https://pkginfo.devuan.org/stage/ceres/ … esr-1.html

I presume it will filter down to the other branches soon.

Why do you care if your ISP can see which packages you are downloading?

https does not only pretend listening, it also pretends Man-in-the-Middle-Attacks.
And even if it only protects me from listening: my ISP do not need to know anything (data economy). ;-)

If I would do this I would run:

torsocks wget --https-only --no-cookies foobar

But just as I say above it is not Firefox ESR 60.7.2.
https://www.mozilla.org/en-US/security/ … sa2019-19/

I just posted the wrong link (was tired) but thanks I will correct the other post ;-)

Thank you all for you posts and have a nice day! :-)

pcalvert wrote:

I downloaded the Firefox ESR package from here:
https://packages.debian.org/stretch/firefox-esr

I now this website, but this link is not the source where you have to download it from, it is here:
http://security.debian.org/debian-secur … ian.tar.xz
and this is not https.

You just downloaded the source package, which you can use to compile new binaries. I can assure you that you do not want to do that. Try one of these .deb packages instead. You can find these by scrolling down the page that pcalvert linked and selecting the architecture you want.

amd64
http://security.debian.org/debian-secur … _amd64.deb

i386
http://security.debian.org/debian-secur … 1_i386.deb

this is not https.

Why do you care if your ISP can see which packages you are downloading?

Try

wget https://deb.debian.org/debian-security/pool/updates/main/f/firefox-esr/firefox-esr_60.7.1esr-1~deb9u1_amd64.deb
# dpkg -i firefox-esr_60.7.1esr-1~deb9u1_amd64.deb

If you need the latest version right away, you can always get it directly from mozilla and just unpack it and run it. That's a more conservative choice than upgrading to ceres.

Hey, thanks for your answer.
Yeah I ment a package with the newest security patches (version was the wrong word sorry).
Before you posted this I have had it already downloaded from here:
https://releases.mozilla.org/pub/firefox/releases/

I now this website, but this link is not the source where you have to download it from, it is here:
http://security.debian.org/debian-secur … ian.tar.xz
http://security.debian.org/debian-secur … _amd64.deb
and this is not https.

Then I installed it using gdebi.

Result:

$ apt policy firefox-esr
firefox-esr:
  Installed: 60.7.1esr-1~deb9u1
  Candidate: 60.7.1esr-1~deb9u1
  Version table:
 *** 60.7.1esr-1~deb9u1 100
        100 /var/lib/dpkg/status
     60.7.0esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii-security/main i386 Packages
     60.6.3esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii-updates/main i386 Packages
     60.6.1esr-1~deb9u1 500
        500 http://deb.devuan.org/merged ascii/main i386 Packages

Phil

There is no firefox in stretch or ascii. Never was, never will be.

Both firefox and firefox-esr are in the unstable branch (sid/ceres) and it looks like they've both been patched.
https://security-tracker.debian.org/tra … ge/firefox

If you need the latest version right away, you can always get it directly from mozilla and just unpack it and run it. That's a more conservative choice than upgrading to ceres.

I runned

apt update -o Acquire::http::AllowRedirect=false

followed by

apt list --upgradable

and got

firefox-esr/stable-security 60.7.1esr-1~deb9u1 amd64 [upgradable from: 60.7.0esr-1~deb9u1]
vim-common/stable-security 2:8.0.0197-4+deb9u2 all [upgradable from: 2:8.0.0197-4+deb9u1]
vim-tiny/stable-security 2:8.0.0197-4+deb9u2 amd64 [upgradable from: 2:8.0.0197-4+deb9u1]
xxd/stable-security 2:8.0.0197-4+deb9u2 amd64 [upgradable from: 2:8.0.0197-4+deb9u1]

So no actual version of firefox either!
I am not an expert, but this is big crap!
I really need firefox, a safe one!

At least: I would never upgrade my system over http...

Try the old repository :

deb http://auto.mirror.devuan.org/merged ascii main contrib non-free
deb http://auto.mirror.devuan.org/merged ascii-backports main contrib non-free
deb http://auto.mirror.devuan.org/merged ascii-updates main contrib non-free
deb http://auto.mirror.devuan.org/merged ascii-security main contrib non-free

This mirror do not work with https, so I won't use it.

Like wich ones before?

UPDATE:
The link did not work, it was search for the word 'firefox' in this forum

Seems like there is no up2date version of firefox in all branches:
https://pkginfo.devuan.org/cgi-bin/d1pk … elease=any
Or is this website out of date and if so why it exists?

BTW:
I am using this repo:
deb https://pkgmaster.devuan.org/merged ascii main
deb https://pkgmaster.devuan.org/merged ascii-security main
deb https://pkgmaster.devuan.org/merged ascii-updates main

But a apt update do not get me these versions.
Why?

It is not the first time I have to wait long time before I can upgrade firefox...
That is a high security risc, cause some people need to allow Javascript for banking or something else...