[Sugar-devel] IMPORTANT: sugar-jhbuild: security update of xulrunner

Sascha Silbe sascha-ml-ui-sugar-devel at silbe.org
Tue Mar 24 06:48:28 EDT 2009


Short summary:
If you're using sugar-jhbuild on Debian, please run "cd sugar-jhbuild && 
rm -rf source/mozilla source/hulahop install && ./sugar-jhbuild build" 
before using anything web-related the next time.
Otherwise (i.e. not running on Debian), please make sure 
sugar-jhbuild/source/mozilla does not exist (if it does exist, execute 
the commands given above as well).

Long explanation:
xulrunner has had a security update. Most of you will we be unaffected 
as we're using the distro package if we can (you do install distro 
security updates regularly, do you?). But for Debian sid+squeeze, we 
need to use our own copy due to path mismatches.
Usually this wouldn't be a big deal, as sugar-jhbuild is meant to pull 
the latest version of each package and build it, so taking care of 
security updates automatically. Unfortunately, this does NOT work 
properly for tarballs: if any previous tarball has been extracted, any 
updated version will be left untouched! So to build the updated version, 
you need to remove the entire "sugar-jhbuild/source/mozilla" directory.
As xulrunner uses the full version number inside directories (*), you 
need to ensure no outdated version is still installed and hulahop gets 
rebuilt from scratch. The easiest way to do that is to remove the 
directories "sugar-jhbuild/source/hulahop" and "sugar-jhbuild/install". 
Run a full build ("./sugar-jhbuild build") afterwards.

(*) Incidentally, Debian fixed this (so installing the updated package 
should have been enough, no rebuild of hulahop needed). Unfortunately, 
all other distros (including Ubuntu) use the same paths as upstream...
     Seems like Mozilla products suck a lot regarding security updates 
(see the note about Iceweasel in the etch release notes as well). :(

CU Sascha

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 489 bytes
Desc: Digital signature
Url : http://lists.sugarlabs.org/archive/sugar-devel/attachments/20090324/b72eedcf/attachment.pgp 

More information about the Sugar-devel mailing list