A few packages in Fedora get major updates outside the regular release cycle. The kernel is one of these, and Firefox is another. The maintainers do their best to handle these situations. Of course they always try to avoid any breaking changes to the user experience. However, there are times an upstream provides a path that makes this unavoidable. One of those rare situations is happening at present.
Upstream work on Firefox 57
Over the past year, Mozilla has been working on a series of major changes to the Firefox browser, mainly for performance and security. These changes are referred to as Project Quantum. Some improvements arrived already with no major differences for its users.
Last month the major changes landed in the developer channel. These changes mark a major deadline for how extensions work. This deadline gave third party developers a chance to look at their extensions and make changes to remain compatible. It was an important milestone date for the various Firefox add-ons. Firefox 57 marks an end to the legacy XUL based extensions. Starting with version 57, Firefox supports only a new type of extension, named WebExtension.
This shouldn’t be a surprise to Firefox extension developers, though. The compatibility roadmap has been known for the past year. Those who maintain their own extensions should read through the general upstream documentation on the change and the specific porting guide, as well.
User visible changes
Of course, developers following the Mozilla blogs have been aware of this change for a while. But the question remains: what does this mean for users?
The WebExtensions API is a cross-platform initiative. Therefore, this change means more extensions shared between Chrome, Opera and Firefox and the larger community. That should lead to better quality extensions overall. For the past several months, extension developers have been porting and giving feedback to Mozilla with APIs they require. Over 5000 extensions from addons.mozilla.org have been converted to remain compatible with version 57 and onward.
Users probably shouldn’t “hold back at FF56 as my favorite extensions don’t work.” Recall that security fixes only come from new versions, and they’ll all be WebExtension only. The Extended Support Release version will also switch to WebExtensions only at the next release. This date, June 2018, marks the deadline for ESR users to migrate their extensions.
Check which extensions you use that aren’t supported, and investigate if there’s a replacement or a beta test build by the developer. An upstream effort tracks whether many popular extensions have been ported yet, and related Mozilla bugs.
In addition to the extension changes, there are UI changes (codename Photon) as well as HTML, CSS and JavaScript rendering additions and fixes. Although the present beta release notes are brief, they link to further articles on the changes. Users and system administrators should read them to be prepared.
How Fedora is handling Firefox 57
Firefox 57 release is scheduled for November 14; Fedora 27 releases a week or so before that. The current Fedora 27 beta has the Firefox 57 beta. Fedora intends to have the Firefox 57 final release in a Fedora 27 update. This will be a significant part of the Fedora 27 Workstation release. If you use extensions, you’ll want to be aware of this plan.
Once Mozilla releases version 57, it will be submitted to the Fedora 26 updates-testing repository for an extended period. This provides adequate time for users to check their extensions before the update is promoted. However, this update will come to the stable repos for Fedora 26.
Between now and that point, a COPR provides builds for early testing of the builds, updated with any changes from the Fedora 27 release. Note that you cannot return to the older release on the same profile, due to changes in the update. Bear that in mind before installing this early release. You may want to make a backup of the existing profile before you update. This COPR will be removed when Firefox 57 reaches the Fedora 26 updates-testing repository.
To test these early package builds and provide early feedback of any issues, follow the usual COPR instructions to enable the repository and install the software:
dnf copr enable jhogarth/firefox57 dnf update firefox
When version 57 reaches the testing repository of Fedora 26 and the COPR is no longer required, remove it. This gets you the official Firefox maintainer’s builds and a clean future upgrade to Fedora 27:
dnf clean all dnf copr remove jhogarth/firefox57
Providing feedback on the upcoming packages
Is the thought of testing the upcoming Firefox tempting? Then please follow these guidelines so maintainers can more easily handle your reported issues.
- The Fedora 25 builds are entirely unsupported and provided only as a convenience for testing. Only Fedora 26 will receive the Firefox 57 update in the official Fedora repositories.
