armhf 32-bit) with a
custom Linux kernel for both my Desktop and Portable systems. I have
been using firefox-esr (with some modifications for speed and security)
as a browser so far.
Yesterday's message to debian-security-announce was a bit of a morning
In addition, the new Firefox packages require Rust to build. A
compatible Rust toolchain has been backported to Debian stretch, but is
not available for all architectures which previously supported the
purely C++-based Firefox packages. Thus, the new Firefox packages
don't support the armel, armhf, mips, mips64el and mipsel architectures
at this point.
Apparently lacking enough caffeine, I could not find any relevant
discussions about this so far. I did notice that the current version
of firefox-esr for armhf is present in sid (but I am loath to run
sid on production systems), and that mozilla.org does not seem to
distribute any binaries for arm.
What's the realistic way forward from here, assuming that I would like
a browser with security support? Pull firefox-esr plus dependencies
from sid (probably quite intrusive)? Switch to chromium-browser?
Switch to another distribution or even a BSD? Or am I overreacting and
should just wait a couple of days for (Rust and) Firefox to magically
appear in stretch-backports? :)
Regards
Marc
Marc
2018-09-08 09:17:03 UTC
Permalink
No, I don’t. I have bootstrapped the Rust compiler already for multiple architectures in Debian. Never had to use any of the upstream tools.
[...]
Will take care of it tonight, but wait with the upload until I get an ACK from the release team.
That sounds great, thank you! With that in place, what would have
to be done to get the Firefox packages built for arm again?

Regards,
Marc
John Paul Adrian Glaubitz
2018-09-08 11:18:47 UTC
Permalink
Post by Marc
No, I don’t. I have bootstrapped the Rust compiler already for multiple architectures in Debian. Never had to use any of the upstream tools.
[...]
Will take care of it tonight, but wait with the upload until I get an ACK from the release team.
That sounds great, thank you! With that in place, what would have
to be done to get the Firefox packages built for arm again?
Nothing. Just cargo and rustc are required. I just asked debian-release for permission. Let’s see.

Adrian
John Paul Adrian Glaubitz
2018-09-09 21:02:52 UTC
Permalink
Post by John Paul Adrian Glaubitz
It should actually be possible to bootstrap the Rust compiler and Cargo in version 1.24 for armel and armhf and I can take of that if no one disagrees.
I'm waiting for an OK to upload from debian-release/security:

***@z6:..incoming/rust> ls -l *deb9u*
-rw-r--r-- 1 glaubitz glaubitz 6504 Sep 9 22:11 cargo_0.25.0-3~deb9u1_armel.buildinfo
-rw-r--r-- 1 glaubitz glaubitz 1423 Sep 9 22:11 cargo_0.25.0-3~deb9u1_armel.changes
-rw-r--r-- 1 glaubitz glaubitz 1850244 Sep 9 22:11 cargo_0.25.0-3~deb9u1_armel.deb
-rw-r--r-- 1 glaubitz glaubitz 6441 Sep 9 22:11 cargo_0.25.0-3~deb9u1_armhf.buildinfo
-rw-r--r-- 1 glaubitz glaubitz 1426 Sep 9 22:11 cargo_0.25.0-3~deb9u1_armhf.changes
-rw-r--r-- 1 glaubitz glaubitz 1900968 Sep 9 22:11 cargo_0.25.0-3~deb9u1_armhf.deb
-rw-r--r-- 1 glaubitz glaubitz 510590 Sep 9 22:11 cargo-dbgsym_0.25.0-3~deb9u1_armel.deb
-rw-r--r-- 1 glaubitz glaubitz 1785138 Sep 9 22:11 cargo-dbgsym_0.25.0-3~deb9u1_armhf.deb
-rw-r--r-- 1 glaubitz glaubitz 26880552 Sep 9 22:11 libstd-rust-1.24_1.24.1+dfsg1-1~deb9u3_armel.deb
-rw-r--r-- 1 glaubitz glaubitz 26549632 Sep 9 14:59 libstd-rust-1.24_1.24.1+dfsg1-1~deb9u3_armhf.deb
-rw-r--r-- 1 glaubitz glaubitz 28998358 Sep 9 22:11 libstd-rust-1.24-dbgsym_1.24.1+dfsg1-1~deb9u3_armel.deb
-rw-r--r-- 1 glaubitz glaubitz 28728838 Sep 9 14:59 libstd-rust-1.24-dbgsym_1.24.1+dfsg1-1~deb9u3_armhf.deb
-rw-r--r-- 1 glaubitz glaubitz 21486694 Sep 9 22:11 libstd-rust-dev_1.24.1+dfsg1-1~deb9u3_armel.deb
-rw-r--r-- 1 glaubitz glaubitz 21504808 Sep 9 14:59 libstd-rust-dev_1.24.1+dfsg1-1~deb9u3_armhf.deb
-rw-r--r-- 1 glaubitz glaubitz 7785 Sep 9 22:11 rustc_1.24.1+dfsg1-1~deb9u3_armel.buildinfo
-rw-r--r-- 1 glaubitz glaubitz 2710 Sep 9 22:11 rustc_1.24.1+dfsg1-1~deb9u3_armel.changes
-rw-r--r-- 1 glaubitz glaubitz 1502824 Sep 9 22:11 rustc_1.24.1+dfsg1-1~deb9u3_armel.deb
-rw-r--r-- 1 glaubitz glaubitz 7785 Sep 9 14:59 rustc_1.24.1+dfsg1-1~deb9u3_armhf.buildinfo
-rw-r--r-- 1 glaubitz glaubitz 2710 Sep 9 14:59 rustc_1.24.1+dfsg1-1~deb9u3_armhf.changes
-rw-r--r-- 1 glaubitz glaubitz 1470082 Sep 9 14:59 rustc_1.24.1+dfsg1-1~deb9u3_armhf.deb
-rw-r--r-- 1 glaubitz glaubitz 9726826 Sep 9 22:11 rustc-dbgsym_1.24.1+dfsg1-1~deb9u3_armel.deb
-rw-r--r-- 1 glaubitz glaubitz 9655566 Sep 9 14:59 rustc-dbgsym_1.24.1+dfsg1-1~deb9u3_armhf.deb
***@z6:..incoming/rust>

