Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1881495 - Outdated Firefox is going to be shipped in the Fedora 33 Beta
Summary: Outdated Firefox is going to be shipped in the Fedora 33 Beta
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: firefox
Version: 33
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Gecko Maintainer
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedFreezeException RejectedBlocker
Depends On: 1872111
Blocks: F33BetaFreezeException
TreeView+ depends on / blocked
 
Reported: 2020-09-22 14:13 UTC by Tomas Popela
Modified: 2020-10-23 21:25 UTC (History)
23 users (show)

Fixed In Version: firefox-81.0-6.fc33
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-09-25 16:48:31 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Tomas Popela 2020-09-22 14:13:30 UTC 
The last successful build on F33 is firefox-78.0.2-1.fc33 and that is currently being in a compose that will became Fedora 33 Beta.

The Fedora Workstation Working Group decided that we don't want to ship Fedora 33 with that outdated default web browser.

We are asking the Firefox maintainers to build the today's released Firefox 81 on Fedora 33 so it's part of Fedora 33 Beta.

Note: The Firefox depends on a NSS update that's currently in Bodhi - queued for stable - https://bodhi.fedoraproject.org/updates/FEDORA-2020-99834af551. This one will need to go to stable as well so it's part of beta.
Comment 1 Chris Murphy 2020-09-22 14:22:15 UTC 
Further, right now system upgrades from Fedora 32 will downgrade users to Firefox 78. There's no guarantee that Firefox can properly handle downgrade with respect to user configuration files - in fact the user profile could break as a result of the downgrade.
Comment 2 Kamil Páral 2020-09-22 14:28:36 UTC 
(In reply to Chris Murphy from comment #1)
> Further, right now system upgrades from Fedora 32 will downgrade users to
> Firefox 78. There's no guarantee that Firefox can properly handle downgrade
> with respect to user configuration files - in fact the user profile could
> break as a result of the downgrade.

No, that's not a problem, because F32 also contains just FF78 and nothing newer.

> The Fedora Workstation Working Group decided that we don't want to ship Fedora 33 with that outdated default web browser.

Is there some criterion broken? There can be some security fixes but that's just a Final criterion. Is there something else? Otherwise this might be more fit as a freeze exception.
Comment 3 Kamil Páral 2020-09-22 14:33:12 UTC 
(In reply to Kamil Páral from comment #2)
> No, that's not a problem, because F32 also contains just FF78 and nothing
> newer.

And I was wrong! F32 contains FF80 and FF81 is in testing now. So the user configuration issue during a downgrade is a real threat. Has anyone tested if it blows up?
Comment 4 Tomas Popela 2020-09-22 14:35:04 UTC 
(In reply to Kamil Páral from comment #2)
> > The Fedora Workstation Working Group decided that we don't want to ship Fedora 33 with that outdated default web browser.
> 
> Is there some criterion broken? There can be some security fixes but that's
> just a Final criterion. Is there something else? Otherwise this might be
> more fit as a freeze exception.

Do we need a criterion Kamil? If it would be some system library, then I wouldn't mind providing something, but this is about the default web browser that people use to access their online banking and so on. If it would be just one release, eg. shipping F33 Beta with Firefox 80, then we are "probably" fine with that, but this is several releases with multiple high severity CVEs:

Firefox 81 - https://www.mozilla.org/en-US/security/advisories/mfsa2020-42/
Firefox 80 - https://www.mozilla.org/en-US/security/advisories/mfsa2020-36/
Firefox 79 - https://www.mozilla.org/en-US/security/advisories/mfsa2020-30/
Comment 5 Tomas Popela 2020-09-22 14:36:20 UTC 
(In reply to Kamil Páral from comment #3)
> (In reply to Kamil Páral from comment #2)
> > No, that's not a problem, because F32 also contains just FF78 and nothing
> > newer.
> 
> And I was wrong! F32 contains FF80 and FF81 is in testing now. So the user
> configuration issue during a downgrade is a real threat. Has anyone tested
> if it blows up?

Yes, AFAIK Felipe and Neal had these problems and their profiles were nuked.
Comment 6 Kalev Lember 2020-09-22 14:51:37 UTC 
I talked to stransky and trying to help this along a bit. I've created a buildroot override for the nss build that Firefox 81 needs, and also went ahead disabled LTO for firefox (it was one of the issues blocking the F33+ builds) in https://src.fedoraproject.org/rpms/firefox/c/bcd30e838ba1620a5413970cac2334454cb2d643?branch=f33 and kicked off a new build attempt:

https://koji.fedoraproject.org/koji/taskinfo?taskID=52025342

Let's see how this goes.
Comment 7 Neal Gompa 2020-09-22 14:54:49 UTC 
(In reply to Tomas Popela from comment #5)
> (In reply to Kamil Páral from comment #3)
> > (In reply to Kamil Páral from comment #2)
> > > No, that's not a problem, because F32 also contains just FF78 and nothing
> > > newer.
> > 
> > And I was wrong! F32 contains FF80 and FF81 is in testing now. So the user
> > configuration issue during a downgrade is a real threat. Has anyone tested
> > if it blows up?
> 
> Yes, AFAIK Felipe and Neal had these problems and their profiles were nuked.