- The COPR is provided by the author, a Fedora Packager, not the Mozilla maintenance team, though it is a coordinated effort. The author will try to get updates into place as soon as possible after updates in Fedora 27. These RPMs are not identical to those that will appear in Fedora, although built from the same spec files and sources as in Fedora’s git repositories.
- Please only report Firefox issues and not any extension issues to Bugzilla. If in doubt, please try to reproduce the issue with extensions disabled.
- Please use Bugzilla. Do not mail anyone directly.
To report any issues with Firefox 57 on Fedora, use the standard bugzilla report, and please note in the report that you’re using these packages.
Hiisi
Couldn’t press the like button while I definitely like this article. I hope some vital for my workflow addons will receive updates on time.
Yaris
If I read the list on arewewebextensionsyet.com correctly it seems that noscript got 2 blockers to be webextension ready for 57 and that the firefox devs are not interested to fix it before Firefox 58. If that means that we won’t have noscript at all before 58 then i can’t update to 57. The web is too crowded with JavaScript exploits, like for example the minermalwares that are now getting traction, to be run with no precautions at all. Disabling JavaScript all together ain’t a option either as many websites depend on it for functionality.
Trowa
It seems many of us will be switching to Firefox ESR to make use of NoScript until Firefox 58 is out.
James Hogarth
Unfortunately I don’t think profile compatibility is there to go from FF56 to FF52ESR.
I did see someone suggest this to replace NoScript until it gets an update?
https://addons.mozilla.org/en-gb/firefox/addon/umatrix/
GOGI
Don’t worry about NoScript to be ported at time for Firefox 57 release. Visit the “NoScript” web-page and you’ll find an explanation from the maintainer on the forum there, who says that these two “blockers” are about some API’s which will not come out from Mozilla maintainers before Firefox 58 release, and these API’s are important for upgrading the extension for “Tor” users only. (Tor is based on Firefox…).
For Firefox regular users a web-ext of NoScript will be available very soon, few time before official relase of version 57.
And by the way, I’m actually using FF57 on Fedora 27, so for the moment without NoScript (which I have been using for years), and trust me, it’s working, even Java are not overloading the browser, MEM comsuption is really really low, and I won’t talk about speed and fluidity…
Leslie Satenstein
Its too bad that many extension providers are in reaction mode. I suppose from Firefox( Mozilla’s) point of view, these providers had one year to do something.
But human nature being what it is, and often, priorities arise, the providers are only in reaction mode, and will develop their upgrades after go-live.
Some of them will use the webExtension to encapsulate their existing extension. So, in effect, nothing has changed for these extension providers. Juse use webExtensions as a wrapper.
Equinae
Some of them will use the webExtension to encapsulate their existing extension. So, in effect, nothing has changed for these extension providers. Juse use webExtensions as a wrapper.
That is not possible, by definition.
The supposed problem is that extensions have access to everything in Firefox, and that allows a bad actor / mistake to expose / “bring down” all of Firefox. The new WebExtensions isolates the extension.
This is made painfully aware in NoScript. Current WebExtensions do not have all the needed functionality. It CANNOT be ported.
If WebExtensions end up providing the same power to extensions then the same pitfalls we be present. You can’t have power without the possibility for miss use.
fmase
Firefox 57 in f27 beta already include Client side decoration option – no need Htitle extension.
about:config
widget.allow-client-side-decoration
James
fmase, thank you for the suggestion. It works. I am glad that Firefox now has that option to not use the title bar. I don’t have to use pixel or extension to hide the title bar. Love it! Fedora 27 beta has been great and stable so far. Firefox 57 is better now.
Dave
Speed is ok, but what about making it work with more web sites? I end up using Chromium often because FF doesn’t work wit the site.
And what about a pop-up blocker that actually works? So tired of all the pop-ups that are not blocked.
