Bug#600681: Houston... (Debian Abandonware browser Iceweasel 3.5.x actively blocked by major sites now)

[Andreas Mohr]

Package: iceweasel
Version: 3.5.13-1
Severity: important
Justification: major user-facing component of a system is unusably outdated (missing OFFICIAL support, of security updates etc.)

Keywords: Firefox Iceweasel 3.5 outdated unsupported deprecated


For about 3 weeks now already, bw-bank.de has been actively blocking
online banking access for Firefox versions <= 3.5.x.

The problem is that I'm online with a Debian system as updated as can be
(Debian stable base, security, even plus backports). The version that it offers is 3.5.12-2~bpo50+1 .
I know the history of why 3.5.x has been decided to remain in Debian (issues with updating of XUL dependencies, as explained in http://bugs.debian.org/591500 ).

Mozilla is said to have ceased support for 3.5.x in August 2010 already (see http://de.wikipedia.org/wiki/Mozilla_Firefox ).
(the IDIOTIC Mozilla source versioning development has been bitterly and thoroughly
complained about in an online article a couple months ago which I cannot locate
any more currently, which pinpointed EXACTLY the major issues that distro people would face once security update support was very prematurely closed down).
Probably the decision-making at that bank is a sort of reptile-minded "is it a vendor-supported version?".
This probably explains why even internet browser ZOMBIE IE6 is still supported
(Secunia statistics of IE8 vs. FF 3.5 vs. IE6 are eye-opening).

So, who is to take the blame?
I'd say it's Mozilla by far. And then we have a very much overly eager deprecation by the bank (blocked a mere month after official support ended, for a browser version which got introduced on June 30th 2009 only).
But a large share of the problem lies on Debian as well, since NOT EVEN UNSTABLE
has a less-than-historic Firefox version (http://packages.debian.org/search?keywords=iceweasel ). And even Backports doesn't help either (one needs to go to experimental to even get a glimpse of 3.6.x!).
Note that an analysis of distrowatch.com package versions shows that usually the second-last release version of distros (MEPIS, MINT, openSUSE, Mandriva, Fedora) already progressed towards 3.6.x, EXCEPT for Debian. Even the rabidly conservative RHEL5.5 (which I have to work with most of the time) is now at Firefox 3.6.x (.8, IIRC).

Hence this IMHO critical bug report. We're talking of a major system component (some users are spending > 90% of their time with browser use) which is starting to be unusably outdated, and even the most conservative other distros have updated their packages. IMHO this should serve as a wakeup call.

Now, which direction to go to?
Probably Backports would be the best place to act on this.

Thanks,

Andreas Mohr