Manually installing the tarball from the official FF site. (Alternatively forking/re-pruposing Tor Browser downloader to fetch and verify the code).
Given that there is no upstream support for updated Chromium releases for Linux and that Debian will always lag behind because they are stretched too thin, I think having the freshest FF is better in this case and less likely for the user to be running code with 100< gaping holes known for 6+ months.
Chromium is more like a browser toolkit. Something Google can use as a base to maintain proprietary Chrome or third parties can use to create browser forks. But it’s not a “standalone browser project”. What I mean by that, it’s not maintained as per convention, as other Open Source browsers are maintained, i.e. stable releases and binary builds available for public download. The “real browser project” is Chrome, but it’s proprietary.
And since no other third party fills this void either…
… Chromium by itself unfortunately isn’t a suitable option.
Debian version of Chromium reported to be exploited in the wild.
Patch Google Chrome with the latest updates – if you don’t, you’re vulnerable to a zero-day that is actively being exploited, the US Cybersecurity and Infrastructure Security Agency (CISA) has warned.
Criminals are targeting users of Chrome with outdated installations, CISA said in an advisory note urging folk to update their browsers immediately.
“Google has released Chrome version 86.0.4240.183 for Windows, Mac, and Linux addressing multiple vulnerabilities, including vulnerability CVE-2020-16009. Exploit code for this vulnerability exists in the wild,” said the agency in a statement.
Debian affected by CVE-2020-16009 at time of writing, see:
Their infrastructure was hacked and had a link to backdoored versions - while that won’t affect end to end signed packages it doesn’t inspire confidence. Also they do not have a security team nor do they assign CVEs to affected software like Debian does also they don’t have the resources to implement reproducibly built packages like Debian does so any Mint specific packages will be a risk in the future.
They used to have a frankenDebian thing going on, but it changed in recent versions. However they are way behind on releasing versions that track Debian stable. For example LMDE 4 was only just released a few months ago this year, Depending on anything from LMDE means running something compatible with old-stable for a very long time which might introduce dependency hell.
They do little oversight of package safety/maintenance. A hidden cryptocurrency miner was slipped thru in uploads. Major apps lacked updates for a long time. Server components of the snap packaging system remain closed which gives Canonical control over the tech. Avoiding the support and proliferation of their lock-in format is a good move IMO.
Also Ubuntu anything has the tendency to be half baked abandonware once Canonical grows bored with it after they fail to monetize it.
Previous version: 83.0.4103.116-3.1
Current version: (not in testing)
Bug #973848: chromium: Unsupported version, many security bugs unfixed
Bug #960454: chromium: Make Chromium ask before downloading and enabling DRM
Bug #972134: chromium: please, consider moving the package to team-maintainance to properly maintain it
Bug #977103: chromium: FTBFS on armhf: error: write to reserved register ‘R7’
Bug #976292: design-desktop-web: drop chromium as Depends
Migration status for chromium (- to 83.0.4103.116-3.1): BLOCKED: Rejected/violates migration policy/introduces a regression