Yup, I lost everything when I upgraded from F32 to F33 on Sunday.
Comment 8 Kamil Páral 2020-09-22 16:52:15 UTC 
(In reply to Tomas Popela from comment #4)
> Do we need a criterion Kamil? If it would be some system library, then I
> wouldn't mind providing something, but this is about the default web browser
> that people use to access their online banking and so on. 

But we're talking about Beta here. I agree that for a Final release it wouldn't be acceptable (and we have that covered).

Yes, we prefer to have a criterion instead of ad-hoc decisions. It doesn't need to exist now, we can all agree that this is something we really want to do - but it should then trigger a process to define the criterion later, or make some other change, so that the next time this situation occurs, it's a systematic process instead of an ad-hoc one.

Sadly, both security and user corruption criteria are Final:
https://fedoraproject.org/wiki/Fedora_33_Final_Release_Criteria#Security_bugs
https://fedoraproject.org/wiki/Fedora_33_Final_Release_Criteria#Data_corruption

We can decide that one or both should be moved to Beta. I just want to point out that there should be a justification why we're blocking the Beta release on this.

For Beta, there is https://fedoraproject.org/wiki/Fedora_33_Beta_Release_Criteria#Upgrade_requirements :
"For each one of the release-blocking package sets, it must be possible to successfully complete a direct upgrade from a fully updated, clean default installation of each of the last two stable Fedora releases with that package set installed. 
The upgraded system must meet all release criteria."

One could argue that losing your user profile during the upgrade fails the "you can run the web browser" criterion, at least how people normally understand it (your changes are persisted between sessions). But it's stretching it quite a bit, this is definitely a user data corruption instead.

I think the most reasonable here is to agree that the data corruption criterion should be moved to Beta. The way it is written, it even gives us some flexibility, because we can either wait for a fix or just document it, based on how severe it is and what the milestone is.

If there wasn't the data loss scenario, I'd say "this is fine", because it's Beta and there can be a 0-day update waiting. But the data loss scenario would be really unpleasant for everyone who'd decide to upgrade to F33 Beta to test it and had their Firefox user profile nuked.
Comment 9 Chris Murphy 2020-09-22 17:03:51 UTC 
Bug 1872111 complicates this. Workstation/aarch64/images/Fedora-Workstation-aarch64-_RELEASE_MILESTONE_-sda.raw.xz is release blocking.

https://fedoraproject.org/wiki/Releases/33/ReleaseBlocking
Comment 10 Kamil Páral 2020-09-23 07:16:42 UTC 
Our blocker discussion has been split into two, unfortunately, so interested parties should also follow our blocker-review ticket here:
https://pagure.io/fedora-qa/blocker-review/issue/118
Comment 11 Kamil Páral 2020-09-23 07:20:23 UTC 
The freeze exception has been approved:
https://pagure.io/fedora-qa/blocker-review/issue/118
Comment 12 Fedora Update System 2020-09-23 08:02:22 UTC 
FEDORA-2020-299af333c6 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-299af333c6
Comment 13 Martin Stransky 2020-09-23 08:03:27 UTC 
Added the i686/x86_64 builds for now to have Intel covered at least.
Comment 14 Martin Stransky 2020-09-23 08:06:35 UTC 
Also note that https://bodhi.fedoraproject.org/updates/FEDORA-2020-99834af551 (nss update) is needed for this bug.
Comment 15 Fedora Update System 2020-09-23 15:26:53 UTC 
FEDORA-2020-299af333c6 has been pushed to the Fedora 33 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-299af333c6`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-299af333c6

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 16 Kalev Lember 2020-09-23 21:55:43 UTC 
OK, arm and aarch64 builds are now fixed in firefox-81.0-6.fc33. I also went ahead and merged the firefox builds into the nss update so they go out together in the same update.
Comment 17 Fedora Update System 2020-09-24 13:32:32 UTC 
FEDORA-2020-99834af551 has been pushed to the Fedora 33 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-99834af551`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-99834af551

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 18 Geoffrey Marr 2020-09-24 19:22:40 UTC 
Discussed during the 2020-09-24 Fedora 33 Go/No-Go meeting: [0]

The decision to classify this bug as a "RejectedBlocker (Beta)" was made as a fixed package has been built and will be available in the stable repo on release day.

[0] https://meetbot-raw.fedoraproject.org/fedora-meeting-1/2020-09-24/f33-beta-go_no_go-meeting.2020-09-24-17.00.txt
Comment 19 Fedora Update System 2020-09-25 16:48:31 UTC 
FEDORA-2020-99834af551 has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 20 Adam Williamson 2020-10-23 21:25:36 UTC 
Bug fixed, commonbugs not needed.
Note You need to log in before you can comment on or make changes to this bug.