Haven't had any software updates for a while

32 replies [Last post]
oysterboy

I am a member!

I am a translator!

Offline
Joined: 02/01/2011

Maybe an issue with the mirror you're using. Can you please post the output of the following command?

cat /etc/apt/sources.list

al_chemia
Offline
Joined: 06/14/2016

You're right, there seems to be an issue with the US mirror. I switched to the main server and it's now updating normally.

sanchezman
Offline
Joined: 12/09/2015

# Trisquel repositories for supported software and updates
deb http://us.archive.trisquel.info/trisquel/ belenos main
deb-src http://us.archive.trisquel.info/trisquel/ belenos main
deb http://us.archive.trisquel.info/trisquel/ belenos-security main
deb-src http://us.archive.trisquel.info/trisquel/ belenos-security main
deb http://us.archive.trisquel.info/trisquel/ belenos-updates main
deb-src http://us.archive.trisquel.info/trisquel/ belenos-updates main
#deb http://us.archive.trisquel.info/trisquel/ belenos-backports main
#deb-src http://us.archive.trisquel.info/trisquel/ belenos-backports main

lembas
Offline
Joined: 05/13/2010

> I'm worried that I'm open to security vulnerabilities.

You are.

https://trisquel.info/en/forum/abrowser-version-trisquel-6

(the problem is apparently also in trisquel 7)

sanchezman
Offline
Joined: 12/09/2015

As much as I love fully free distros, I'm thinking of switching to debian and just not enabling nonfree repos. It seems every fully free distro is consistently teetering on the brink of being left unsupported.

Mzee
Offline
Joined: 07/10/2013

Unfortunately, you are very right about this. :-( In the long run, I might do the same.

lembas
Offline
Joined: 05/13/2010

Which of the free distros do you have experience with?

I'll probably leave Trisquel as well but I'd rather move to a free distro than an optionally free distro. That would make it so much simpler to answer people who ask which distro I'm using. :)

I think Parabola is where I'm going next.

sanchezman
Offline
Joined: 12/09/2015

The last fully free distro I used was parabola. It was fine until a broken update to OpenSSL completely trashed my system. I couldn't browse the internet, I couldn't install updates, and I couldn't even revert to an older version of OpenSSL. I still don't know what cause it to happen (but I think it had something to do with the p2p package installer I had set up two months prior), as I've used Arch before and had 0 problems with it. I guess my warning is: Be careful with rolling release systems that don't have extensive support.

lembas
Offline
Joined: 05/13/2010

Thanks for the heads up. I've never used a rolling release distro before but I've heard these stories before. I guess what they say about the bleeding edge is true.

ADFENO
Offline
Joined: 12/31/2012

For those wanting to use other free system distribution: try GuixSD.

It's rolling release *but*:

* Let's you keep various versions of the same package.

* Eases the process of building your own packages and sharing them with
others.

** In spite of the above, the build process is made to be user-friendly
through the recipes written in Guile.

** If the GuixSD knows someplace where it can get builds for packages,
and if there is one for your system architecture, it'll download the
package. It won't build things unless it can't find a built package.

* Avoids "dependency hell".

* Many other advantages that I forgot to mention due to lack of human
memory.

I'm not going to switch right now due to a huge backlog of personal
tasks that I have to do. But U'm planning on doing so some time (maybe 6
months from now, I guess).

davidpgil
Offline
Joined: 08/26/2015

I really like the idea of switching to GuixSD as well, but I am concerned it might be too early to really use. :/

oysterboy

I am a member!

I am a translator!

Offline
Joined: 02/01/2011

The Abrowser situation annoys me too. I am currently evaluating Parabola. Installing it was surprisingly easy. I remembered having a hard time trying to install Arch a few years ago (I actually never succeeded :)), but following the beginner's guide to Parabola was really straightforward and easy. I am currently evaluating two desktop environments: MATE and KDE. All the programs are as up to date as can be, and that includes Iceweasel of course. But there are risks associated with the rolling release model. A few days ago, an update to hunspell, I believe, broke Icedove, Iceweasel and Icecat. On the other hand, it was fixed the next day. Also I read somewhere that the MATE desktop is currently unmaintained (the maintainer of the MATE packages for Arch decided to quit) and might be dropped from the repos for that reason. So being on the bleeding edge can have important drawbacks if you don't like (big) surprises after applying updates...

Maybe Trisquel needs to drop Abrowser and concentrate on Icecat, where it may be easier to make sure the latest security patches are applied in a timely fashion?

Legimet
Offline
Joined: 12/10/2013

I'm planning to install Debian testing (main only, of course) one of these days. Because of the vulnerable Abrowser, and because I need newer versions of some packages (for which I downloaded the .debs from Debian). I also like Parabola.

hack and hack
Offline
Joined: 04/02/2015

In that other thread, it is said that Abrowser's version in Trisquel 7 is outdated.

