Old Firefox with fresh Java plugin, for the upcoming August deprecation of Java in Firefox ESR
(with a take on automating Oracle JDK fetch)
I'm afraid this will only be usable for several months, as after that 52.x ESR will get unmaintained upstream and will surely start accumulating security bugs…
Sure, it will.
And yes, it will be removed from Nixpkgs, so after 18.09 it won't be possible to set up the Oracle web Java plugin.
My purpose is to have a persistent browser Java app that won't be broken until upstream (online banking and Nixpkgs) stops using client-side web Java. Think of a concrete browser for a specific webpage. It would be extremely cool if it was possible to build some real GUI window with the webpage hardcoded.
I fear I failed to achieve my goal (ever working Nix script). I get this error now:
```
error: Package ‘firefox-esr-unwrapped-52.9.0esr’ in /nix/store/k4hi8p0flmjvhgx02zyzqkqcsybnpzfw-source/pkgs/applications/networking/browsers/firefox/packages.nix:70 is marked as insecure, refusing to evaluate.

Known issues:
 - Support ended in August 2018.

You can install it anyway by whitelisting this package, using the
following methods:

a) for `nixos-rebuild` you can add ‘firefox-esr-unwrapped-52.9.0esr’ to
   `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
   like so:

     {
       nixpkgs.config.permittedInsecurePackages = [
         "firefox-esr-unwrapped-52.9.0esr"
       ];
     }

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
   ‘firefox-esr-unwrapped-52.9.0esr’ to `permittedInsecurePackages` in
   ~/.config/nixpkgs/config.nix, like so:

     {
       permittedInsecurePackages = [
         "firefox-esr-unwrapped-52.9.0esr"
       ];
     }

(use '--show-trace' to show detailed location information)
```
So, even stable branches do get nasty breaking updates. I have to rely on `NIXPKGS_ALLOW_INSECURE=1`, which is uh oh.
So I've chosen to pin to a nixpkgs commit instead.
From now on, no more firefox+jre updates. Think about it. Bank web clients now insist on switching to Internet Explorer if you want security updates.
https://www.java.com/en/download/faq/firefox_java.xml
What breaking updates? Speaking of 18.09? We marked FF 52 insecure on the day of 18.09 official release announcement – a bit late, I admit, but otherwise I see nothing wrong.
No, I was talking about 18.03. Removal/deprecation/rename of packages (if that is dictated by security policy) should be done in the next release, not the current one. I remember I had the same kind of problem when firefox-esr was renamed in the stable branch.
Ah, I see, it got picked to 18.03 as well. But I actually agree with that! That package does have known security problems now. AFAIK no one provides patches to alleviate that. Better force the user to explicitly acknowledge it than to silently let her continue using it.
On reflection, I think I've misunderstood what "stable" branches are for. Looks like API stability isn't provided - security objections override "stability" needs. And there can't be nixpkgs channels that are both secure and API stable.
As I see it, the stable branches do try to provide both security and stability. If you really want stability only, you don't need to update at all, so usually security has higher priority – in cases where it's infeasible to have both. (I write "usually" because some CVEs have rather low severity and not everyone even agrees those are bugs.)
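The two approaches discussed in this thread, pinning a nixpkgs commit and acknowledging the insecure package, can be combined so that the exception covers only the one package named in the error instead of everything, as `NIXPKGS_ALLOW_INSECURE=1` does. This is an added example, not code posted by anyone in the thread; the commit, the hash and the attribute name `firefox-esr-52` are placeholders or assumptions to replace with the values from your own pin.

```nix
# pinned-firefox.nix (added example, not from the thread)
let
  # Placeholders: the nixpkgs commit you chose to pin and the hash of its
  # tarball. Neither value appears in the thread.
  rev = "<NIXPKGS-COMMIT>";
  sha256 = "<TARBALL-SHA256>";

  pinned = builtins.fetchTarball {
    url = "https://github.com/NixOS/nixpkgs/archive/${rev}.tar.gz";
    inherit sha256;
  };

  pkgs = import pinned {
    config = {
      # Scoped acknowledgement: only this exact name-version evaluates.
      # Any other package marked insecure in the pinned tree is still
      # refused, unlike with NIXPKGS_ALLOW_INSECURE=1.
      permittedInsecurePackages = [
        "firefox-esr-unwrapped-52.9.0esr"
      ];
    };
  };
in
  # Assumption: the attribute under which the pinned revision exposes the
  # wrapped ESR 52 browser; check the name in your pinned tree.
  pkgs.firefox-esr-52
```

Because the config is passed to `import` directly, the exception applies only to this expression and does not touch `~/.config/nixpkgs/config.nix` or the system configuration.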