Rui Quaresma
Hello everyone, I am using fedora 27 and this excellent I have had a problem with firefox 56 which is as follows; I have installed adobe flash 27.0.0.159 so me of the problem in a game played the letters of the game become undone appear colored, I installed the firefox 57 quantum resolved the same. If anyone can help thank you. Thank you
Nonya
Several things that should have been included in Firefox long ago:
Making extensions like adblock plus, noscript, privacy badger, disconnect, and HTTPS everywhere unnecessary by including these functionalities in Firefox.
Let users opt out of tabbed browsing!
Make all data collection opt-in, and the default set to NO DATA COLLECTION!!
Firefox should be striving to be the most security and privacy focused and fastest browser!
A. Rodef
Security is but one concern – privacy is another.
Updating FF may provide protection against theoretical exploits that may or may not become relevant, while add-ons address existing, immediate threats and limitations to privacy.
In a situation where the majority of my core add-ons is not supported in FF 57, the trade-off is clear. Updating would be a large step back, no matter whose responsibility it is. I can rather live with a slightly outdated base browser as long as the add-ons work. They’ll reduce attack vectors anyway. In some time, it may look better.
Finally, the add-ons were the unique selling point of FF. If they become less accessible, FF becomes less interesting.
Conclusion for the next year:
dnf update –exclude=firefox
James Hogarth
Excluding Firefox from updates is not the best idea from a security perspective and won’t be possible going from F26 to F27 as the latter will ship with FF57.
S. Rose
I see. The article says “The current Fedora 27 beta has the Firefox 57 beta. Fedora intends to have the Firefox 57 final release in a Fedora 27 update.” but doesn’t explicitly state that 27 will ship with 57 beta. I suppose that’s implied by the statement that 27 beta will ship with 57 beta? Probably, but I read it twice and had concluded that 27 would ship with 56 until I read your comment. Thanks for your work on this, BTW.
James Hogarth
At the time of writing the Fedora 27 composed media for beta testing, and leading up to the final. had Firefox 26 with a day one update to the Firefox 27 beta.
My understanding with discussions with the Firefox maintainers were that Firefox 57 was expected in Fedora 27, and later as an update to Fedora 26.
As of last Friday FESCo agreed that a day one update with such a huge change in behaviour was not sensible so Firefox 57 beta will be part of the Fedora 27 release itself.
And no problem – we all work for the best we can do for the Fedora community 🙂
Ken
Pale Moon is a Firefox replacement for running the add-ons you want.
Marco
A fork which is probably extremely insecure, given that it is based off on a very old Firefox version. Imagine how many security fixes have been released since then!
Tony Lins
The Pale Moon browser have a different version numbering scheme and an pre-australis UI, so it’s natural to think it’s an outdated version of firefox. Below the surface, Pale Moon is an optimized and heavily modified code base, with a different layout and rendering engine forked from Gecko a couple years back, focusing towards security and performance so many of firefox’s bugs don’t affect PM.
Pale Moon developers have forked Pale Moon from Firefox completely, they did to Goanna too (Pale Moon’s layout/rendering engine), which was forked too. Pale Moon’s relation code-wise to Firefox is akin to LibreOffice’s with OpenOffice case (people didn’t like the way the project was headed and forked, using their own release pace and their own features).
They achieved performance gains without e10s. They have disabled it and have been cleaning (read extirpating) it’s code from Pale Moon code base.
From their site (palemoon.org):
Based on our own optimized layout engine (Goanna)
Safe: forked from mature Mozilla code and regularly updated
Secure: Additional security features and security-aware development
Supported by our user community, and fully non-profit
Familiar, efficient, fully customizable interface
Support for full themes: total freedom over any element's design
Support for easily-created lightweight themes (skins)
Smooth and speedy page drawing and script processing
Increased stability: experience fewer browser crashes
Support for many Firefox extensions
Support for a growing number of Pale Moon exclusive extensions
Extensive and growing support for HTML5 and CSS3
Broad support for image formats: Supports WebP and JPEG-XR
Many customization and configuration options
This browser, even though fairly close to Gecko-based browsers like Mozilla Firefox and SeaMonkey in the way it works, is based on a different layout engine and offers a different set of features. It aims to provide close adherence to official web standards and specifications in its implementation (with minimal compromise), and purposefully excludes a number of features to strike a balance between general use, performance, and technical advancements on the Web.