But according to this, it isn't a problem regarding support (https://trisquel.info/fr/forum/icecat-default-browser#comment-3375).
> Web Browser 3.5? Why should Trisquel users have to get an outdated
version
> of their browser for the next six months, when 3.6 has come out already?
It will ship with whatever version is the official upstream, to have the
same
level of support. Stability and security are more important than
modernity.

So what's the deal? With two people saying the opposite, and me not being knowledgeable enough, what do you all think? And Why?

Legimet
Offline
Joined: 12/10/2013

That was before the Firefox rapid release, when Debian/Ubuntu backported security patches to the version of Firefox they were using. Now all distros either use the latest version, or a supported ESR version. Debian uses the ESR version, but no longer backports security fixes, so once the version they are using is unsupported, they go to the next ESR version.
The situation in Trisquel is that there is an old, unsupported non-ESR version receiving no updates, and this is a serious issue.

hack and hack
Offline
Joined: 04/02/2015

Thanks.
Basically, ESR or not, at some point it's time to upgrade, because the security fixes are not backported from the latest version anymore,if I understand.
This is definitely not right.

I'd rather have the money spent on this instead.
The browser is one of the weakest links, so this issue really needs to be first on the list.
Specially since it's an OS meant for the average user.

In terms of security, I wonder how many programs need to always be up-to-date, besides the browser. Anything accessing the network,I suppose, but this might be overkill.

hack and hack
Offline
Joined: 04/02/2015

Firefox will manage its own updates independently of your system’s package manager, an download subsequent releases. There will be no need to repeat the whole “procedure”… Enjoy Firefox!
Thanks for the info. It's probably the easiest and simplest fix on the list.
Reading this, I see it updates by itself, even upgrades by itself probably since there's no need to "repeat the whole procedure".
I even found the ESR version in there.

But it's only a fix. So few were aware that there was such a security whole for so long in the first place.
Even the users reading the forum are/were in trouble if we rely only on the system updates.
It takes DAYS for Ubuntu to switch to the next version,
though it takes less work than Abrowser or Icecat, but still.
Not normal For both Trisquel browsers to take so long when it comes to security.

If it's too much work, at the very least, the maintainers should let Firefox be the default on the next release. It might be not as free (minor issues, but issues nonetheless), but at least it is safe, always, for all users (which allows to spread the word about Trisquel with confidence).
Or be religiously steady with these specific updates.

Bottom line: as it is right now, I'll stay on Trisquel because I can fix some stuff and I want to support it.
I can also fix the other few machines around me.

But for now I just can't recommend it around me.

hack and hack
Offline
Joined: 04/02/2015

Could you expand just a bit on Debian not backporting security fixes on ESR?
I thought that was the point of ESR (which I barely new it existed yesterday, might I add).

So Firefox 44 was out in early February (https://en.wikipedia.org/wiki/Firefox_versions#Version_44).
It's been nearly 6 month without any updates, since once a new version comes out, the earlier one isn't supported anymore (can't find again where I've read that yet).

But to my understanding, simply upgrading to version 45 (ESR) would have brought security fixes for 10 months or so.
Unless there's that backports thing I don't quite get.

al_chemia
Offline
Joined: 06/14/2016

I'm glad you asked this, as I've noticed the same thing. Here's the output of my /etc/apt/sources.list

# deb http://us.archive.trisquel.info/trisquel/ belenos main

# deb http://us.archive.trisquel.info/trisquel/ belenos-updates main
# deb http://archive.trisquel.info/trisquel belenos-security main

# See http://trisquel.info/wiki/ for how to upgrade to
# newer versions of the distribution.
deb http://us.archive.trisquel.info/trisquel/ belenos main
deb-src http://us.archive.trisquel.info/trisquel/ belenos main

deb http://us.archive.trisquel.info/trisquel/ belenos-updates main
deb-src http://us.archive.trisquel.info/trisquel/ belenos-updates main

deb http://us.archive.trisquel.info/trisquel/ belenos-security main
deb-src http://us.archive.trisquel.info/trisquel/ belenos-security main

# Uncomment this lines to enable the backports optional repository
# deb http://us.archive.trisquel.info/trisquel/ belenos-backports main
# deb-src http://us.archive.trisquel.info/trisquel/ belenos-backports main

Legimet
Offline
Joined: 12/10/2013

Don't use the US mirror. Use archive.trisquel.info without the us in front.

al_chemia
Offline
Joined: 06/14/2016

Yep, I made the switch last night and successfully updated.

hack and hack
Offline
Joined: 04/02/2015

I don't have answers yet from IRC, but I found this interesting (unfortunate, but interesting):
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
These completely concern our Abrowser version.
That's about 28 exploitable weak spots (orange and red).
10 for the ESR version.

