xulrunner 2.0 in rawhide (F15) bundles several system libs

Gregory Maxwell gmaxwell at gmail.com
Thu Sep 30 17:29:38 UTC 2010


On Thu, Sep 30, 2010 at 1:09 PM, Christopher Aillon <caillon at redhat.com> wrote:
> On 09/30/2010 05:19 AM, Sven Lankes wrote:
>> On Thu, Sep 30, 2010 at 06:37:33PM +0900, Takanori MATSUURA wrote:
>>
>>> If someone implements
>>> --enable-system-libvpx
>>> --enable-system-vorbis
>>> --enable-system-ogg
>>> --enable-system-theora
>>> into the mozilla source, we can easily remove source for the
>>> libraries. And Fedora will be happy. :-)
>>
>> https://bugzilla.mozilla.org/show_bug.cgi?id=577653
>>
>> Looking at how rigorously new packages with bundled libs are fought, we
>> should really stop shipping Firefox and start shipping Iceweasel.
>
> I personally don't care what we call it.  I'm not going to start
> breaking funny cat videos just to meet packaging ideals on a deadline.
> I'd rather deal with all you guys complaining on fedora-devel and in
> fesco tickets than the influx of bugs if I started breaking shit.  It's
> bad enough that there are more bugs than we can handle.  Besides,
> Mozilla has a good track record of allowing system libs after things
> settle down, and I have no doubt that we'll get these at some point.
>
>  From Mozilla's perspective, they could:
>
> 1. Do what they are doing now, temporarily not allow a few new system
> libs, waiting until they get banged into shape and *then* enable system
> libs (down the road).
> 2. Bang on the code in private and wait until it meets every Fedora
> packaging guideline, etc, until committing to the upstream repository,
> so we all get to wait for all of the cool shit that's happening.
>
> Please note that we're talking about pre-release versions of Firefox in
> a pre-release version of Fedora anyway, so a lot of churn is to be
> expected.  We're almost certainly going to have to temporarily disable
> and reenable a lot of other system libs during the beta cycles to get
> builds out the door, just like we always do in rawhide.  Not that I can
> guarantee that the release version will have all the above system libs
> enabled, but we'll know a lot more closer to FF4 and F15 release time.


I yelled pretty loudly when Fedora first packaged libvpx because
Fedora took a _known vulnerable_ version which Mozilla and Opera were
patching around but where the upstream hadn't yet merged the fixes.

Things are more mature now but there are still somewhat scary fixes
happening, at least with the platform-dependent code:
https://review.webmproject.org/#change,603


Mozilla being a vector for wide-scale exploitation would be
terrible for their image— and also terrible for Fedora's; we really
don't want to create our own version of the Debian OpenSSL RNG bug.
There really is a common interest here and the folks on the Mozilla
side are better informed about the risks.

The patches Mozilla is carrying are visible as files in the respective
directories here:
http://mxr.mozilla.org/mozilla-central/source/media/

I'd suggest that Fedora folks interested in the bundling help by
making sure that the applicable fixes make it upstream. Even if Fedora
were to ditch the trademarks you couldn't escape doing this work.
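As an added illustration (this is editor-supplied example code, not anything from the thread, from Mozilla, or from Fedora's packaging tooling): one thing a packager can check on a built xulrunner/firefox binary is its DT_NEEDED list, which tells you whether libvpx, libvorbis, libogg and libtheora are being pulled from the system or are still carried inside the binary. The parser below walks the ELF section headers to the .dynamic section and its string table; `build_fake_elf` is a constructed minimal ELF used only so the check can be exercised offline. The soname prefixes in `SYSTEM_LIB_SONAMES` are assumptions, not taken from the thread, and a missing DT_NEEDED entry is only evidence that a library *may* be bundled (it could also be dlopen'd or unused), so treat the report as a prompt for a closer look rather than a verdict.

```python
import struct

SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED = 0, 1

# Libraries the thread discusses, mapped to the soname prefix we expect
# to see in DT_NEEDED when the system copy is used (assumed prefixes).
SYSTEM_LIB_SONAMES = {
    "libvpx": "libvpx.so",
    "libvorbis": "libvorbis.so",
    "libogg": "libogg.so",
    "libtheora": "libtheora.so",
}


def _sections(data, is64, end):
    """Yield (name, type, flags, addr, offset, size, link, info, align, entsize)."""
    if is64:
        (shoff,) = struct.unpack_from(end + "Q", data, 0x28)
        shentsize, shnum = struct.unpack_from(end + "HH", data, 0x3A)
        fmt = end + "IIQQQQIIQQ"
    else:
        (shoff,) = struct.unpack_from(end + "I", data, 0x20)
        shentsize, shnum = struct.unpack_from(end + "HH", data, 0x2E)
        fmt = end + "IIIIIIIIII"
    for i in range(shnum):
        yield struct.unpack_from(fmt, data, shoff + i * shentsize)


def needed_libs(data):
    """Return the DT_NEEDED sonames of an ELF image held in `data` (bytes)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2               # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little, 2 = big endian
    secs = list(_sections(data, is64, end))
    needed = []
    for sec in secs:
        if sec[1] != SHT_DYNAMIC:
            continue
        dynstr = secs[sec[6]]          # sh_link points at .dynstr
        strtab = data[dynstr[4]:dynstr[4] + dynstr[5]]
        fmt = end + ("qQ" if is64 else "iI")
        step = struct.calcsize(fmt)
        for off in range(sec[4], sec[4] + sec[5], step):
            tag, val = struct.unpack_from(fmt, data, off)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                needed.append(strtab[val:strtab.index(b"\0", val)].decode())
    return needed


def bundling_report(data, libs=SYSTEM_LIB_SONAMES):
    """Map each library name to True if a system copy is linked (DT_NEEDED present)."""
    needed = needed_libs(data)
    return {name: any(n.startswith(soname) for n in needed)
            for name, soname in libs.items()}


def report_file(path):
    with open(path, "rb") as f:
        return bundling_report(f.read())


def build_fake_elf(needed):
    """Constructed little-endian ELF64 with just a .dynstr and a .dynamic section.
    Test input only; it is not loadable and has no program headers."""
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in needed)
    dyn, pos = b"", 1
    for n in needed:
        dyn += struct.pack("<qQ", DT_NEEDED, pos)
        pos += len(n) + 1
    dyn += struct.pack("<qQ", DT_NULL, 0)
    ehsize = 64
    strtab_off = ehsize
    dyn_off = strtab_off + len(strtab)
    shoff = dyn_off + len(dyn)
    shdr = "<IIQQQQIIQQ"
    shdrs = struct.pack(shdr, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                       # SHN_UNDEF
    shdrs += struct.pack(shdr, 0, SHT_STRTAB, 0, 0, strtab_off, len(strtab), 0, 0, 1, 0)
    shdrs += struct.pack(shdr, 0, SHT_DYNAMIC, 0, 0, dyn_off, len(dyn), 1, 0, 8, 16)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9
    # e_type=ET_DYN, e_machine=EM_X86_64, version, entry, phoff, shoff, flags,
    # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0,
                               ehsize, 0, 0, 64, 3, 0)
    return ehdr + strtab + dyn + shdrs


if __name__ == "__main__":
    # Constructed sample: system libvpx linked, the other three absent.
    sample = build_fake_elf(["libvpx.so.0", "libc.so.6"])
    for lib, system in bundling_report(sample).items():
        print(f"{lib}: {'system' if system else 'no DT_NEEDED (possibly bundled)'}")
```

Run `report_file("/usr/lib64/xulrunner-2.0/libxul.so")` (path is an assumption; adjust to where the package installs) to get the same dictionary for a real build; any library reported False while the source tree still ships a copy under media/ is one whose upstream fixes you have to track by hand.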