Adrian
--
.''`. John Paul Adrian Glaubitz
: :' : Debian Developer - ***@debian.org
`. `' Freie Universitaet Berlin - ***@physik.fu-berlin.de
`- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Marc
2018-09-12 06:15:13 UTC
Permalink
Post by John Paul Adrian Glaubitz
It should actually be possible to bootstrap the Rust compiler and Cargo in version 1.24 for armel and armhf and I can take of that if no one disagrees.
And firefox-esr_60.2.0esr-1~deb9u2_armhf.deb rolled in last night.
I really wanted to say thank you for your help!


However, starting the new firefox, I get nothing but this:

***@kalmar:~$ firefox --safe-mode
ExceptionHandler::GenerateDump cloned child 5756
ExceptionHandler::WaitForContinueSignal waiting for continue signal...
ExceptionHandler::SendContinueSignalToChild sent continue signal to child
***@kalmar:~$

And a dialog appears: "We're Sorry. Firefox hat a problem and crashed.
[...]"

I've tried both a normal start and with safe mode, and both after
moving all of .mozilla, .cache, .config, and dconf out of the way.
I've even created a new user with an empty home directory (except
for .Xauthority) and got the same result.

Essentially, the new Firefox appears not to be useable at all at
this point. From a security perspective, this is probably superior
to an outdated browser, but from a functionality perspective, without
a working browser, this computer is no longer able to perform its
allotted tasks.

[On a marginally related note, chromium 69.0.3497.81-1~deb9u1 for
armhf crashes with a segmentation violation, also before mapping any
browser windows.]

Regards,
Marc

Phil Endecott
2018-09-08 17:15:29 UTC
Permalink
Post by Marc
I use Raspberry Pies running Debian Stretch (armhf 32-bit)
Yesterday's message to debian-security-announce was a bit of a morning
shock for me.
In my case, I'm using arm64 devices (ODROID-C2) running stretch.
But I have armhf as an extra architecture (dpkg --add-architecture)
so that I can install packages whose arm64 versions aren't available
or don't work properly. There were quite a few of these when I first
got the boards (pre stretch) but fewer now. In particular, I am
using the armhf version of firefox.

So, perhaps I should avoid the problem of the lack of an armhf
rust compiler and hence lack of updated firefox packages by trying
to install the 64-bit firefox package?

Does anyone know if I am likely to encounter problems with
firefox-esr:arm64 ? In particular if anyone has tried using it
on an ODROID-C2 or similar (kernel 3.14, no GPU support) please
let me know. I am cautious about just trying it because I fear
the difficulty involved in rolling back if necessary. Should I
just wait until someone has made the rust stuff work on armhf?


Thanks, Phil.
Loading...