Adress bar spoofing? Firejail won't do much against that. And not all users have Javascript disabled.

As a reminder: 3 months late for Icecat, 6 months late for Abrowser, being the default browser.
Hopefully this won't be taken as ungratitude or bitching on the same level of Trisquel 8 not being ready.

I see less and less reasons not to worry about this. And I want to support Trisquel.
I want to be able to recommend it without worries.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

Pointing out that your browser hasn't received security updates for 6 months is all but "bitching"..

hack and hack
Offline
Joined: 04/02/2015

True, I mean I don't want this issue to be associated with the usual persistent complaints about aesthetics or user-friendliness or the latest packages. This is critical because it's about security updates regarding a vulnerable and exposed program.

al_chemia
Offline
Joined: 06/14/2016

Just do what any self-respecting neckbeard would do: use Lynx.

hack and hack
Offline
Joined: 04/02/2015

There are options indeed, but that means that Trisquel isn't enough by default. And since I recommend it around me, that's problematic. Not for my reputation, but for their security.

hack and hack
Offline
Joined: 04/02/2015

I tried #FSF, they told me I better try the softwares mailing lists.
Like for IceCat: name at domain
For Abrowser I have no idea, it's not in the FSF directory.
I can't seem to find info about it yet, besides it being an unbranded Firefox with the Trisquel addon repo instead.

An interesting point is that IceCat is made from a script, which was recently updated by Ruben (http://git.savannah.gnu.org/cgit/gnuzilla.git).
What's interesting is that he updated it to 38.8.0ESR.
And that was after IceCat being supposedly late compared to Firefox.
Why not go to 45 directly (besided having to deal with the tons of changes between versions)?

official and default browser needs to come from upstream, though.
From https://trisquel.info/fr/forum/icecat-default-browser#comment-3375
Upstream means Trisquel is based on Ubuntu 14.04 LTS (Trusty Tahr), right?
That would mean That Ubuntu still has version 44?

I might have some answers in the mailing list, and maybe give some help if I can.

EDIT:____________________________

I found the mailing list, and it seems TorBB only switched to version 45ESR around the 10th of June.
https://lists.gnu.org/archive/html/bug-gnuzilla/2016-06/msg00008.html

Here's a reason for not Updating IceCat just yet: https://lists.gnu.org/archive/html/bug-gnuzilla/2016-06/msg00006.html

I most likely won't have further data on this, seeing so few answers.
So, cookie prompt vs security fixes. I doubt the issue is different on Debian.

The choice is between living with a risky browser and having cookie prompts vs the opposite.
Seems the choice has been made, but I think it's better to try to fix the prompt AFTER upgrading. It's much safer for the average user.
Worst case, it's still possible to have the older version on the side for those absolutely needing the prompt.

hack and hack
Offline
Joined: 04/02/2015

It's been maybe about a week that I haven't had any software updates either.
Here's the content of "cat /etc/apt/sources.list":
# deb http://archive.trisquel.info/trisquel/ belenos main
# deb http://archive.trisquel.info/trisquel/ belenos-updates main
# deb http://archive.trisquel.info/trisquel belenos-security main
# See http://trisquel.info/wiki/ for how to upgrade to
# newer versions of the distribution.
deb http://archive.trisquel.info/trisquel/ belenos main
deb-src http://archive.trisquel.info/trisquel/ belenos main
deb http://archive.trisquel.info/trisquel/ belenos-updates main
deb-src http://archive.trisquel.info/trisquel/ belenos-updates main
deb http://archive.trisquel.info/trisquel/ belenos-security main
deb-src http://archive.trisquel.info/trisquel/ belenos-security main
# Uncomment this lines to enable the backports optional repository
# deb http://archive.trisquel.info/trisquel/ belenos-backports main
# deb-src http://archive.trisquel.info/trisquel/ belenos-backports main

I see it's possible to switch to another server, but how do I do that?

Mzee
Offline
Joined: 07/10/2013

Same problem here. :-(

fbit

I am a member!

Offline
Joined: 07/07/2013

Same here. Switching to different mirrors doesn't make a difference.

Edit: Is there a place on this website for updates/news? It would be good to know what's going on in cases like this.

hack and hack
Offline
Joined: 04/02/2015

To the maintainers: thanks for the updates, much appreciated !

vita_cell
Offline
Joined: 07/19/2015

The Trisquel7's autoupdate program crashes or do nothing. It finds something, but won't update. So, update through Synaptic or Console, are working.