• Re: [gentoo-user] Package "www-client/firefox"

    From Alarig Le Lay@21:1/5 to Jay Faulkner on Thu Dec 5 00:10:01 2024
    On Wed 04 Dec 2024 08:32:01 GMT, Jay Faulkner wrote:
    There is no truly correct answer to that question. Here's my $0.02: I
    always want to run the latest release of a web browser -- otherwise
    you're counting on folks to be able to identify every single patch
    related to security and backport it -- even if people are trying. This
    is why I run the rapid slot of Firefox.

    The ESR is officially supported by Mozilla, so you don’t rely on only
    one person (from Nebraska) here.

    On my side, I don’t want the new bullshit features of Firefox to arrive
    too soon, so I run ESR.

    --
    Alarig

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Matt Jolly@21:1/5 to Alarig Le Lay on Thu Dec 5 00:20:01 2024
    Hi,

    On 5/12/24 09:04, Alarig Le Lay wrote:
    The ESR is officially supported by Mozilla, so you don’t rely on only
    one person (from Nebraska) here.

    Yes, there have _never_ been whole teams who have missed backporting
    a seemingly innocuous security fix. That has never in the history of
    the world happened.

  • From Matt Jolly@21:1/5 to Dr Rainer Woitok on Thu Dec 5 00:30:01 2024
    Hi Rainer,

    On 5/12/24 00:35, Dr Rainer Woitok wrote:
    So which slot should I choose? Any opinions out there?

    I can't speak for Firefox, but I do maintain Chromium which is similar
    enough in terms of being a browser with a fast release cycle and several
    channels.

    I recommend keeping your browser as up-to-date as possible. The `rapid`
    channel for Firefox may result in more frequent updates for you as
    an end-user, but it always includes the latest fixes (and features).

    That's not saying that ESR is likely to be vulnerable, but the fixes
    going into ESR are going to be backported from the rapid and development
    channels. A lot of work goes into ensuring that these backports are done
    in a timely manner, but it's not beyond the realm of possibility for one
    to be missed, or announced and fixed in rapid but not in ESR leaving
    those users vulnerable.

    IMO if you're not an enterprise you should be running rapid. If you are
    an enterprise you have your own requirements to think about, but you
    should probably also be running rapid.

    In Chromium terms, I often run the beta (or dev) channels, as I know
    that security fixes for the stable channel are implemented in dev
    and backported from there.

    I hope that helps, I need to run and get breakfast.

    Cheers,

    Matt

  • From Michael@21:1/5 to All on Wed Dec 4 23:59:36 2024
    On Wednesday 4 December 2024 23:25:42 GMT Matt Jolly wrote:
    Hi Rainer,

    On 5/12/24 00:35, Dr Rainer Woitok wrote:
    So which slot should I choose? Any opinions out there?

    I can't speak for Firefox, but I do maintain Chromium which is similar
    enough in terms of being a browser with a fast release cycle and several
    channels.

    I recommend keeping your browser as up-to-date as possible. The `rapid`
    channel for Firefox may result in more frequent updates for you as
    an end-user, but it always includes the latest fixes (and features).

    That's not saying that ESR is likely to be vulnerable, but the fixes
    going into ESR are going to be backported from the rapid and development
    channels. A lot of work goes into ensuring that these backports are done
    in a timely manner, but it's not beyond the realm of possibility for one
    to be missed, or announced and fixed in rapid but not in ESR leaving
    those users vulnerable.

    IMO if you're not an enterprise you should be running rapid. If you are
    an enterprise you have your own requirements to think about, but you
    should probably also be running rapid.

    In Chromium terms, I often run the beta (or dev) channels, as I know
    that security fixes for the stable channel are implemented in dev
    and backported from there.

    I hope that helps, I need to run and get breakfast.

    Cheers,

    Matt

    Thanks for your informed input. What would you say is the time lag between
    some vulnerability announced in a browser before backporting takes place?
    I've been thinking the latest dev release may have patched some old(er)
    vulnerability, while at the same time introducing one or two new zero-day
    horrors.

    Thinking about it, would you know how far out of kilter is Falkon with
    respect to vulnerabilities? I noticed enotices mention Falkon is
    essentially out of date and some websites may break, but couldn't decide
    if this meant it should not be used unless you've a penchant for
    retro-software.

    PS. As an alternative to Firefox the OP could consider the overlay for Librewolf/librewolf-bin:

    https://librewolf.net/
    https://codeberg.org/librewolf/gentoo.git

    Its releases are more frequent than the Firefox-ESR, but I don't know if they are in sync with Firefox rapid.
