I'm not sure what URL is technically supposed to be the correct one, but they do seem to have updated through at least 60.5: http://devel.trisquel.info/repos/packages/icecat/pool/main/i... Trisquel in general seems to be pretty dead, looking at their git.
While I'm not sure whether that includes any backported security fixes or not, you're right that this is concerning. Perhaps building it yourself is the way to go.
>I use upstream ESR ever since FF disabled add-ons since they let their cert expire [5]
Unless I'm mistaken that bug would have bitten you on ESR as well. The expired certificate was an intermediate used to sign most of the addons on AMO. If ESR wasn't using that certificate then it wouldn't have been able to validate those addons. Correct me if I'm wrong.
Looking at their SCM, they updated to the newest upstream less than two days ago [1]. However, the change appears trivial, so it might be feasible to track upstream if building from source as long as their customization scripts remain compatible.
> that bug would have bitten you on ESR as well
Sorry, I didn't word that clearly. ESR was affected, but the signature check could be disabled from about:config. The release channel had that flag listed, but it had no effect.
Ah, I didn't realize ESR did that. (And frankly I'm surprised it does.) One of the things I change when I build Firefox for myself is allowing the disabling of addon signings via about:config.
While I'm not sure whether that includes any backported security fixes or not, you're right that this is concerning. Perhaps building it yourself is the way to go.
>I use upstream ESR ever since FF disabled add-ons since they let their cert expire [5]
Unless I'm mistaken that bug would have bitten you on ESR as well. The expired certificate was an intermediate used to sign most of the addons on AMO. If ESR wasn't using that certificate then it wouldn't have been able to validate those addons. Correct me if I'm wrong.