Old Firefox with fresh Java plugin


#1

Old Firefox with fresh Java plugin, for the upcoming August deprecation of Java in Firefox ESR
(with a take on automating Oracle JDK fetch)


#2

I’m afraid this will only be usable for several months, as after that 52.x ESR will get unmaintained upstream and will surely start accumulating security bugs…


#3

Sure, it will.

And yes, it will be removed from Nixpkgs, so after 18.09 it won’t be possible to set up the Oracle web Java plugin.

My purpose is to have a persistent browser Java app that won’t be broken until upstream (online banking and Nixpkgs) stops using client-side web Java. Think of a concrete browser for a specific webpage. It would be extremely cool if it was possible to build some real GUI window with the webpage hardcoded.


#4

I fear I failed to achieve my goal (ever working Nix script). I get this error now:

```
error: Package ‘firefox-esr-unwrapped-52.9.0esr’ in /nix/store/k4hi8p0flmjvhgx02zyzqkqcsybnpzfw-source/pkgs/applications/networking/browsers/firefox/packages.nix:70 is marked as insecure, refusing to evaluate.


Known issues:
 - Support ended in August 2018.

You can install it anyway by whitelisting this package, using the
following methods:

a) for `nixos-rebuild` you can add ‘firefox-esr-unwrapped-52.9.0esr’ to
   `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
   like so:

     {
       nixpkgs.config.permittedInsecurePackages = [
         "firefox-esr-unwrapped-52.9.0esr"
       ];
     }

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘firefox-esr-unwrapped-52.9.0esr’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:

     {
       permittedInsecurePackages = [
         "firefox-esr-unwrapped-52.9.0esr"
       ];
     }


(use '--show-trace' to show detailed location information)
```

So, even stable branches do get nasty breaking updates. I have to rely on NIXPKGS_ALLOW_INSECURE=1, which is uh oh.

So I’ve chosen to pin to a nixpkgs commit instead.

From now on, no more firefox+jre updates. Think about it. Bank web clients now insist on switching to Internet Explorer if you want security updates.
https://www.java.com/en/download/faq/firefox_java.xml
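
The pinning approach from post #4, combined with the per-package whitelist from the error message, as an added example that is not part of the thread or of Nixpkgs. It allows only the one named insecure package, whereas `NIXPKGS_ALLOW_INSECURE=1` allows every package marked insecure. Assumptions: the `rev` and `sha256` values are placeholders to fill in, the file name `browser.nix` is hypothetical, and the attribute name `firefox-esr-52` must be checked against the pinned revision.

```nix
# browser.nix -- added example. Build with: nix-build browser.nix
let
  # Placeholders: the nixpkgs commit to freeze on, and the sha256 of its
  # unpacked tarball (`nix-prefetch-url --unpack <url>` prints it).
  rev    = "<nixpkgs-commit-sha>";
  sha256 = "<tarball-sha256>";

  # The hash makes Nix reject the download if its content ever differs
  # from what was reviewed when the pin was created.
  nixpkgsSrc = builtins.fetchTarball {
    url = "https://github.com/NixOS/nixpkgs/archive/${rev}.tar.gz";
    inherit sha256;
  };

  pkgs = import nixpkgsSrc {
    # Passing config and overlays explicitly means the per-user
    # ~/.config/nixpkgs/config.nix and overlays are not consulted,
    # so the exception below is the only one this build relies on.
    overlays = [ ];
    config = {
      # Whitelist exactly the package named in the error message.
      # Any other package marked insecure still fails evaluation.
      permittedInsecurePackages = [
        "firefox-esr-unwrapped-52.9.0esr"
      ];
    };
  };
in
  # Assumed attribute name for the wrapped Firefox 52 ESR browser;
  # verify it exists in the revision you pinned.
  pkgs.firefox-esr-52
```

Because the whitelist entry includes the version string, the evaluation error from post #4 returns if the pin is ever moved to a revision that ships a different insecure version, which forces the exception to be reviewed again.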


#5

What breaking updates? Speaking of 18.09? We marked FF 52 insecure on the day of 18.09 official release announcement – a bit late, I admit, but otherwise I see nothing wrong.


#6

No, I was talking about 18.03. Removal/deprecation/rename of packages (if that is dictated by security policy) should be done in the next release, not the current one. I remember I had the same kind of problem when firefox-esr was renamed in the stable branch.


#7

Ah, I see, it got picked to 18.03 as well. But I actually agree with that! That package does have known security problems now. AFAIK no one provides patches to alleviate that. Better to force the user to explicitly acknowledge it than to silently let her continue using it.


#8

On reflection, I think I’ve misunderstood what “stable” branches are for. Looks like API stability isn’t provided - security objections override “stability” needs. And there can’t be nixpkgs channels that are both secure and API stable.


#9

As I see it, the stable branches do try to provide both security and stability. If you really want stability only, you don’t need to update at all, so usually security has higher priority – in cases where it’s infeasible to have both. (I write “usually” because some CVEs have rather low severity and not everyone even agrees those are bugs.)