xulrunner 2.0 in rawhide (F15) bundles several system libs
Toshio Kuratomi
a.badger at gmail.com
Thu Sep 30 18:22:36 UTC 2010
On Thu, Sep 30, 2010 at 01:29:38PM -0400, Gregory Maxwell wrote:
>
> I yelled pretty loudly when Fedora first packaged libvpx because
> fedora took a _known vulnerable_ version which Mozilla and opera were
> patching around but where the upstream hadn't yet merged the fixes.
>
> Things are more mature now but there are still somewhat scary fixes
> happening, at least with the platform dependant code:
> https://review.webmproject.org/#change,603
>
>
> Mozilla being a vector for the widescale exploitation would be
> terrible for their image— and also terrible for Fedora's, we really
> don't want to create our own version of the debian openssl rng bug.
> There really is a common interest here and the folks on the Mozilla
> side are better informed about the risks.
>
> The patches mozilla is carrying are visible as files in the respective
> directories here:
> http://mxr.mozilla.org/mozilla-central/source/media/
>
> I'd suggest that fedora folks interested in the bundling help by
> making sure that the applicable fixes make it upstream. Even if Fedora
> were to ditch the trademarks you couldn't escape doing this work.
>
Note that even without unbundling we have to do this work anyway -- but we
have to do it (or at least verify that it's done) twice, once in libvpx and
once in firefox. It sounds from your post that one problem is that the
libvpx maintainer has a volatile code base with multiple sources to pull
code from but is only paying attention to a subset of those.
-Toshio
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/devel/attachments/20100930/3e6b4ab5/attachment-0001.bin
More information about the devel
mailing list