With the current generation of mainstream browsers, there are also more obvious and not just “under the hood” differences: Pale Moon will continue to provide grouped navigation buttons of a decent size, a bookmarks toolbar that is enabled by default, tabs next to page content by default (easily switchable) and not in the least a functional status bar and more freedom in customization, to name a few things.
Marco
Tony, a modern browser is composed of hundreds of millions of lines of code. There’s a very small number of developers working on Pale Moon (certainly less than 10). So take what the website says with a pinch of salt.
They haven’t actually rewritten the layout and the rendering engines, you can take a look at the source files on their repository: they are almost the same as in Firefox.
A lot of the claims they make are false. E.g. “increased stability” or “security” or “performance” can’t be on par with Firefox. e10s improved all of them significantly, especially stability and security. The rewritten style engine in Rust (Stylo) improves security significantly. Moreover, all the recent significant performance improvements contained in 57 are not in Pale Moon.
Tony Lins
Yep, I’m not taking what they say as absolute truth (including here what I referenced in my last comment, what Mozilla or anyone else says) about anything. I agree that the web browsers’ code bases are enormous nowadays, I’m not disputing that. In my last comment, I said that Pale Moon devs forked Mozilla code, and they did, but that doesn’t mean that they will reinvent the wheel, like Mozilla is doing. I’d say they are trying only to have their way to enjoy the web whilst they can, because, well, they can. I only said that they have had performance gains without e10s because I used it and the results were attested personally, as you can attest too (I don’t know about if it can still be replicated with newer releases of FF and PM)… I hope Mozilla can improve the WebExtensions API to have a good level of extensibility in the future, as well as more personalization options available.
I see the gains of moving to a newer platform based on newer programming languages such as Rust. I’m not trying to diminish their effort, not at all. But probably they could do it in a less hurtful way to the community, since their core users and add-on developers are or were on it for the extensions, the old ones. Probably, in the same way NPAPI flash still plays in Firefox (after they had it disabled), they could have done something similar, or have released a transition path with a very powerful and yet, very secure (as much as possible) extension API, or even yet, redesign XUL to work with Servo…
Pale Moon devs. and community already are planning and acting accordingly about this ffv57-onwards future since even before when it was announced (you can check their forum), and I’m still watching where it will lead.
V
unfortunately the Mozilla foundation and Firefox is turning to a small or the last dictator
i installed Firefox 57 in a virtual machine and i investigated it.
every version of 57+ sends data to various ip ( different each time , some type of telemetry ) after the close of firefox.they said that they are using this data for debugging reasons . so what is the reason for the old health report exists ?
web extensions is a tool for this crew to filter what THE MARKETING ALLOW users have installed on their broswer . my best plugins blocked from update .
for me firefox was some plugins . other than that there is nothing special to this browser . have you used android firefox ? it sucks with or without plugins . the lag is terrible on android firefox !
personal i prefer using an outdated browser with javascript blocker like the firefox’s fork icecat with all the plugins that make it really secure like HTTPS Everywhere and webrtc and more , than a updated browser and unprotected to any javascript attack or worse against an installed plugin like flash that it is so open to remote attacks.
i hope fedora team jump from firefox train soon as i did
TomTr
I feel It’s not exactly fair to test telemetry in Alpha/Beta builds unless you intentionally completely opted-out of it (both technical data and crash reports) and it still genuinely sent your data. They are pretty clear themselves in this regard, see https://wiki.mozilla.org/Telemetry/FAQ#Why_is_Telemetry_enabled_by_default_on_the_Firefox_pre-release_channels.3F
Marco
You do realize that Firefox is opensource, right? If they were sending your private data to their servers, everybody would know (as the source code of the browser can be inspected)…
Anyway, you can disable any kind of telemetry if you want, there are preferences for that.
HTTPS Everywhere is going to work with 57, when 57 is released (you can find this info on the official HTTPS Everywhere documentation). WebRTC is a feature of the browser which has nothing to do with security and is not an addon, so it’s supported in 57 too.
By the way, using an outdated browser is extremely insecure!
fikoulli
Interesting, which tool you used for checking the sent data ? installed on host or guest ?
Thx
Zoltan
Same here. As we at Fedora prefer FOSS, on default would be a better choice Icecat on default.
Marco
You know, Firefox is FOSS. The logo is protected by trademark, but so is the Fedora logo, or the Debian logo, and so on. If your definition of FOSS means that the logo must be completely free to use by anyone, then you are excluding Fedora too from the definition.
buddabrod
Why not just do
sudo dnf –enablerepo=updates-testing upgrade firefox
Firefox 57 beta builds have been in updates-testing for almost 2 weeks now. No need for some external repos..
James Hogarth
The Firefox 57 build was pulled from updates-testing in F26 following a discussion with the maintainers and FESCo.
https://pagure.io/fesco/issue/1783
It was decided that packages that are not intended to reach stable (so this would exclude prerelease of upcoming versions already in Fedora) should (must?) not be in the updates-testing repo.
https://pagure.io/fesco/issue/1782
This was why the Firefox 57 beta was pulled from the Fedora 26 updates-testing repo but remains in the Fedora 27 repo (as F27 is in beta and the final release of FF57 is close to F27).
Anyone on F26 who does as you suggest right now won’t get FF57 until after it releases and is pushed sometime in mid-late November.
If you previously grabbed the early beta from the F26 updates-testing repos please enable my COPR so you receive any updates to the beta, and eventually the release candidate and final builds, otherwise you will receive no updates to it until it reaches final and gets a package update in F26.
buddabrod
Thank you for the update and clarification.!
fikoulli
Same for me, NoScript is a MUST have, and its not on Firefox 57, so I downgraded to FF56.
from the author of NS (@ma1) :
” if you’re using Firefox 57 you’ll need to open about:config and turn the extensions.legacy.enabled preference to true …..”
I’ll try this.
link : https://noscript.net/getit
Luya Tshimbalanga
Make sure to also track the progress migrating add-ons to webextension: https://arewewebextensionsyet.com/
Creep
Did you think about https://addons.mozilla.org/en-US/firefox/addon/umatrix/ by uBlock Origin author ?
fikoulli
I’ll give a try, Thx
GOGI
This will only work with Nightly version of FF, not beta 57.
fikoulli
Yes GOGI, Noscript install only on Nightly Builds 🙁
Umatrix is a little complicated.
With Icecat, web pages goes on all ways.
So what I finally did :
1. Epiphany for some few sites like : twitter, youtube …
2. Tor-Browser + UBlock Origin, for all other browsing
before closing it, I bookmark opened tabs ( there’s no history 🙂 )
Good page about Browser privacy : https://www.privacytools.io/
The challenge is to find a balance btw privacy and acceptable browsing.
wang ming heng
The intrusive Javascripts sometimes are a concern but I can simply turn it off both in Firefox and Chrome without plugins/extensions when I have to visit certain sites, though a little inconvenient. What these “modern browsers” really bother me is the removal of support for things like Java. I’m often in a situation that ssh access is blocked when I need to manage my remote hosts, and in these browsers Java console is unsupported which is fundamentally broken for me. Also I used to use some theme plugins like gnome theme tweak, but now none of them work because this WebExtension doesn’t seem to allow ui modifications, so I have to stand Firefox’s stupid default tab style? Really for all these I find myself use Epiphany much more than I did before, and even have installed Chrome, as they both succumb to WebExtension anyway, so what’s the difference?
Tony
What I’m going to miss is Vimperator. In fact, I miss it right now as it stopped working in the current version. Really hope someone takes this up and does a rewrite.